Bug 592752

Summary: Postfix can't chroot
Product: Red Hat Enterprise Linux 5
Reporter: David Kovalsky <dkovalsk>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 5.5
CC: benl, jrieden, ksrot, mlichvar, mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
Previously, SELinux prevented the Postfix mail transfer agent from creating a chroot environment. This issue has been resolved, and relevant rules have been added to permit this operation.
Last Closed: 2011-01-13 21:49:38 UTC

Description David Kovalsky 2010-05-16 17:28:10 UTC
I have configured postfix + amavis + clamav, but it doesn't work, because postfix can't chroot. 

type=AVC msg=audit(1274033642.497:2669): avc:  denied  { sys_chroot } for  pid=10323 comm="smtpd" capability=18 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:system_r:postfix_smtpd_t:s0 tclass=capability  

maillog gets filled with
May 16 20:16:04 services-ha-01 postfix/smtpd[10480]: fatal: chroot(/var/spool/postfix): Operation not permitted
May 16 20:16:05 services-ha-01 postfix/master[8601]: warning: process /usr/libexec/postfix/smtpd pid 10480 exit status 1
May 16 20:16:05 services-ha-01 postfix/master[8601]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling


postfix-2.3.3-2

Comment 1 Daniel Walsh 2010-05-17 13:36:38 UTC
This is allowed in RHEL6. Miroslav, can you add this permission?

You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Comment 2 Miroslav Grepl 2010-07-22 09:23:29 UTC
Fixed in selinux-policy-2.4.6-281.el5.noarch

Comment 7 Karel Srot 2010-11-15 15:37:04 UTC
Trying to reproduce this bug. As the first step I have configured various services from the default master.cf to be chrooted (using http://www.wains.be/pub/postfix-chroot) and (after restorecon -R /var/spool/postfix/lib) I am getting the following AVCs:

----
time->Mon Nov 15 16:30:38 2010
type=SYSCALL msg=audit(1289835038.190:83): arch=40000003 syscall=61 success=no exit=-1 a0=831e3a0 a1=c62a00 a2=d2cff4 a3=59 items=0 ppid=15929 pid=15932 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=4 comm="qmgr" exe="/usr/libexec/postfix/qmgr" subj=root:system_r:postfix_qmgr_t:s0 key=(null)
type=AVC msg=audit(1289835038.190:83): avc:  denied  { sys_chroot } for  pid=15932 comm="qmgr" capability=18 scontext=root:system_r:postfix_qmgr_t:s0 tcontext=root:system_r:postfix_qmgr_t:s0 tclass=capability
----
time->Mon Nov 15 16:30:38 2010
type=SYSCALL msg=audit(1289835038.174:82): arch=40000003 syscall=61 success=no exit=-1 a0=933d3a0 a1=95ba00 a2=f75ff4 a3=59 items=0 ppid=15929 pid=15931 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=4 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=root:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1289835038.174:82): avc:  denied  { sys_chroot } for  pid=15931 comm="pickup" capability=18 scontext=root:system_r:postfix_pickup_t:s0 tcontext=root:system_r:postfix_pickup_t:s0 tclass=capability

I think this should be also allowed. 
On the other hand, I can't see AVC from #c0, even with old selinux-policy.

Comment 8 Karel Srot 2010-11-16 10:15:46 UTC
Got even more AVCs after sending an email (additional services have been executed). Maybe there should be a boolean for chrooted postfix. Still working on the amavis stuff.

[root@rhel5 ~]# ausearch -m avc
----
time->Tue Nov 16 10:13:19 2010
type=SYSCALL msg=audit(1289898799.613:33): arch=40000003 syscall=61 success=yes exit=0 a0=9ab43a8 a1=484a00 a2=d2fff4 a3=59 items=0 ppid=3500 pid=3502 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=root:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1289898799.613:33): avc:  denied  { sys_chroot } for  pid=3502 comm="pickup" capability=18 scontext=root:system_r:postfix_pickup_t:s0 tcontext=root:system_r:postfix_pickup_t:s0 tclass=capability
----
time->Tue Nov 16 10:13:19 2010
type=SYSCALL msg=audit(1289898799.632:34): arch=40000003 syscall=61 success=yes exit=0 a0=8de23a8 a1=620a00 a2=8bbff4 a3=59 items=0 ppid=3500 pid=3503 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="qmgr" exe="/usr/libexec/postfix/qmgr" subj=root:system_r:postfix_qmgr_t:s0 key=(null)
type=AVC msg=audit(1289898799.632:34): avc:  denied  { sys_chroot } for  pid=3503 comm="qmgr" capability=18 scontext=root:system_r:postfix_qmgr_t:s0 tcontext=root:system_r:postfix_qmgr_t:s0 tclass=capability
----
time->Tue Nov 16 10:13:40 2010
type=SYSCALL msg=audit(1289898820.850:36): arch=40000003 syscall=61 success=yes exit=0 a0=84923e0 a1=e57a00 a2=4f1ff4 a3=59 items=0 ppid=3500 pid=3513 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="trivial-rewrite" exe="/usr/libexec/postfix/trivial-rewrite" subj=root:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1289898820.850:36): avc:  denied  { sys_chroot } for  pid=3513 comm="trivial-rewrite" capability=18 scontext=root:system_r:postfix_master_t:s0 tcontext=root:system_r:postfix_master_t:s0 tclass=capability
----
time->Tue Nov 16 10:13:40 2010
type=SYSCALL msg=audit(1289898820.871:37): arch=40000003 syscall=61 success=yes exit=0 a0=8ce83a8 a1=0 a2=a4dff4 a3=a50c08 items=0 ppid=3500 pid=3514 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="local" exe="/usr/libexec/postfix/local" subj=root:system_r:postfix_local_t:s0 key=(null)
type=AVC msg=audit(1289898820.871:37): avc:  denied  { sys_chroot } for  pid=3514 comm="local" capability=18 scontext=root:system_r:postfix_local_t:s0 tcontext=root:system_r:postfix_local_t:s0 tclass=capability
----
time->Tue Nov 16 10:13:40 2010
type=SYSCALL msg=audit(1289898820.826:35): arch=40000003 syscall=61 success=yes exit=0 a0=8f2d3a8 a1=330a00 a2=fa9ff4 a3=59 items=0 ppid=3500 pid=3512 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=root:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1289898820.826:35): avc:  denied  { sys_chroot } for  pid=3512 comm="cleanup" capability=18 scontext=root:system_r:postfix_cleanup_t:s0 tcontext=root:system_r:postfix_cleanup_t:s0 tclass=capability
----
time->Tue Nov 16 10:13:40 2010
type=SYSCALL msg=audit(1289898820.911:38): arch=40000003 syscall=61 success=yes exit=0 a0=82263a8 a1=362140 a2=5f1ff4 a3=59 items=0 ppid=3500 pid=3515 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="bounce" exe="/usr/libexec/postfix/bounce" subj=root:system_r:postfix_bounce_t:s0 key=(null)
type=AVC msg=audit(1289898820.911:38): avc:  denied  { sys_chroot } for  pid=3515 comm="bounce" capability=18 scontext=root:system_r:postfix_bounce_t:s0 tcontext=root:system_r:postfix_bounce_t:s0 tclass=capability
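
Added example (not part of the bug report or of the shipped policy): the `grep avc ... | audit2allow` workaround in Comment 1 turns every denial in the audit log into an allow rule, so this script filters records like the ones above down to self `sys_chroot` capability denials and emits a module containing only those rules. The module name `postfixchroot` and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). Module name "postfixchroot" and
# the sample records are constructed for illustration.

# stdin: audit records. stdout: sorted unique SELinux types that were denied
# sys_chroot on their own capability class (scontext == tcontext).
chroot_denied_types() {
    awk '
    index($0, "type=AVC") && index($0, "denied") {
        s = ""; t = ""; cls = ""; inb = 0; hit = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") inb = 1
            else if ($i == "}") inb = 0
            else if (inb && $i == "sys_chroot") hit = 1
            else if ($i ~ /^scontext=/) s = substr($i, 10)
            else if ($i ~ /^tcontext=/) t = substr($i, 10)
            else if ($i ~ /^tclass=/) cls = substr($i, 8)
        }
        split(s, c, ":")   # user:role:type:level
        # Accept only plain identifiers so log content cannot inject policy.
        if (hit && cls == "capability" && s == t && c[3] ~ /^[A-Za-z0-9_]+$/)
            print c[3]
    }' | sort -u
}

# stdin: type names. stdout: module source granting only sys_chroot to each.
emit_module() {
    types=$(cat)
    [ -n "$types" ] || return 1
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    for t in $types; do printf '\ttype %s;\n' "$t"; done
    printf '\tclass capability sys_chroot;\n}\n\n'
    for t in $types; do printf 'allow %s self:capability sys_chroot;\n' "$t"; done
}

# Constructed records in the format shown in this report; the last one is an
# unrelated denial that a blanket "grep avc | audit2allow" would also allow.
sample_records() {
    cat <<'EOF'
type=AVC msg=audit(1.0:1): avc:  denied  { sys_chroot } for  pid=1 comm="qmgr" capability=18 scontext=root:system_r:postfix_qmgr_t:s0 tcontext=root:system_r:postfix_qmgr_t:s0 tclass=capability
type=AVC msg=audit(1.0:2): avc:  denied  { sys_chroot } for  pid=2 comm="pickup" capability=18 scontext=root:system_r:postfix_pickup_t:s0 tcontext=root:system_r:postfix_pickup_t:s0 tclass=capability
type=AVC msg=audit(1.0:3): avc:  denied  { sys_chroot } for  pid=3 comm="qmgr" capability=18 scontext=root:system_r:postfix_qmgr_t:s0 tcontext=root:system_r:postfix_qmgr_t:s0 tclass=capability
type=AVC msg=audit(1.0:4): avc:  denied  { read } for  pid=4 comm="smtpd" name="example" scontext=root:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

sample_records | chroot_denied_types | emit_module postfixchroot
```

On a real system, pipe `ausearch -m avc` into `chroot_denied_types` instead of `sample_records`, save the output as postfixchroot.te and review it before loading. It can then be built and installed with `checkmodule -M -m -o postfixchroot.mod postfixchroot.te`, `semodule_package -o postfixchroot.pp -m postfixchroot.mod` and `semodule -i postfixchroot.pp`.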

Comment 9 David Kovalsky 2010-11-16 10:36:10 UTC
I think chrooting should be enabled and a boolean is not needed.

Or is there any harm in allowing a service (postfix services) to chroot? It seems like a good security practice to cut down on the privs as much as possible.

Comment 10 Miroslav Grepl 2010-11-16 12:11:22 UTC
I think we should just allow it in postfix_domain_template()


allow postfix_$1_t self:capability sys_chroot;

Comment 11 Karel Srot 2010-11-16 14:53:02 UTC
Chroot should probably be enabled for all available postfix services. Looking into /usr/libexec/postfix/, the following contexts are present:

postfix_bounce_exec_t postfix_cleanup_exec_t postfix_exec_t postfix_local_exec_t postfix_master_exec_t postfix_pickup_exec_t postfix_pipe_exec_t postfix_qmgr_exec_t postfix_showq_exec_t postfix_smtpd_exec_t postfix_smtp_exec_t postfix_virtual_exec_t

I am not sure about postfix_exec_t but all the rest should be postfix services from master.cf.

Comment 12 Miroslav Grepl 2010-11-16 15:09:40 UTC
Karel,
could you test it with the latest policy (-273), which I built a while ago?

Comment 13 Karel Srot 2010-11-16 16:16:56 UTC
Looks fine. No AVCs at all.

Comment 15 Jaromir Hradilek 2011-01-05 16:15:03 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, SELinux prevented the Postfix mail transfer agent from creating a chroot environment. This issue has been resolved, and relevant rules have been added to permit this operation.

Comment 17 errata-xmlrpc 2011-01-13 21:49:38 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html