Bug 245605
Summary: | SELinux prevents postfix from accessing NFS files with use_nfs_home_dirs=1 | |
---|---|---|---
Product: | Red Hat Enterprise Linux 5 | Reporter: | Andy Schofield <ajs>
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | low | |
Version: | 5.0 | CC: | ebenes
Target Milestone: | --- | Keywords: | OtherQA
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | RHBA-2008-0465 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2008-05-21 16:05:14 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Andy Schofield
2007-06-25 17:59:34 UTC
Fixed in selinux-policy-2.4.6-84

It does not seem to be fixed for me (in 2.4.6-98)

More details: here are the avc errors when permissive mode is enabled.

```
avc: denied { create } for comm="local" dev=0:12 egid=610 euid=3000 exe="/usr/libexec/postfix/local" exit=14 fsgid=610 fsuid=3000 gid=0 items=0 name="1191265607.P6252.thp146.ph.bham.ac.uk" pid=6252 scontext=user_u:system_r:postfix_local_t:s0 sgid=0 subj=user_u:system_r:postfix_local_t:s0 suid=0 tclass=file tcontext=user_u:object_r:nfs_t:s0 tty=(none) uid=0
avc: denied { unlink } for comm="local" dev=0:12 egid=610 euid=3000 exe="/usr/libexec/postfix/local" exit=0 fsgid=610 fsuid=3000 gid=0 items=0 name="1191265607.P6252.thp146.ph.bham.ac.uk" pid=6252 scontext=user_u:system_r:postfix_local_t:s0 sgid=0 subj=user_u:system_r:postfix_local_t:s0 suid=0 tclass=file tcontext=system_u:object_r:nfs_t:s0 tty=(none) uid=0
avc: denied { getattr } for comm="local" dev=0:12 egid=610 euid=3000 exe="/usr/libexec/postfix/local" exit=0 fsgid=610 fsuid=3000 gid=0 items=0 name="1191265607.P6252.thp146.ph.bham.ac.uk" path="/home/sman/Maildir/tmp/1191265607.P6252.thp146.ph.bham.ac.uk" pid=6252 scontext=user_u:system_r:postfix_local_t:s0 sgid=0 subj=user_u:system_r:postfix_local_t:s0 suid=0 tclass=file tcontext=system_u:object_r:nfs_t:s0 tty=(none) uid=0
avc: denied { write } for comm="local" dev=0:12 egid=610 euid=3000 exe="/usr/libexec/postfix/local" exit=443 fsgid=610 fsuid=3000 gid=0 items=0 name="1191265607.P6252.thp146.ph.bham.ac.uk" path="/home/sman/Maildir/tmp/1191265607.P6252.thp146.ph.bham.ac.uk" pid=6252 scontext=user_u:system_r:postfix_local_t:s0 sgid=0 subj=user_u:system_r:postfix_local_t:s0 suid=0 tclass=file tcontext=system_u:object_r:nfs_t:s0 tty=(none) uid=0
```

Do you have the use_nfs_home_dirs boolean turned on ?

```
setsebool -P use_nfs_home_dirs 1
```

I certainly do!

```
# getsebool use_nfs_home_dirs
use_nfs_home_dirs --> on
```

What does

```
sesearch -A -s postfix_local_t | grep nfs
```

Show?

It returned nothing (tried on two machines):

```
[root@thp146 ~]# rpm -q selinux-policy
selinux-policy-2.4.6-98.el5
[root@thp146 ~]# sesearch -A -s postfix_local_t | grep nfs
[root@thp146 ~]#
```

Do I need to relabel the filesystem or reboot on updating the policy? I have not done either

Could you install selinux-policy-2.4.6-101.el5 and see if this works for you.
http://people.redhat.com/dwalsh/SELinux/RHEL5/

Still no change. sesearch -A -s postfix_local_t | grep nfs gives nothing, and email is not delivered locally when enforcing is on.

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.

Please note - this bug is still not fixed in selinux-policy-2.4.6-106 so don't include it in a maintenance release yet.

Fixed in selinux-policy-2.4.6-107.el5

QE ack for RHEL5.2. Reproducer in comment 0.

Andy, could you please try the new policy available at the link below and reply whether the new packages solve your problem? Thank you. The fix should be present in selinux-policy-2.4.6-107 available here:
http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

It still does not seem to be fixed in selinux-policy-2.4.6-107

sesearch -A -s postfix_local_t | grep nfs gives nothing, and email is not delivered locally when enforcing is on.

```
# getsebool use_nfs_home_dirs
use_nfs_home_dirs --> on
```

The audit log reveals the following when postfix tries to deliver an email to a maildir mounted on an NFS file system.

```
type=AVC msg=audit(1199967073.916:3668): avc: denied { search } for pid=27053 comm="local" name="" dev=0:22 ino=55410689 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1199967073.916:3668): arch=40000003 syscall=196 success=no exit=-13 a0=8eebe50 a1=bf9596b0 a2=5ecff4 a3=3 items=0 ppid=2158 pid=27053 auid=4294967295 uid=0 gid=0 euid=1000 suid=0 fsuid=1000 egid=600 sgid=0 fsgid=600 tty=(none) comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null)
type=AVC msg=audit(1199967073.917:3669): avc: denied { search } for pid=27053 comm="local" name="" dev=0:22 ino=55410689 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1199967073.917:3669): arch=40000003 syscall=5 success=no exit=-13 a0=8eeba60 a1=c1 a2=180 a3=0 items=0 ppid=2158 pid=27053 auid=4294967295 uid=0 gid=0 euid=1000 suid=0 fsuid=1000 egid=600 sgid=0 fsgid=600 tty=(none) comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null)
type=AVC msg=audit(1199967074.024:3670): avc: denied { search } for pid=27053 comm="local" name="" dev=0:22 ino=38551553 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1199967074.024:3670): arch=40000003 syscall=196 success=no exit=-13 a0=8eeae40 a1=bf958f90 a2=5ecff4 a3=3 items=0 ppid=2158 pid=27053 auid=4294967295 uid=0 gid=0 euid=3000 suid=0 fsuid=3000 egid=610 sgid=0 fsgid=610 tty=(none) comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null)
type=AVC msg=audit(1199967074.056:3671): avc: denied { search } for pid=27053 comm="local" name="" dev=0:22 ino=38551553 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1199967074.056:3671): arch=40000003 syscall=5 success=no exit=-13 a0=8edb8c8 a1=c1 a2=180 a3=0 items=0 ppid=2158 pid=27053 auid=4294967295 uid=0 gid=0 euid=3000 suid=0 fsuid=3000 egid=610 sgid=0 fsgid=610 tty=(none) comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null)
```

Anything else I can do to help diagnose this?

Fixed in selinux-policy-2.4.6-113.el5
Please try this one.
http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

No - it still does not seem to be working (obviously I have switched use_nfs_home_dirs to on). The sealert is for read access but postfix will need to write and search too:

```
Summary
SELinux prevented /usr/libexec/postfix/local from reading files stored on a NFS filesytem.

Detailed Description
SELinux prevented /usr/libexec/postfix/local from reading files stored on a NFS filesystem. NFS (Network Filesystem) is a network filesystem commonly used on Unix / Linux systems. /usr/libexec/postfix/local attempted to read one or more files or directories from a mounted filesystem of this type. As NFS filesystems do not support fine-grained SELinux labeling, all files and directories in the filesystem will have the same security context. If you have not configured /usr/libexec/postfix/local to read files from a NFS filesystem this access attempt could signal an intrusion attempt.

Allowing Access
Changing the "use_nfs_home_dirs" boolean to true will allow this access: "setsebool -P use_nfs_home_dirs=1"
The following command will allow this access: setsebool -P use_nfs_home_dirs=1

Additional Information
Source Context          system_u:system_r:postfix_local_t
Target Context          system_u:object_r:nfs_t
Target Objects          [ dir ]
Affected RPM Packages   postfix-2.3.3-2 [application]filesystem-2.4.0-1.el5.centos [target]
Policy RPM              selinux-policy-2.4.6-113.el5
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             plugins.use_nfs_home_dirs
Host Name               thp147.XXXXX
Platform                Linux thp147.XXXXX 2.6.18-53.1.4.el5 #1 SMP Fri Nov 30 00:45:16 EST 2007 i686 i686
Alert Count             186
Line Numbers

Raw Audit Messages
avc: denied { search } for comm="local" dev=0:22 egid=610 euid=3000 exe="/usr/libexec/postfix/local" exit=-13 fsgid=610 fsuid=3000 gid=0 items=0 name="" pid=2232 scontext=system_u:system_r:postfix_local_t:s0 sgid=0 subj=system_u:system_r:postfix_local_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:nfs_t:s0 tty=(none) uid=0
```

Fixed in selinux-policy-2.4.6-114.el5
Ok try 114.

Now it looks like it is working! I have just done a quick test with 114 on one of the client machines and email is now being delivered by postfix locally to an NFS mounted home directory when selinux is enforcing. If I notice any further problems I will report back. Many thanks.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2008-0465.html
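The thread above shows why a fix verified only against sealert's "read" alert kept failing: postfix_local_t also needed create, write, unlink and getattr on nfs_t files and search on nfs_t directories. As an added example (not code from this bug report, Red Hat or the selinux-policy project), the Python below groups AVC denials by source type, target type and object class, and reports which permissions a candidate set of allow rules still leaves uncovered. The sample lines are constructed, trimmed copies of the report's own denials, and the "partial" grant set is an assumption standing in for parsed `sesearch -A` output.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed copies of the denials quoted in this bug report.
SAMPLE_AVCS = [
    'avc: denied { create } for comm="local" pid=6252 '
    'scontext=user_u:system_r:postfix_local_t:s0 tclass=file '
    'tcontext=user_u:object_r:nfs_t:s0',
    'avc: denied { write } for comm="local" pid=6252 name="" '
    'scontext=user_u:system_r:postfix_local_t:s0 tclass=file '
    'tcontext=system_u:object_r:nfs_t:s0',
    'type=AVC msg=audit(1199967073.916:3668): avc: denied { search } for '
    'pid=27053 comm="local" name="" dev=0:22 ino=55410689 '
    'scontext=system_u:system_r:postfix_local_t:s0 '
    'tcontext=system_u:object_r:nfs_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1199967073.916:3668): syscall=196 success=no exit=-13',
]

_PERMS = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}), or None if not an AVC."""
    m = _PERMS.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    # A context is user:role:type[:range]; allow rules are keyed on the type.
    stype = fields['scontext'].split(':')[2]
    ttype = fields['tcontext'].split(':')[2]
    return stype, ttype, fields['tclass'], set(m.group(1).split())

def denied_by_rule(lines):
    """Group denied permissions by (source, target, class): one key per allow rule."""
    needed = defaultdict(set)
    for stype, ttype, tclass, perms in filter(None, map(parse_avc, lines)):
        needed[(stype, ttype, tclass)] |= perms
    return dict(needed)

def still_missing(needed, granted):
    """Denied permissions that `granted` (sesearch -A, parsed to the same keys) lacks."""
    return {key: sorted(perms - granted.get(key, set()))
            for key, perms in needed.items() if perms - granted.get(key, set())}

if __name__ == "__main__":
    # Constructed: a partial fix that only granted the read access sealert reported.
    partial = {("postfix_local_t", "nfs_t", "file"): {"read", "getattr"}}
    for (s, t, c), perms in still_missing(denied_by_rule(SAMPLE_AVCS), partial).items():
        print(f"allow {s} {t}:{c} {{ {' '.join(perms)} }};")
```

Feeding it the full `ausearch -m avc` output from a permissive-mode test run, rather than the sample lines, lists every allow rule a policy update has to contain before the test in enforcing mode is worth repeating.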