Bug 2255775

Summary: SELinux is preventing smtpd from getattr access on the file /etc/my.cnf
Product: Fedora
Reporter: mark preston <mark>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 40
CC: dwalsh, jskarvad, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-40.24-1.fc40
Last Closed: 2024-07-19 01:45:59 UTC

Description mark preston 2023-12-24 21:05:49 UTC
Messages getting logged:

2023-12-24T00:00:07.708598-05:00 mail setroubleshoot[9972]: SELinux is preventing smtpd from getattr access on the file /etc/my.cnf. For complete SELinux messages run: sealert -l 5d405514-2351-41a9-89ee-e44de33677f6

2023-12-24T00:00:07.747543-05:00 mail setroubleshoot[9972]: SELinux is preventing smtpd from getattr access on the file /etc/my.cnf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that smtpd should be allowed getattr access on the my.cnf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'smtpd' --raw | audit2allow -M my-smtpd
# semodule -X 300 -i my-smtpd.pp

2023-12-24T00:00:07.809321-05:00 mail setroubleshoot[9972]: SELinux is preventing smtpd from search access on the directory /etc/my.cnf.d. For complete SELinux messages run: sealert -l f32c69a4-53dd-4513-8358-4228369f5563

2023-12-24T00:00:07.838495-05:00 mail setroubleshoot[9972]: SELinux is preventing smtpd from search access on the directory /etc/my.cnf.d.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that smtpd should be allowed search access on the my.cnf.d directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'smtpd' --raw | audit2allow -M my-smtpd
# semodule -X 300 -i my-smtpd.pp

The issue seems to be these two:
SELinux is preventing smtpd from getattr access on the file /etc/my.cnf
SELinux is preventing smtpd from search access on the directory /etc/my.cnf.d

I've had SELinux complain for years about denying smtpd getattr/read access on /etc/my.cnf.
Recently, and I'm not sure when it started, it now complains about denying search on /etc/my.cnf.d.

Postfix is configured to use MySQL and it works well. However, it is annoying to get this message logged over and over. I don't have anything in my.cnf or the directory, but if I did then smtpd would need access to those. I think the SELinux config for postfix should include access to these objects. My guess is it was overlooked. I can't find any known bugs open on this, so I'm opening this one.


Reproducible: Always

Steps to Reproduce:
1. Have a system with SELinux installed.
2. Install postfix and configure it to use mysql/mariadb for maps/auth/alias or other things of that nature.
3. This will get logged when smtpd processes email.
Actual Results:  
SELinux is preventing smtpd from getattr access on the file /etc/my.cnf
SELinux is preventing smtpd from search access on the directory /etc/my.cnf.d

Expected Results:  
smtpd should have read access to the mysql/mariadb config files, as it does use SQL.

Let me know if you need any additional info. This has been going on for years and I finally got around to filing a bug on it.

Comment 1 Jaroslav Škarvada 2024-01-02 19:20:40 UTC
Reassigning to selinux.

Comment 2 mark preston 2024-07-08 18:38:48 UTC
Why is this not getting any traction? It is still an issue in FC40.

Comment 3 Zdenek Pytela 2024-07-09 15:48:04 UTC
Unfortunately, there is data missing in the report, especially audit logs or journal. Can you try the following steps?

# cat local_postfix_mysql.cil
(allow postfix_smtpd_t mysqld_etc_t (dir (search)))
(allow postfix_smtpd_t mysqld_etc_t (file (getattr)))
# semodule -i local_postfix_mysql.cil
# setenforce 0
<reproduce, restart the service>
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent
# setenforce 1

Comment 4 mark preston 2024-07-11 13:32:56 UTC
I hope this helps. Sorry, but I did a reboot before the issue repeated and forgot the SELinux state reset.

root@mail #  ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
q_depth should be larger than 512 for safety margin
----
type=AVC msg=audit(07/11/2024 01:30:01.035:4609) : avc:  denied  { read } for  pid=129400 comm=smtpd name=my.cnf dev="vda5" ino=67157645 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(07/11/2024 01:30:01.035:4610) : avc:  denied  { open } for  pid=129400 comm=smtpd path=/etc/my.cnf dev="vda5" ino=67157645 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(07/11/2024 03:31:06.604:4667) : avc:  denied  { read } for  pid=129674 comm=smtpd name=my.cnf dev="vda5" ino=67157645 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(07/11/2024 03:31:06.604:4668) : avc:  denied  { open } for  pid=129674 comm=smtpd path=/etc/my.cnf dev="vda5" ino=67157645 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(07/11/2024 03:36:02.832:4673) : avc:  denied  { read } for  pid=129713 comm=smtpd name=my.cnf dev="vda5" ino=67157645 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(07/11/2024 03:36:02.832:4674) : avc:  denied  { open } for  pid=129713 comm=smtpd path=/etc/my.cnf dev="vda5" ino=67157645 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(07/11/2024 03:37:07.736:4679) : avc:  denied  { read } for  pid=129713 comm=smtpd name=my.cnf dev="vda5" ino=67157645 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(07/11/2024 03:37:07.736:4680) : avc:  denied  { open } for  pid=129713 comm=smtpd path=/etc/my.cnf dev="vda5" ino=67157645 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1

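The procedure in Comment 3 (collect AVC records in permissive mode, then write a small CIL module) and the records posted in Comment 4, as an added example that is not part of the bug report or of selinux-policy. The script does by hand what the `audit2allow` step in the setroubleshoot catchall output does: it parses AVC records, unions the permissions per (source type, target type, class) and emits CIL allow rules, so the result can be compared with the hand-written `local_postfix_mysql.cil` above. It also flags records logged with `permissive=0`, which is the reason Comment 3 asks for `setenforce 0` first. The sample records are constructed: the first two mirror the read/open denials from Comment 4, the third (a search denial on the my.cnf.d directory, with an invented inode number) stands in for the directory denial that the description only shows in setroubleshoot form. The file name `avc2cil.py` in the usage comment is hypothetical.

```python
"""Derive a minimal CIL allow-rule module from AVC denial records.

Added example, not code from the bug report or from selinux-policy.
"""
import re
import sys
from collections import defaultdict
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple

# Constructed sample input, modelled on the records in Comment 4. The third
# line (search on the my.cnf.d directory, logged in enforcing mode, inode
# number invented) is constructed and did not appear in the posted audit log.
SAMPLE_AVC = """\
type=AVC msg=audit(07/11/2024 01:30:01.035:4609) : avc:  denied  { read } for  pid=129400 comm=smtpd name=my.cnf dev="vda5" ino=67157645 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/11/2024 01:30:01.035:4610) : avc:  denied  { open } for  pid=129400 comm=smtpd path=/etc/my.cnf dev="vda5" ino=67157645 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/11/2024 01:30:01.035:4611) : avc:  denied  { search } for  pid=129400 comm=smtpd name=my.cnf.d dev="vda5" ino=67157646 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir permissive=0
"""

# Works on both raw records and `ausearch -i` (interpreted) output: the
# fields we need are spelled the same way in both.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


class Denial(NamedTuple):
    source: str            # domain type of the subject, e.g. postfix_smtpd_t
    target: str            # type of the object, e.g. mysqld_etc_t
    tclass: str            # object class: file, dir, ...
    perms: FrozenSet[str]  # permissions listed between { }
    permissive: bool       # True if logged while SELinux was permissive


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(text: str) -> List[Denial]:
    """Parse AVC denial records; lines that are not AVC records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append(Denial(
            source=context_type(m.group("scontext")),
            target=context_type(m.group("tcontext")),
            tclass=m.group("tclass"),
            perms=frozenset(m.group("perms").split()),
            permissive=m.group("permissive") == "1",
        ))
    return denials


def merge_rules(denials: List[Denial]) -> Dict[Tuple[str, str, str], Set[str]]:
    """Union the permissions per (source type, target type, class) triple."""
    rules: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for d in denials:
        rules[(d.source, d.target, d.tclass)] |= d.perms
    return dict(rules)


def to_cil(rules: Dict[Tuple[str, str, str], Set[str]]) -> str:
    """Render the rules as CIL allow statements, one per line, in a stable order."""
    return "\n".join(
        f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))"
        for (src, tgt, cls), perms in sorted(rules.items())
    )


def logged_in_enforcing_mode(denials: List[Denial]) -> bool:
    """True if any record carries permissive=0.

    In enforcing mode the first denied check aborts the syscall, so the
    permissions the same code path needs next (read and open after getattr,
    in this bug) never reach the log, and a module built from such records
    is incomplete. Collect in permissive mode, as Comment 3 asks.
    """
    return any(not d.permissive for d in denials)


if __name__ == "__main__":
    # Usage (file name hypothetical):
    #   ausearch -m avc,user_avc --raw | python3 avc2cil.py > local.cil
    data = SAMPLE_AVC if sys.stdin.isatty() else sys.stdin.read()
    found = parse_avc(data)
    if logged_in_enforcing_mode(found):
        print(";; warning: some denials were logged in enforcing mode; "
              "the rule set below may be incomplete", file=sys.stderr)
    print(to_cil(merge_rules(found)))
```

On the sample the script emits `(allow postfix_smtpd_t mysqld_etc_t (file (open read)))` next to the `dir (search)` rule, which is broader than the getattr-only file rule in Comment 3's module: the original enforcing-mode reports stopped at getattr because that was the first check to fail, and the permissive-mode run in Comment 4 exposed the read and open that follow it. The catchall suggestion (`ausearch -c 'smtpd' --raw | audit2allow -M my-smtpd`) has the same shape but folds in every smtpd denial in the log, so review whatever it produces before `semodule -i`.
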
Comment 5 Zdenek Pytela 2024-07-12 15:04:27 UTC
Thank you.

Comment 6 Fedora Update System 2024-07-17 16:15:20 UTC
FEDORA-2024-f30b2bffdc (selinux-policy-40.24-1.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-f30b2bffdc

Comment 7 Fedora Update System 2024-07-18 04:59:06 UTC
FEDORA-2024-f30b2bffdc has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-f30b2bffdc`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-f30b2bffdc

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2024-07-19 01:45:59 UTC
FEDORA-2024-f30b2bffdc (selinux-policy-40.24-1.fc40) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.