Bug 172185
| Summary: | Additional rules needed for postfix to run | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Chris Croome <chris> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | Severity: | medium |
| Priority: | medium | Version: | 4 |
| Hardware: | i386 | OS: | Linux |
| Doc Type: | Bug Fix | Last Closed: | 2005-11-03 12:39:22 UTC |

file_t indicates that you have a very badly labeled file system. Perhaps you booted with selinux=0 or added a new disk. You need to relabel the machine; you can do this with

touch /.autorelabel
reboot

Hmm... I think this issue is caused by the encrypted partitions I have set up: /home/ and /etc/crypt/ (where the Postfix TLS key is) are manually mounted after booting (and postfix is manually started).
These partitions have been set up using the Fedora cryptsetup-luks package.
I did a relabel as suggested and after that I had to add these lines to postfix.te:
allow postfix_master_t user_home_dir_t:dir search;
allow postfix_smtpd_t default_t:dir getattr;
And these to spamd.te before things started working properly again:
allow spamd_t file_t:dir { getattr search };
allow spamd_t file_t:dir write;
allow spamd_t file_t:file getattr;
allow spamd_t file_t:dir add_name;
allow spamd_t file_t:file create;
allow spamd_t file_t:dir remove_name;
allow spamd_t file_t:file write;
allow spamd_t file_t:file { link unlink };
allow spamd_t file_t:file unlink;
allow spamd_t file_t:file { ioctl read };
allow spamd_t file_t:file append;
I guess this is just a side effect of using some crypted partitions...?
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050923 Fedora/1.7.12-1.5.1

Description of problem:
I'm using the FC4 postfix with procmail to deliver to mbox files in users' directories and also TLS, and the default SELinux targeted policy prevents these things working.

If I add the following to /etc/selinux/targeted/src/policy/domains/program/postfix.te and run:

cd /etc/selinux/targeted/src/policy; make load

Then things work OK...

allow postfix_smtp_t file_t:dir search;
allow postfix_smtpd_t file_t:dir getattr;
allow postfix_master_t file_t:dir getattr;
allow postfix_cleanup_t file_t:dir getattr;
allow postfix_master_t policy_src_t:dir search;
allow postfix_local_t file_t:dir search;
allow postfix_local_t file_t:file { getattr read };
allow postfix_local_t file_t:file read;
allow postfix_smtpd_t boot_t:dir getattr;
allow postfix_smtpd_t file_t:dir search;
allow postfix_local_t file_t:dir getattr;
allow postfix_local_t file_t:dir write;
allow postfix_local_t file_t:dir add_name;
allow postfix_local_t file_t:file append;
allow postfix_local_t file_t:file { create lock };
allow postfix_local_t file_t:file lock;
allow postfix_local_t file_t:dir remove_name;
allow postfix_local_t file_t:file link;
allow postfix_local_t file_t:dir remove_name;
allow postfix_local_t file_t:file { unlink write };
allow postfix_local_t file_t:file unlink;

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Set up postfix to deliver to mboxes
2. Set up postfix to use TLS
3. Enable the default SELinux targeted policy

Actual Results:
Lots of errors in /var/log/audit.log and /var/log/maillog -- postfix was unable to read the TLS certs and was unable to deliver to mboxes in users' home directories.

Expected Results:
Mail should have been delivered and TLS should have worked...

Additional info:
I have also discovered that any edits one makes to files such as /etc/selinux/targeted/src/policy/domains/program/postfix.te get clobbered on upgrades... now I have saved these rules in a separate file...
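
An added example, not part of the original report or of the Fedora policy tooling: a Python triage of local allow rules that merges duplicates and separates the rules whose target type is file_t, the type the reply above attributes to a badly labeled file system. The function names and the MISLABEL_TYPES set are assumptions of this example; the sample rules are a subset copied from the comments in this report.

```python
import re
from collections import defaultdict

# Target types treated as a labeling problem rather than a policy gap.
# file_t is the type named in this report; the set is an assumption
# of this example and can be extended.
MISLABEL_TYPES = {"file_t"}

# Matches: allow <source> <target>:<class> <perm>;  or  { <perm> <perm> ... };
RULE_RE = re.compile(
    r"allow\s+(?P<source>\w+)\s+(?P<target>\w+):(?P<tclass>\w+)\s+"
    r"(?:\{(?P<set>[^}]*)\}|(?P<one>\w+))\s*;"
)

def parse_rules(text):
    """Yield (source, target, tclass, perms) for each allow rule in text."""
    for m in RULE_RE.finditer(text):
        raw = m.group("set") if m.group("set") is not None else m.group("one")
        yield m.group("source"), m.group("target"), m.group("tclass"), set(raw.split())

def triage(text, mislabel_types=MISLABEL_TYPES):
    """Merge duplicate rules, then split them into 'relabel' and 'review'."""
    merged = defaultdict(set)
    for source, target, tclass, perms in parse_rules(text):
        merged[(source, target, tclass)] |= perms
    result = {"relabel": {}, "review": {}}
    for key, perms in merged.items():
        bucket = "relabel" if key[1] in mislabel_types else "review"
        result[bucket][key] = sorted(perms)
    return result

# Subset of the rules quoted in this report.
SAMPLE = """
allow postfix_master_t user_home_dir_t:dir search;
allow postfix_smtpd_t default_t:dir getattr;
allow spamd_t file_t:dir { getattr search };
allow spamd_t file_t:dir write;
allow spamd_t file_t:file { link unlink };
allow spamd_t file_t:file unlink;
allow postfix_local_t file_t:file { create lock };
"""

if __name__ == "__main__":
    for bucket, rules in triage(SAMPLE).items():
        for (source, target, tclass), perms in sorted(rules.items()):
            print(f"{bucket:8} {source} -> {target}:{tclass} {{ {' '.join(perms)} }}")
```

Rules in the "relabel" bucket grant access to unlabeled objects and are candidates for removal once the file system carries proper labels; rules in "review" name a real type and need a policy decision.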