Bug 627208
| Summary: | postfix_local_t cannot read usr_t files | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Joel Uckelman <uckelman> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 13 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-51.fc13 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-08-31 06:39:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Miroslav add files_read_usr_files(postfix_$1_t) to `postfix_domain_template' selinux-policy-3.7.19-51.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-51.fc13 I tested selinux-policy-3.7.19-51.fc13 without my custom module. It works. You guys are to be commended for your turnaround time on this---less than four hours! This is one of the reasons I love Fedora. selinux-policy-3.7.19-51.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-51.fc13 selinux-policy-3.7.19-51.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: The postfix_local_t domain cannot read files in the usr_t context. One of the useful things which the postfix local delivery daemon (which runs in the postfix_local_t domain) can do is pipe mail sent to a local address to a script. If that script happens to be a Perl script which in turn loads some Perl modules, those modules will likely live under /usr/share/perl5 and have the usr_t context. If postfix_local_t lacks permission to read these files, then such scripts will fail. Version-Release number of selected component (if applicable): selinux-policy-targeted-3.7.19-47.fc13.noarch How reproducible: Always. Steps to Reproduce: 1. Use postfix for delivering your mail. 2. Add an alias to /etc/aliases mapping some address to a Perl script. 3. Load some modules in that script, e.g., "use LWP::UserAgent;". 4. Send some mail to the address. Actual results: Various AVCs. Expected results: No AVCs. Additional info: I worked around this problem by adding the following policy module: module local 1.0; require { type postfix_local_t; type usr_t; class file { getattr read open ioctl }; } #============= postfix_local_t ============== allow postfix_local_t usr_t:file { getattr read open ioctl }; This was sufficient for my particular script to work properly.