Bug 221347

Summary: SELinux is preventing /usr/libexec/postfix/smtpd (postfix_smtpd_t) "getattr" to /boot (boot_t).
Product: Fedora
Component: selinux-policy
Version: 10
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Hardware: All
OS: Linux
Reporter: Matěj Cepl <mcepl>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: brian, dave-bugzilla, dwalsh, jkubin, mark, mcepl, mgrepl
Keywords: Reopened, SELinux
Doc Type: Bug Fix
Last Closed: 2009-11-18 09:31:00 UTC

Attachments:
    export from setroubleshootd
    /var/log/audit/audit.log

Description Matěj Cepl 2007-01-03 23:09:26 UTC
Description of problem:
See the attached report from setroubleshootd. When trying to send a test message
from a freshly installed Thunderbird to sendmail on localhost via SMTP on port 25,
I got an AVC denial. I have no idea why postfix should want to write to /boot, and
moreover, postfix works flawlessly with Evolution on the same computer (albeit
in "/usr/sbin/sendmail" mode, not via SMTP).

Version-Release number of selected component (if applicable):
postfix-2.3.3-2
selinux-policy-targeted-2.4.6-13.fc6
libselinux-1.33.2-3.fc6
selinux-policy-2.4.6-13.fc6

How reproducible:
100% (tried twice so far)

Steps to Reproduce:
1. set up Thunderbird to send emails to local postfix (SMTP port 25)
2. send email

Actual results:
email seems to be sent, but AVC denial happens

Expected results:
no fuss about sending email

Additional info:

Comment 1 Matěj Cepl 2007-01-03 23:09:26 UTC
Created attachment 144750 [details]
export from setroubleshootd

Comment 2 Matěj Cepl 2007-01-12 13:27:11 UTC
With updated system, I am not able to reproduce this again. Sorry for bothering.

Comment 3 Mark Knoop 2007-01-15 19:15:38 UTC
This is a duplicate of bug 215722. I am still experiencing this bug - see my
comments there.

Comment 4 Matěj Cepl 2007-01-16 11:09:23 UTC
Actually, I was mistaken; this bug is still alive and kicking (on Fedora, RHEL
seems to be OK so far), but instead of /boot the problems are in different
directories. Exactly what bug 215722 describes.

*** This bug has been marked as a duplicate of 215722 ***

Comment 5 Matěj Cepl 2008-11-24 21:08:25 UTC
I am sorry, but I have to reopen this beauty. Using a freshly upgraded F10 (to F10-updates) and switching the principal user of this computer to staff_u (I don't think any of this should be relevant, but just to be complete), I get this on restart of the computer:


Summary:

SELinux is preventing smtpd (postfix_smtpd_t) "getattr" to /boot (boot_t).

Detailed Description:

SELinux denied access requested by smtpd. It is not expected that this access is
required by smtpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /boot,

restorecon -v '/boot'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:postfix_smtpd_t
Target Context                system_u:object_r:boot_t
Target Objects                /boot [ dir ]
Source                        smtpd
Source Path                   /usr/libexec/postfix/smtpd
Port                          <Unknown>
Host                          viklef
Source RPM Packages           postfix-2.5.5-2.fc10
Target RPM Packages           filesystem-2.4.19-1.fc10
Policy RPM                    selinux-policy-3.5.13-20.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     viklef
Platform                      Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov
                              18 20:12:41 EST 2008 i686 i686
Alert Count                   3
First Seen                    Mon 24 Nov 2008 21:53:09 CET
Last Seen                     Mon 24 Nov 2008 21:58:21 CET
Local ID                      6c8d8e04-6693-4e0e-9536-2042dd81de28
Line Numbers

Raw Audit Messages

node=viklef type=AVC msg=audit(1227560301.613:27): avc:  denied  { getattr } for  pid=3593 comm="smtpd" path="/boot" dev=sda1 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir

node=viklef type=SYSCALL msg=audit(1227560301.613:27): arch=40000003 syscall=195 success=no exit=-13 a0=bfcd9376 a1=bfcd976c a2=81eff4 a3=bfcd937c items=0 ppid=2569 pid=3593 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)

===========================================================
and yet another one:


Summary:

SELinux is preventing smtpd (postfix_smtpd_t) "getattr" to /home (home_root_t).

Detailed Description:

SELinux denied access requested by smtpd. It is not expected that this access is
required by smtpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /home,

restorecon -v '/home'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:postfix_smtpd_t
Target Context                system_u:object_r:home_root_t
Target Objects                /home [ dir ]
Source                        smtpd
Source Path                   /usr/libexec/postfix/smtpd
Port                          <Unknown>
Host                          viklef
Source RPM Packages           postfix-2.5.5-2.fc10
Target RPM Packages           filesystem-2.4.19-1.fc10
Policy RPM                    selinux-policy-3.5.13-20.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     viklef
Platform                      Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov
                              18 20:12:41 EST 2008 i686 i686
Alert Count                   3
First Seen                    Mon 24 Nov 2008 21:53:09 CET
Last Seen                     Mon 24 Nov 2008 21:58:21 CET
Local ID                      a314cba1-c555-4072-8d06-5157e7b5f370
Line Numbers

Raw Audit Messages

node=viklef type=AVC msg=audit(1227560301.613:28): avc:  denied  { getattr } for  pid=3593 comm="smtpd" path="/home" dev=dm-5 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

node=viklef type=SYSCALL msg=audit(1227560301.613:28): arch=40000003 syscall=195 success=no exit=-13 a0=bfcd937d a1=bfcd976c a2=81eff4 a3=bfcd9383 items=0 ppid=2569 pid=3593 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)

===========================================================

If we are talking about the same bug, then I think you also need to know the list of my partitions:

[matej@viklef ~]$ mount
/dev/mapper/vg00-lvRoot on / type ext4 (rw)
/proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
/dev/mapper/home on /home type ext3 (rw)
tmpfs on /tmp type tmpfs (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
gvfs-fuse-daemon on /home/matej/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=matej)
[matej@viklef ~]$

Comment 6 Matěj Cepl 2008-11-24 21:10:20 UTC
And yes, comment 3 is probably right -- there is more information available in bug 215722, including some of my attempts to understand what's going on and an interview with folks on the #postfix IRC channel.

Comment 7 Matěj Cepl 2008-11-24 21:16:07 UTC
Created attachment 324539 [details]
/var/log/audit/audit.log

Some explanation of what's going on is IMHO in attachment 154182 [details].

Comment 8 Matěj Cepl 2008-11-24 21:53:32 UTC
Testing this module:

policy_module(mypostfix, 1.1)
require { type postfix_smtpd_t; }
# refpolicy interface: getattr on directories across filesystem types
fs_getattr_all_dirs(postfix_smtpd_t)

and let's see what happens.

Comment 9 Matěj Cepl 2008-11-24 23:55:30 UTC
Still generating AVC denials like this:


Summary:

SELinux is preventing smtpd (postfix_smtpd_t) "getattr" to /home (home_root_t).

Detailed Description:

SELinux denied access requested by smtpd. It is not expected that this access is
required by smtpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /home,

restorecon -v '/home'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:postfix_smtpd_t
Target Context                system_u:object_r:home_root_t
Target Objects                /home [ dir ]
Source                        smtpd
Source Path                   /usr/libexec/postfix/smtpd
Port                          <Unknown>
Host                          viklef
Source RPM Packages           postfix-2.5.5-2.fc10
Target RPM Packages           filesystem-2.4.19-1.fc10
Policy RPM                    selinux-policy-3.5.13-20.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     viklef
Platform                      Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov
                              18 20:12:41 EST 2008 i686 i686
Alert Count                   4
First Seen                    Mon 24 Nov 2008 23:23:38 CET
Last Seen                     Mon 24 Nov 2008 23:23:41 CET
Local ID                      67fc43ed-cb35-4fde-8fc5-92770cd197c9
Line Numbers

Raw Audit Messages

node=viklef type=AVC msg=audit(1227565421.734:212): avc:  denied  { getattr } for  pid=5564 comm="smtpd" path="/home" dev=dm-5 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

node=viklef type=SYSCALL msg=audit(1227565421.734:212): arch=40000003 syscall=195 success=no exit=-13 a0=bfd07bad a1=bfd07f9c a2=81eff4 a3=bfd07bb3 items=0 ppid=2569 pid=5564 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)

Comment 10 Matěj Cepl 2008-11-24 23:58:37 UTC
Trying to add

fs_getattr_all_fs(postfix_smtpd_t)

to the module and let's see what happens.

Comment 11 Matěj Cepl 2008-11-25 00:46:21 UTC
In a hopeless attempt to avoid AVC denials, throwing the output of audit2allow into the mix as well:

policy_module(mypostfix, 1.3)
require {
	type postfix_smtpd_t;
	type boot_t;
	type home_root_t;
	class dir getattr;
}
fs_getattr_all_dirs(postfix_smtpd_t)
fs_getattr_all_fs(postfix_smtpd_t)

# raw rules as produced by audit2allow for the /boot and /home denials above
allow postfix_smtpd_t boot_t:dir getattr;
allow postfix_smtpd_t home_root_t:dir getattr;

Comment 12 Matěj Cepl 2008-11-25 00:47:10 UTC
and now it seems to be gone

Comment 13 Daniel Walsh 2008-11-25 13:38:47 UTC
Fixed in selinux-policy-3.5.13-25.fc10

Comment 14 Bug Zapper 2008-11-26 01:52:10 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 15 Matěj Cepl 2008-11-26 13:30:27 UTC
When I remove my module and upgrade selinux-policy to selinux-policy-targeted-3.5.13-26.fc10.noarch AVC denials are back.

Comment 16 Daniel Walsh 2008-11-27 11:34:32 UTC
Please attach the current avc messages.

Comment 17 brianchad@westnet.com.au 2009-03-02 01:41:20 UTC
Hi,

This is happening after the last round of F10 updates involving postfix.

postfix-2.5.6-1.fc10.i386.rpm

selinux-policy-targeted-3.5.13-45.fc10.noarch.rpm


Summary:

SELinux is preventing smtpd (postfix_smtpd_t) "getattr" to /boot (boot_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by smtpd. It is not expected that this access is
required by smtpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /boot,

restorecon -v '/boot'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:postfix_smtpd_t:s0
Target Context                system_u:object_r:boot_t:s0
Target Objects                /boot [ dir ]
Source                        smtpd
Source Path                   /usr/libexec/postfix/smtpd
Port                          <Unknown>
Host                          admin.brianac.com.au
Source RPM Packages           postfix-2.5.6-1.fc10
Target RPM Packages           filesystem-2.4.19-1.fc10
Policy RPM                    selinux-policy-3.5.13-45.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     admin.brianac.com.au
Platform                      Linux admin.brianac.com.au
                             2.6.27.15-170.2.24.fc10.i686.PAE #1 SMP Wed Feb 11
                             23:35:37 EST 2009 i686 athlon
Alert Count                   294
First Seen                    Thu 26 Feb 2009 20:46:08 EST
Last Seen                     Mon 02 Mar 2009 10:46:05 EST
Local ID                      cbf2bcef-ae64-4d65-bd35-e8226a7d35a1
Line Numbers                
Raw Audit Messages          
node=admin.brianac.com.au type=AVC msg=audit(1235954765.372:3918): avc:  denied  { getattr } for  pid=11567 comm="smtpd" path="/boot" dev=sda2 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir

node=admin.brianac.com.au type=SYSCALL msg=audit(1235954765.372:3918): arch=40000003 syscall=195 success=yes exit=0 a0=bfe00176 a1=bfe0056c a2=811ff4 a3=bfe0017c items=0 ppid=2421 pid=11567 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)

Comment 18 Daniel Walsh 2009-03-02 17:08:03 UTC
Miroslav, add

	files_search_all_mountpoints(postfix_$1_t)

to

postfix_domain_template

In postfix.if

Looks like postfix wants to search all the directories that are mounted on.
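
The audit records pasted in comments 5, 9 and 17 carry more than the AVC line that setroubleshoot summarises: the SYSCALL record with the same audit serial says which syscall was refused, with what errno, and whether the denial was actually enforced (comment 17's records show success=yes because that host was in permissive mode). The script below is an added example, not part of this bug report or of selinux-policy. It correlates AVC and SYSCALL records by serial, decodes arch 40000003 / syscall 195 as i386 stat64 and exit -13 as EACCES, marks each denial enforced or permissive, and then drafts allow rules in the style of audit2allow, deduplicated across hosts, which is the kind of local module comment 11 loaded. The sample records are constructed from the ones in this bug (SYSCALL lines trimmed to the fields used); the syscall table is a three-entry subset and the module header format is an assumption, not audit2allow's exact output. The drafted rules are a diagnostic baseline for comparison with the distro fix in comment 18, which grants the access through a refpolicy interface rather than per-type allow rules.

```python
"""Correlate SELinux AVC/SYSCALL audit records and draft a local policy module.

Added example, not part of the bug report. Sample records are constructed from
comments 5 and 17 of the report (SYSCALL lines trimmed to the fields used).
"""
import errno
import re
from collections import OrderedDict

SAMPLE_AUDIT = """\
node=viklef type=AVC msg=audit(1227560301.613:27): avc:  denied  { getattr } for  pid=3593 comm="smtpd" path="/boot" dev=sda1 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
node=viklef type=SYSCALL msg=audit(1227560301.613:27): arch=40000003 syscall=195 success=no exit=-13 pid=3593 uid=89 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
node=viklef type=AVC msg=audit(1227560301.613:28): avc:  denied  { getattr } for  pid=3593 comm="smtpd" path="/home" dev=dm-5 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
node=viklef type=SYSCALL msg=audit(1227560301.613:28): arch=40000003 syscall=195 success=no exit=-13 pid=3593 uid=89 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
node=admin.brianac.com.au type=AVC msg=audit(1235954765.372:3918): avc:  denied  { getattr } for  pid=11567 comm="smtpd" path="/boot" dev=sda2 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
node=admin.brianac.com.au type=SYSCALL msg=audit(1235954765.372:3918): arch=40000003 syscall=195 success=yes exit=0 pid=11567 uid=89 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')

# AUDIT_ARCH_* values and a tiny i386 syscall subset (assumption: only what
# this report needs; a real tool would consult ausyscall or a full table).
ARCHES = {"40000003": "i386", "c000003e": "x86_64"}
I386_SYSCALLS = {195: "stat64", 196: "lstat64", 197: "fstat64"}


def parse_audit(text):
    """Group AVC and SYSCALL lines by their audit(<time>:<serial>) key."""
    records = OrderedDict()
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        key = f"{m.group(1)}:{m.group(2)}"
        rec = records.setdefault(key, {"avc": [], "syscall": None})
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") == "AVC":
            am = AVC_RE.search(line)
            if am:
                fields["result"] = am.group(1)
                fields["perms"] = am.group(2).split()
                rec["avc"].append(fields)
        elif fields.get("type") == "SYSCALL":
            rec["syscall"] = fields
    return records


def context_type(ctx):
    """system_u:system_r:postfix_smtpd_t:s0 -> postfix_smtpd_t"""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def summarize(records):
    """One flat dict per AVC, decorated with what its SYSCALL record tells us."""
    rows = []
    for key, rec in records.items():
        sc = rec["syscall"] or {}
        arch = ARCHES.get(sc.get("arch", "").lower())
        nr = sc.get("syscall")
        name = None
        if nr is not None:
            name = I386_SYSCALLS.get(int(nr), f"syscall {nr}") if arch == "i386" else f"syscall {nr}"
        exit_code = int(sc["exit"]) if "exit" in sc else None
        err = errno.errorcode.get(-exit_code) if exit_code is not None and exit_code < 0 else None
        for avc in rec["avc"]:
            if avc["result"] != "denied":
                enforced = False
            elif not sc:
                enforced = None  # no SYSCALL record: cannot tell
            else:
                # "denied" with success=yes means the host was in permissive mode
                enforced = sc.get("success") == "no"
            rows.append({
                "serial": key, "comm": avc.get("comm"), "path": avc.get("path"),
                "stype": context_type(avc["scontext"]),
                "ttype": context_type(avc["tcontext"]),
                "tclass": avc["tclass"], "perms": avc["perms"],
                "result": avc["result"], "syscall": name, "errno": err,
                "enforced": enforced,
            })
    return rows


def _perm_set(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def to_te_module(rows, name="mypostfix"):
    """Draft allow rules audit2allow-style, merged per (source, target, class)."""
    types, classes, rules = set(), {}, OrderedDict()
    for r in rows:
        if r["result"] != "denied":
            continue
        types.update((r["stype"], r["ttype"]))
        classes.setdefault(r["tclass"], set()).update(r["perms"])
        rules.setdefault((r["stype"], r["ttype"], r["tclass"]), set()).update(r["perms"])
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {_perm_set(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {_perm_set(p)};" for (s, t, c), p in rules.items()]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rows = summarize(parse_audit(SAMPLE_AUDIT))
    for r in rows:
        mode = {True: "enforced", False: "permissive/granted", None: "unknown"}[r["enforced"]]
        print(f"{r['serial']}: {r['comm']} {r['syscall']} {r['path']} -> "
              f"{r['stype']} {r['ttype']}:{r['tclass']} {' '.join(r['perms'])} "
              f"[{r['errno']}, {mode}]")
    print()
    print(to_te_module(rows))
```

Run it on a real /var/log/audit/audit.log by passing the file contents to parse_audit; the enforced flag is what distinguishes a live failure from the noise a permissive host generates, and the merged rule list shows at a glance that every denial in this bug reduces to getattr on the root directory of a separately mounted filesystem, which is the observation behind the interface-based fix.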

Comment 19 Miroslav Grepl 2009-03-06 13:11:12 UTC
Fixed in selinux-policy-3.5.13-48.fc10

Comment 20 Dave Oksner 2009-03-09 19:55:52 UTC
Is this also going to be fixed in EL5?  I'm seeing what appears to be the same problem with selinux-policy-2.4.6-203.el5

Comment 21 Daniel Walsh 2009-03-09 21:44:26 UTC
Check out 5.4 preview policy on 

http://people.redhat.com/dwalsh/SELinux/RHEL5

It should be in there.

Comment 22 Dave Oksner 2009-03-09 23:15:39 UTC
Thank you; that appears to have cleared up my problem.  This being the second time you've had the fix in that directory, perhaps I'll try to remember to check there, first.  ;-)

Comment 23 Daniel Walsh 2009-03-10 13:28:21 UTC
If we see a problem in Fedora that will affect RHEL5 we will backport the fix and put it into the next RHEL Update release.

Comment 24 Bug Zapper 2009-11-18 08:10:23 UTC
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping