Bug 169233
| Summary | postfix.te don't have enough rules for postfix | | |
|---|---|---|---|
| Product | [Fedora] Fedora | Reporter | Gabriel Ramirez <gabriello.ramirez> |
| Component | selinux-policy-targeted | Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED CURRENTRELEASE | Severity | high |
| Priority | medium | Version | 4 |
| Hardware | i386 | OS | Linux |
| Fixed In Version | 1.27.1-2.3 | Doc Type | Bug Fix |
| Last Closed | 2005-09-29 13:28:55 UTC | | |
Description
Gabriel Ramirez
2005-09-25 18:42:22 UTC

Created attachment 119239 [details]
selinux rules to allow postfix to work

Also I have nscd not working; I had to add the first two rules to fix it. I didn't write about it in the bug report, but when I saw the local.te I remembered it.

Comment #2

Created attachment 119241 [details]
supersedes the first local.te I sent, because the first file is missing some rules
Comment #3

Fixed in selinux-policy-targeted-1.27.1-2.3

Comment #4

I have a similar problem - I'm using 1.27.1-2.2, and I have a second aliases file in a user's home directory. Postfix won't start with 'service postfix start' but will start with /usr/sbin/postfix start. I get the following audit messages:

```
type=AVC msg=audit(1127900117.911:87647): avc: denied { search } for pid=31585 comm="postalias" name="/" dev=dm-2 ino=2 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1127900117.911:87647): arch=40000003 syscall=5 success=no exit=-13 a0=bfca3f60 a1=0 a2=0 a3=bfca2f54 items=1 pid=31585 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postalias" exe="/usr/sbin/postalias"
type=CWD msg=audit(1127900117.911:87647): cwd="/"
type=PATH msg=audit(1127900117.911:87647): item=0 name="/home/mud/etc/aliases" flags=101 inode=2 dev=fd:02 mode=040755 ouid=0 ogid=0 rdev=00:00
```

I have the following file permissions:

```
# ls -ldZ / /home /home/mud /home/mud/etc /home/mud/etc/aliases
drwxr-xr-x root root system_u:object_r:root_t /
drwxr-xr-x root root system_u:object_r:home_root_t /home
drwxrwsr-x mud mud user_u:object_r:user_home_dir_t /home/mud
drwxrwsr-x mud mud user_u:object_r:user_home_t /home/mud/etc
-rw-rw-r-- mud mud system_u:object_r:etc_aliases_t /home/mud/etc/aliases
```

The audit2allow command recommends the following:

```
# audit2allow -l -i audit.log
allow postfix_master_t home_root_t:dir search;
allow postfix_master_t unconfined_t:process signal;
```

Comment #5

(In reply to comment #3)
> Fixed in selinux-policy-targeted-1.27.1-2.3

I downloaded it from testing-updates and I'm able to receive my emails. I restarted the postfix daemon to be sure of any AVC messages, but none show up, well only about search winbind_var_run_t, but I don't have any ill effects from those AVCs, so it's fixed. Thanks.

Comment #6

(In reply to comment #4)
> I have a similar problem - I'm using 1.27.1-2.2, and I have a second aliases
> file in a users home directory. Postfix won't start with 'service postfix start'
> but will start with /usr/sbin/postfix start. I get the following audit messages
>
> type=AVC msg=audit(1127900117.911:87647): avc: denied { search } for
> pid=31585 comm="postalias" name="/" dev=dm-2 ino=2
> scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:home_root_t
> tclass=dir
> type=SYSCALL msg=audit(1127900117.911:87647): arch=40000003 syscall=5 success=no
> exit=-13 a0=bfca3f60 a1=0 a2=0 a3=bfca2f54 items=1 pid=31585 auid=501 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postalias"
> exe="/usr/sbin/postalias"
> type=CWD msg=audit(1127900117.911:87647): cwd="/"
> type=PATH msg=audit(1127900117.911:87647): item=0 name="/home/mud/etc/aliases"
> flags=101 inode=2 dev=fd:02 mode=040755 ouid=0 ogid=0 rdev=00:00
>
> I have the following file permissions
>
> # ls -ldZ / /home /home/mud /home/mud/etc /home/mud/etc/aliases
> drwxr-xr-x root root system_u:object_r:root_t /
> drwxr-xr-x root root system_u:object_r:home_root_t /home
> drwxrwsr-x mud mud user_u:object_r:user_home_dir_t /home/mud
> drwxrwsr-x mud mud user_u:object_r:user_home_t /home/mud/etc
> -rw-rw-r-- mud mud system_u:object_r:etc_aliases_t /home/mud/etc/aliases
>
> The audit2allow command recommends the following
> # audit2allow -l -i audit.log
> allow postfix_master_t home_root_t:dir search;
> allow postfix_master_t unconfined_t:process signal;

You can try the 1.27.1-2.3 version, but I'm almost sure you will have to add some rules. You will need to install selinux-policy-targeted-sources and edit /etc/selinux/targeted/src/policy/domains/misc/local.te, and after that move to /etc/selinux/targeted/src/policy/domains/ and type make load.

Comment #7

The goal with SELinux is to protect the userspace from the system space, so allowing postfix to read users' home directories is not something we want to do, or if we do allow it, it would need a boolean.

Comment #8

I installed selinux-policy-targeted-1.27.1-2.3 on a Thinkpad; it was running 1.25. But I tried to restart postfix with service postfix restart three times and all of them reported [Failed]. In audit.log I found this:

```
type=AVC msg=audit(1127938138.969:57): avc: denied { signal } for pid=9283 comm="postfix-script" scontext=system_u:system_r:postfix_master_t tcontext=system_u:system_r:initrc_t tclass=process
```

I didn't touch the policy and rebooted the machine, and postfix started well. My question is: do I always have to restart the machine after updating the selinux-policy? Thanks in advance.

Comment #9

No, you should not need to reboot the machine. I am not sure what caused this problem.
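As an added illustration (not part of this bug report, and not the Fedora audit2allow tool itself), the following Python script does in simplified form what the audit2allow run in comment #4 does: it parses AVC records into allow rules, merging permissions per source type, target type and class, and it flags rules whose target is a user-home type, the case comment #7 says should be gated by a boolean rather than allowed outright. The AVC lines are the ones quoted in comments #4 and #8; the HOME_TYPES set is an assumption for this example.

```python
import re

# Constructed sample: the AVC records quoted in comment #4 and comment #8 of this
# bug, plus one non-AVC record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1127900117.911:87647): avc: denied { search } for pid=31585 comm="postalias" name="/" dev=dm-2 ino=2 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1127900117.911:87647): arch=40000003 syscall=5 success=no exit=-13 items=1 pid=31585 comm="postalias" exe="/usr/sbin/postalias"
type=AVC msg=audit(1127938138.969:57): avc: denied { signal } for pid=9283 comm="postfix-script" scontext=system_u:system_r:postfix_master_t tcontext=system_u:system_r:initrc_t tclass=process
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumed set of target types that label user home directories (see the ls -Z
# output in comment #4). A system daemon domain gaining access to these is the
# case comment #7 says should be gated by a boolean, not allowed outright.
HOME_TYPES = {"home_root_t", "user_home_dir_t", "user_home_t"}

def parse_avc(line):
    """Return (source type, target type, class, permission set) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]   # user:role:type[:level]
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def format_rule(stype, ttype, tclass, perms):
    perms = sorted(perms)
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {perm_str};"

def rules_from_log(text):
    """Merge denials per (source, target, class), as audit2allow does."""
    merged = {}  # dict keeps first-seen order of rules
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    return [(format_rule(s, t, c, p), t in HOME_TYPES)
            for (s, t, c), p in merged.items()]

if __name__ == "__main__":
    for rule, crosses_home in rules_from_log(SAMPLE_AUDIT_LOG):
        print(rule + ("   # reaches user home: needs a boolean" if crosses_home else ""))
```

Run against the sample it prints the same home_root_t rule audit2allow produced in comment #4, marked as crossing into user home space, followed by the initrc_t signal rule from comment #8.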