Bug 2066005
| Summary: | SELinux is preventing /usr/libexec/postfix/lmtp from write access on the sock_file lmtp. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Brian J. Murrell <brian> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Amith <apeetham> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | | |
| Version: | 8.5 | CC: | lvrabec, mmalik, ssekidde |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.7 | Flags: | pm-rhel: mirror+ |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.14.3-98.el8 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-11-08 10:44:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Commit to backport:
commit 08def7c154b5be4ce7b11643d71d59fe98ea2bfc
Author: Zdenek Pytela <zpytela>
Date: Wed Feb 26 20:52:09 2020 +0100
Allow postfix stream connect to cyrus through runtime socket

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7691

When using the default /run/cyrus/socket/lmtp path for the lmtp socket defined in /etc/cyrus.conf the following AVC is logged.

SELinux is preventing /usr/libexec/postfix/lmtp from write access on the sock_file lmtp.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that lmtp should be allowed write access on the lmtp sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'lmtp' --raw | audit2allow -M my-lmtp
# semodule -X 300 -i my-lmtp.pp

Additional Information:
Source Context                system_u:system_r:postfix_smtp_t:s0
Target Context                system_u:object_r:cyrus_var_run_t:s0
Target Objects                lmtp [ sock_file ]
Source                        lmtp
Source Path                   /usr/libexec/postfix/lmtp
Port                          <Unknown>
Host                          server.interlinx.bc.ca
Source RPM Packages           postfix-3.5.8-2.el8.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-80.el8_5.2.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-80.el8_5.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     server.interlinx.bc.ca
Platform                      Linux server.interlinx.bc.ca 4.18.0-348.12.2.el8_5.x86_64 #1 SMP Wed Jan 19 14:35:04 EST 2022 x86_64 x86_64
Alert Count                   12
First Seen                    2022-02-28 07:25:03 EST
Last Seen                     2022-02-28 07:29:30 EST
Local ID                      51515fa6-d6c9-4bce-9e3f-0cfd714d91e9

Raw Audit Messages
type=AVC msg=audit(1646051370.955:83893): avc: denied { write } for pid=3086610 comm="lmtp" name="lmtp" dev="tmpfs" ino=204371594 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:cyrus_var_run_t:s0 tclass=sock_file permissive=0

type=SYSCALL msg=audit(1646051370.955:83893): arch=x86_64 syscall=connect success=no exit=EACCES a0=11 a1=7ffe7e27ebb0 a2=6e a3=11 items=0 ppid=4904 pid=3086610 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm=lmtp exe=/usr/libexec/postfix/lmtp subj=system_u:system_r:postfix_smtp_t:s0 key=(null)

Hash: lmtp,postfix_smtp_t,cyrus_var_run_t,sock_file,write