Bug 248699

Summary: Problems with postfix and amavisd
Product: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware: All
OS: Linux
Severity: low
Priority: low
Status: CLOSED CURRENTRELEASE
Reporter: Paul Thompson <paulthompson>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Ben Levenson <benl>
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 14:11:07 UTC

Description Paul Thompson 2007-07-18 11:24:24 UTC
Description of problem:
Installation of amavisd (& clamav) prompts several SELinux errors preventing
correct operation

Version-Release number of selected component (if applicable):
amavisd-new.noarch                       2.5.1-1.fc7            installed       
clamav.i386                              0.90.2-1.fc7           installed       
clamav-data.i386                         0.90.2-1.fc7           installed       
clamav-filesystem.i386                   0.90.2-1.fc7           installed       
clamav-lib.i386                          0.90.2-1.fc7           installed       
clamav-server.i386                       0.90.2-1.fc7           installed       
clamav-server-sysv.i386                  0.90.2-1.fc7           installed       
clamav-update.i386                       0.90.2-1.fc7           installed       
postfix.i386                             2:2.4.3-2.fc7          installed       
selinux-policy.noarch                    2.6.4-26.fc7           installed       
selinux-policy-targeted.noarch           2.6.4-26.fc7           installed  

How reproducible:
Send any email to mail server

Steps to Reproduce:
1. Send any email to mail server

Actual results:
The following 3 SELinux error reports that prevent the system from receiving mail

Summary
    SELinux is preventing /usr/libexec/postfix/smtpd (postfix_smtpd_t)
    "sys_chroot" to <Unknown> (postfix_smtpd_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/postfix/smtpd. It is not
    expected that this access is required by /usr/libexec/postfix/smtpd and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                root:system_r:postfix_smtpd_t
Target Context                root:system_r:postfix_smtpd_t
Target Objects                None [ capability ]
Affected RPM Packages         postfix-2.4.3-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-26.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall
Host Name                     sally.thompson
Platform                      Linux sally.thompson 2.6.21-1.3228.fc7 #1 SMP Tue
                              Jun 12 15:37:31 EDT 2007 i686 athlon
Alert Count                   7
First Seen                    Tue 17 Jul 2007 06:21:26 PM BST
Last Seen                     Wed 18 Jul 2007 05:04:34 AM BST
Local ID                      a5023033-72b3-4ab3-a8ce-7df514fe4a3c
Line Numbers                  

Raw Audit Messages            

avc: denied { sys_chroot } for comm="smtpd" egid=89 euid=0
exe="/usr/libexec/postfix/smtpd" exit=0 fsgid=89 fsuid=0 gid=89 items=0
pid=15466 scontext=root:system_r:postfix_smtpd_t:s0 sgid=89
subj=root:system_r:postfix_smtpd_t:s0 suid=0 tclass=capability
tcontext=root:system_r:postfix_smtpd_t:s0 tty=(none) uid=0

Summary
    SELinux is preventing /usr/sbin/clamd (clamd_t) "search" to amavisd
    (amavis_var_run_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/clamd. It is not expected that
    this access is required by /usr/sbin/clamd and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for amavisd, restorecon -v amavisd
    If this does not work, there is currently no automatic way to allow this
    access. Instead,  you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
    can disable SELinux protection altogether. Disabling SELinux protection is
    not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                root:system_r:clamd_t
Target Context                system_u:object_r:amavis_var_run_t
Target Objects                amavisd [ dir ]
Affected RPM Packages         clamav-server-0.90.2-1.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-26.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     sally.thompson
Platform                      Linux sally.thompson 2.6.21-1.3228.fc7 #1 SMP Tue
                              Jun 12 15:37:31 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Tue 17 Jul 2007 06:16:51 PM BST
Last Seen                     Tue 17 Jul 2007 06:16:51 PM BST
Local ID                      59117600-886c-4597-b00c-72babbd77ab7
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm="clamd.amavisd" dev=dm-0 egid=492 euid=493
exe="/usr/sbin/clamd" exit=-13 fsgid=492 fsuid=493 gid=492 items=0
name="amavisd" pid=11586 scontext=root:system_r:clamd_t:s0 sgid=492
subj=root:system_r:clamd_t:s0 suid=493 tclass=dir
tcontext=system_u:object_r:amavis_var_run_t:s0 tty=(none) uid=493

Summary
    SELinux is preventing /usr/bin/clamscan (clamscan_t) "search" to amavisd
    (amavis_spool_t).

Detailed Description
    SELinux denied access requested by /usr/bin/clamscan. It is not expected
    that this access is required by /usr/bin/clamscan and this access may signal
    an intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for amavisd, restorecon -v amavisd
    If this does not work, there is currently no automatic way to allow this
    access. Instead,  you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
    can disable SELinux protection altogether. Disabling SELinux protection is
    not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                root:system_r:clamscan_t
Target Context                system_u:object_r:amavis_spool_t
Target Objects                amavisd [ dir ]
Affected RPM Packages         clamav-0.90.2-1.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-26.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     sally.thompson
Platform                      Linux sally.thompson 2.6.21-1.3228.fc7 #1 SMP Tue
                              Jun 12 15:37:31 EDT 2007 i686 athlon
Alert Count                   5
First Seen                    Tue 17 Jul 2007 05:45:28 PM BST
Last Seen                     Tue 17 Jul 2007 06:14:45 PM BST
Local ID                      ccb2bb92-400f-426f-8cf7-6bf1c5669dc5
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm="clamscan" dev=dm-0 egid=492 euid=493
exe="/usr/bin/clamscan" exit=-13 fsgid=492 fsuid=493 gid=492 items=0
name="amavisd" pid=11606 scontext=root:system_r:clamscan_t:s0 sgid=492
subj=root:system_r:clamscan_t:s0 suid=493 tclass=dir
tcontext=system_u:object_r:amavis_spool_t:s0 tty=(none) uid=493

Expected results:
No SELinux error reports - mail receipt to be processed successfully

Additional info:
Generated the following local policy to permit access:

module local 1.0;

require {
	type pppd_t;
	type amavis_var_run_t;
	type postfix_showq_t;
	type amavis_spool_t;
	type pppd_var_run_t;
	type postfix_smtpd_t;
	type clamd_t;
	type clamscan_t;
	type postfix_master_t;
	class capability sys_chroot;
	class dir search;
	class file { read write };
}
# Note: pppd_t, pppd_var_run_t and the file "write" permission are declared
# above but used by no rule below (audit2allow carried them over from other
# denials in the same log); they are harmless but can be dropped.

#============= clamd_t ==============
# Second report: the clamd.amavisd instance searching the amavisd directory
# labelled amavis_var_run_t.
allow clamd_t amavis_var_run_t:dir search;

#============= clamscan_t ==============
# Third report: clamscan searching the amavisd spool directory (amavis_spool_t).
allow clamscan_t amavis_spool_t:dir search;

#============= postfix_showq_t ==============
# Not among the three reports quoted above; covers a showq denial presumably
# taken from the same audit log.
allow postfix_showq_t postfix_master_t:file read;

#============= postfix_smtpd_t ==============
# First report: the sys_chroot capability for smtpd. Source and target type are
# the same, hence "self".
allow postfix_smtpd_t self:capability sys_chroot;
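
As an added example (not part of this bug report, and not code from selinux-policy, audit2allow or amavisd), the shell script below reproduces the step the reporter took to get from the three AVC records to the local module above, written as a small awk translator so it runs offline, and adds the two checks a practitioner runs around that step: a labeling check before writing any rule, and a build/load/confirm sequence after reviewing the rules. The AVC lines are the three records from the report joined onto one line each and trimmed to the fields the translator reads; note the first has exit=0 (logged only, in permissive mode) while the other two have exit=-13 (EACCES, enforced). The function names, the module name local, and the paths /var/run/amavisd and /var/spool/amavisd are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or from selinux-policy: a small
# audit2allow-style translator (AVC record -> allow rule -> .te module), with
# the label check and the build/load steps a practitioner runs around it.

# Constructed sample: the three AVC records from the report, one per line,
# trimmed to the fields the translator reads. exit=0 on the first means it was
# only logged (permissive), exit=-13 (EACCES) on the others means enforced.
AVC_SAMPLE='avc: denied { sys_chroot } for comm="smtpd" exe="/usr/libexec/postfix/smtpd" exit=0 pid=15466 scontext=root:system_r:postfix_smtpd_t:s0 tclass=capability tcontext=root:system_r:postfix_smtpd_t:s0
avc: denied { search } for comm="clamd.amavisd" exe="/usr/sbin/clamd" exit=-13 name="amavisd" pid=11586 scontext=root:system_r:clamd_t:s0 tclass=dir tcontext=system_u:object_r:amavis_var_run_t:s0
avc: denied { search } for comm="clamscan" exe="/usr/bin/clamscan" exit=-13 name="amavisd" pid=11606 scontext=root:system_r:clamscan_t:s0 tclass=dir tcontext=system_u:object_r:amavis_spool_t:s0'

# avc_to_allow: AVC records on stdin -> one allow rule per (source type, target
# type, class), permissions merged, "self" when source and target types match.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        s = index($0, "{"); e = index($0, "}")
        if (s == 0 || e <= s) next
        perms = substr($0, s + 1, e - s - 1)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (src == "" || tgt == "" || cls == "") next
        if (tgt == src) tgt = "self"
        key = src SUBSEP tgt SUBSEP cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; rules[key] = rules[key] " " p[j] }
    }
    END {
        for (key in rules) {
            split(key, k, SUBSEP); perms = substr(rules[key], 2)
            if (index(perms, " ")) perms = "{ " perms " }"
            printf "allow %s %s:%s %s;\n", k[1], k[2], k[3], perms
        }
    }' | sort
}

# write_te: allow rules on stdin -> a complete module source ($1 = module name),
# with the require block derived from the rules, as audit2allow -M would do.
write_te() {
    rules=$(cat)
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '%s\n' "$rules" | awk '
    /^allow / {
        sub(/;$/, ""); split($3, t, ":")                 # $3 is "target:class"
        types[$2] = 1; if (t[1] != "self") types[t[1]] = 1
        perms = ""; for (i = 4; i <= NF; i++) if ($i != "{" && $i != "}") perms = perms " " $i
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((t[2], p[j]) in seen)) { seen[t[2], p[j]] = 1; cp[t[2]] = cp[t[2]] " " p[j] }
    }
    END {
        for (ty in types) printf "    type %s;\n", ty
        for (c in cp) {
            pl = substr(cp[c], 2); if (index(pl, " ")) pl = "{ " pl " }"
            printf "    class %s %s;\n", c, pl
        }
    }'
    printf '}\n\n%s\n' "$rules"
}

# check_labels: a "search" denial on a directory is sometimes a labeling bug,
# not a missing rule. Compare the expected label with the one on disk; if they
# differ, restorecon is the fix and no allow rule is needed. Paths are the
# usual amavisd locations (assumed). Needs an SELinux host; not run by the test.
check_labels() {
    for d in /var/run/amavisd /var/spool/amavisd; do
        matchpathcon "$d"                 # label the file contexts expect
        ls -Zd "$d"                       # label actually on disk
    done
    restorecon -Rnv /var/run/amavisd /var/spool/amavisd   # -n: dry run
}

# build_and_load: compile $1.te and load it. Review the rules first: a capability
# grant such as "allow postfix_smtpd_t self:capability sys_chroot" should match
# something the daemon really does. Needs checkpolicy/policycoreutils; not run here.
build_and_load() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp" && semodule -l | grep "^$1"   # confirm it is loaded
}

# Stand-alone run: print the module that the sample denials translate to.
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow | write_te local
```

Run as a script and it prints a module equivalent to the reporter's, minus the unused pppd declarations, because the require block is derived only from the rules that are actually emitted. The translator merges permissions per (source, target, class) the way audit2allow does, so two denials on the same pair become one rule with both permissions; the real tool is still the right choice on a live host (audit2allow -M local < /var/log/audit/audit.log), this script only makes the mapping visible.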

Comment 1 Daniel Walsh 2007-07-18 14:02:41 UTC
Fixed in selinux-policy-2.6.4-29.fc7

Comment 2 Daniel Walsh 2007-08-22 14:11:07 UTC
Closing as fixes are in the current release