Bug 243989

Summary: Postfix virtual transport not working with selinux
Product: [Fedora] Fedora Reporter: Rafał Dutko <raf>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: low    
Version: 6CC: software
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Current Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-08-22 14:02:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
AVC denials log
none
Denials log after chcon -t postfix_local_exec_t
none
Denials log after chcon -t postfix_local_exec_t and setenforce 0 none

Description Rafał Dutko 2007-06-13 09:33:07 UTC 
Description of problem:
SELinux is preventing postfix to work with virtual transport. I look into 
policy sources and there is no strict rules what virtual process can do. 

avc: denied { setrlimit } for comm="virtual" egid=0 euid=0 
exe="/usr/libexec/postfix/virtual" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 
pid=17621 scontext=system_u:system_r:postfix_master_t:s0 sgid=0 
subj=system_u:system_r:postfix_master_t:s0 suid=0 tclass=process 
tcontext=system_u:system_r:postfix_master_t:s0 tty=(none) uid=0

Also i suppose should be dedicated label for virtual mail, because after i 
build module to allow sertlimit i experienced denials on { search } of virtual 
mailbox. Then i tried to move/label mailboxes as home dir content also without 
success.

avc: denied { search } for comm="virtual" cwd="/var/spool/postfix" dev=dm-3 
egid=500 euid=500 exe="/usr/libexec/postfix/virtual" exit=-13 fsgid=500 
fsuid=500 gid=0 item=0 items=1 
name="/var/spool/mail/vmail/domains/digit-all.pl/admin/tmp/1181442754.P28071.warlord.digit-all.pl" 
obj=system_u:object_r:etc_t:s0 pid=28071 
scontext=root:system_r:postfix_master_t:s0 sgid=0 
subj=root:system_r:postfix_master_t:s0 suid=0 tclass=dir 
tcontext=system_u:object_r:mail_spool_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):

selinux-policy-targeted-2.4.6-74.fc6

How reproducible:
Always with virtual transport enabled.

Steps to Reproduce:
1. Enable virtual transport in postfix configuration
2. Try to send message to user i virtual map
  
Actual results:

Postfix cannot deliver message

Expected results:

Deliver mail to virtual user/mailbox

Additional info:
Comment 1 Daniel Walsh 2007-06-13 13:42:20 UTC 
Just want to verify that this is all the avc messages you are seeing.  Did you
put the machine into permissive mode and did it work.

setenforce 0
Test
setenforce 1
Comment 2 Rafał Dutko 2007-06-13 15:08:12 UTC 
Created attachment 156887 [details]
AVC denials log

I did test as you recommend, results in attachment. Now I'm running postfix
with postfix_disable_trans 1 to make things work.
Comment 3 Daniel Walsh 2007-06-14 12:53:58 UTC 
If you execute

chcon -t postfix_local_exec_t /usr/libexec/postfix/virtual

Does it work properly?
Comment 4 Rafał Dutko 2007-06-14 13:23:58 UTC 
Still didn't work, denials are different, log will be attached. Also i did 
test with setenforce 0 to have view what is missing - log attached.
Comment 5 Rafał Dutko 2007-06-14 13:25:12 UTC 
Created attachment 156992 [details]
Denials log after chcon -t postfix_local_exec_t
Comment 6 Rafał Dutko 2007-06-14 13:25:39 UTC 
Created attachment 156993 [details]
Denials log after chcon -t postfix_local_exec_t and setenforce 0
Comment 7 John Villalovos 2007-06-19 03:20:28 UTC 
I see something similar.  The virtual program won't work for me.

# sealert -l foo
Summary
    SELinux is preventing /usr/libexec/postfix/virtual (postfix_master_t)
    "search" to / (home_root_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/postfix/virtual. It is not
    expected that this access is required by /usr/libexec/postfix/virtual and
    this access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Additional Information

Source Context                system_u:system_r:postfix_master_t
Target Context                system_u:object_r:home_root_t
Target Objects                / [ dir ]
Affected RPM Packages         postfix-2.3.3-2
                              [application]filesystem-2.4.0-1.el5.centos
                              [target]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Alert Count                   4103
Line Numbers

Raw Audit Messages

avc: denied { search } for comm="virtual" dev=sdb1 egid=5000 euid=5000
exe="/usr/libexec/postfix/virtual" exit=-13 fsgid=5000 fsuid=5000 gid=0 items=0
name="/" pid=27341 scontext=system_u:system_r:postfix_master_t:s0 sgid=0
subj=system_u:system_r:postfix_master_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:home_root_t:s0 tty=(none) uid=0
Comment 8 Daniel Walsh 2007-06-19 12:25:15 UTC 
Fixed in selinux-policy-2.6.4-17
Comment 9 Rafał Dutko 2007-06-19 18:26:20 UTC 
This policy version will be applied to fc6 or is only for f7 ?
Comment 10 Daniel Walsh 2007-06-19 19:05:19 UTC 
Once I have it right on FC7 I will back port to fc6
Comment 11 Daniel Walsh 2007-08-22 14:02:58 UTC 
Closed as all fixes are in the current release