Bug 195018
| Summary: | domain_auto_trans(postfix_pipe_t,...) doesn't work as it should(?) | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | QingLong <qinglong> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 5 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2006-06-15 14:58:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Try using audit2why on the avc message. I believe you are missing a role transition role system_r types ql_spamassassin_client_t; BTW, bring this up for discussion on Fedora-SELinux-List |
Description of problem: I have avc denials in audit log about postfix_pipe_t trying to use execute_no_trans to execute my shell script (labeled to custom se domain), while I do have proper domain_auto_trans(postfix_pipe_t,...) for it. Version-Release number of selected component (if applicable): selinux-policy-targeted-2.2.43-4.fc5 How reproducible: For my installation it is 100% reproducible. Steps to Reproduce: 1. Create custom module (mine is ql_spamassassin) with: type ql_spamassassin_client_exec_t; files_type(ql_spamassassin_client_exec_t) type ql_spamassassin_client_t; domain_type(ql_spamassassin_client_t) domain_entry_file(ql_spamassassin_client_t,ql_spamassassin_client_exec_t) domain_auto_trans(postfix_pipe_t,ql_spamassassin_client_exec_t,ql_spamassassin_client_t) 2. Label a shell script in /usr/local/sbin/ as ql_spamassassin_client_exec_t. 3. Create pipe-based transport in /etc/postfix/master.cf that uses that script. 4. Send an email so that it would go through that pipe transport Actual results: Postfix pipe tries to execute the script with `execute_no_trans' rather than `execute' with further automatic domain transition and hence fails: type=AVC msg=audit(1150291179.693:6367): avc: denied { execute_no_trans } forpid=21379 comm="pipe" name="PostFix.mail.SpamAssassin.spamfilter.sh" dev=md9 ino=56842 scontext=root:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:ql_spamassassin_client_exec_t:s0 tclass=file Expected results: SElinux should allow postfix_pipe_t execute the ql_spamassassin_client_exec_t labeled script with automayic process domain transition to ql_spamassassin_client_t. Additional info: I have tried to ask about it on fedora-selinux-list, but got no answer, so I guess this is a bug rather than a feature.