Bug 326631
| Field | Value |
|---|---|
| Summary: | targeted policy prevents postcat from working |
| Product: | Red Hat Enterprise Linux 5 |
| Reporter: | Andreas Thienemann <athienem> |
| Component: | selinux-policy |
| Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED ERRATA |
| Severity: | medium |
| Priority: | low |
| Version: | 5.0 |
| CC: | dwalsh, ebenes |
| Target Milestone: | --- |
| Keywords: | OtherQA |
| Target Release: | --- |
| Hardware: | All |
| OS: | Linux |
| Fixed In Version: | RHBA-2008-0465 |
| Doc Type: | Bug Fix |
| Story Points: | --- |
| Last Closed: | 2008-05-21 16:05:47 UTC |
| Type: | --- |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| Category: | --- |
| oVirt Team: | --- |
| Cloudforms Team: | --- |
| Attachments: | strace log (attachment 224291) |
Description
Andreas Thienemann
2007-10-10 17:08:33 UTC
I am not sure what directory this is trying to write to? The directory name is tmp, but it is labeled user_home_t? Do you have a tmp directory in a homedirectory or is your /tmp labeled user_home_t?

```
ls -lZd /tmp
```

/tmp should be labeled tmp_t.

```
restorecon /tmp
```

Created attachment 224291: strace log

Please see the attached strace log.

/tmp is correctly labeled as system_u:object_r:tmp_t

Mhm. I have the feeling the audit messages posted above are misleading and related to something else. I just tried it again:

- postcat with enforcing enabled: no output, no audit log message however.
- postcat with enforcing disabled: normal postcat output.

????

I am now thinking that this should not run as postfix at all. If you just

```
chcon -t bin_t PATHTOPOSTCAT
```

Does everything work? Since this is just a user app and not going to be run by confined apps I see no reason to add the postfix context to it.

Changing the context to bin_t looks better. The same problem exists with /usr/sbin/postmap when querying existing maps:

```
postmap -q 127.0.0.1 cidr:/etc/postfix/access.mx.cidr
```

will exhibit the same problem as postcat when running with setenforce 1.

What avc's do you see with this command?

none whatsoever:

```
[root@relay01 ~]# ls -alZ /usr/sbin/postmap
-rwxr-xr-x  root root system_u:object_r:postfix_map_exec_t /usr/sbin/postmap
[root@relay01 ~]# getenforce
Enforcing
[root@relay01 ~]# postmap -q 127.0.0.1 cidr:/etc/postfix/access.mx.cidr
[root@relay01 ~]# setenforce 0
[root@relay01 ~]# postmap -q 127.0.0.1 cidr:/etc/postfix/access.mx.cidr
REJECT Invalid MX for receipient domain. (127.0.0.0/8 localnet)
[root@relay01 ~]# dmesg | tail -n 2
audit(1192209107.803:48): enforcing=1 old_enforcing=0 auid=4294967295
audit(1192209169.022:49): enforcing=0 old_enforcing=1 auid=4294967295
[root@relay01 ~]#
```

Fixed in selinux-policy-2.4.6-107

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.

QE ack for RHEL5.2.

Reproducer in comment 0.

```
[root@relay01 ~]# postcat -q E463148BD0|head -1
*** ENVELOPE RECORDS hold/E463148BD0 ***
[root@relay01 ~]#
```

Problem seems to be fixed in selinux-policy-2.4.6-107.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html
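The thread's triage boils down to comparing the SELinux file type on /tmp and on the postfix command-line tools against what the policy expects. The script below is an added example, not code from the bug report or from the selinux-policy package: it parses the RHEL 5 style `ls -Z` lines quoted above (user:role:type, no MLS level) and flags any file whose type differs from an expected one. The expected types (tmp_t for /tmp, bin_t for postcat/postmap) are taken from the suggestion in the discussion and are an assumption; the actual type shipped in selinux-policy-2.4.6-107 is not stated on this page.

```shell
#!/bin/sh
# Added example: verify SELinux file types of the objects discussed in the bug.
# Input lines are constructed here; on a live host feed it the output of
# "ls -alZ /usr/sbin/postmap /usr/sbin/postcat" and "ls -lZd /tmp".

# context_type CONTEXT -> the type field of "user:role:type[:level]".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# ls_z_context LINE -> the context column (4th field) of an "ls -alZ" line
# in the RHEL 5 format quoted in the report (no MLS level column).
ls_z_context() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# check_line LINE EXPECTED_TYPE -> prints "<path> ok <type>" or
# "<path> MISMATCH <actual> expected <expected>"; returns 1 on mismatch.
check_line() {
    line=$1
    expected=$2
    path=$(printf '%s\n' "$line" | awk '{ print $NF }')
    actual=$(context_type "$(ls_z_context "$line")")
    if [ "$actual" = "$expected" ]; then
        echo "$path ok $actual"
        return 0
    fi
    echo "$path MISMATCH $actual expected $expected"
    return 1
}

# Constructed sample lines: the postmap line quoted in the report and a /tmp
# line in the same format (correctly labeled tmp_t, as the reporter states).
SAMPLE_POSTMAP='-rwxr-xr-x root root system_u:object_r:postfix_map_exec_t /usr/sbin/postmap'
SAMPLE_TMP='drwxrwxrwt root root system_u:object_r:tmp_t /tmp'

# run_checks -> 0 when every sample carries its expected type, 1 otherwise.
# Expected types are an assumption taken from the thread: tmp_t for /tmp and
# bin_t for the postfix user tools (the "chcon -t bin_t" suggestion above).
run_checks() {
    rc=0
    check_line "$SAMPLE_TMP" tmp_t || rc=1
    check_line "$SAMPLE_POSTMAP" bin_t || rc=1
    return $rc
}
```

A MISMATCH on /tmp is repaired with `restorecon /tmp` as the thread says; a MISMATCH on a postfix tool means the installed policy, not the file, decides whether the tool runs unconfined, so check the selinux-policy version before relabeling by hand.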