Bug 719261

| Field | Value |
|---|---|
| Summary | SELinux policy forbids resending of queued e-mails in Postfix mail queue |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Robert Scheck <redhat-bugzilla> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | high |
| Docs Contact | |
| Priority | medium |
| Version | 6.1 |
| CC | dwalsh, jskarvad, mgrepl, mmalik, rdassen, robert.scheck, syeghiay |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | selinux-policy-3.7.19-104.el6 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2011-12-06 10:09:01 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
Description
Robert Scheck
2011-07-06 09:31:41 UTC
```
type=AVC msg=audit(1309944322.176:168768): avc: denied { getattr } for pid=12303 comm="pickup" path="/var/spool/postfix/maildrop/659885FAD4" dev=sda1 ino=391892 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=AVC msg=audit(1309944322.176:168769): avc: denied { getattr } for pid=12303 comm="pickup" path="/var/spool/postfix/maildrop/1D6F75FAC5" dev=sda1 ino=391877 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=AVC msg=audit(1309944322.176:168770): avc: denied { getattr } for pid=12303 comm="pickup" path="/var/spool/postfix/maildrop/239DD5FA7C" dev=sda1 ino=391804 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=AVC msg=audit(1309944339.945:168772): avc: denied { getattr } for pid=12396 comm="pickup" path="/var/spool/postfix/maildrop/659885FAD4" dev=sda1 ino=391892 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=AVC msg=audit(1309944339.945:168773): avc: denied { read } for pid=12396 comm="pickup" name="659885FAD4" dev=sda1 ino=391892 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=AVC msg=audit(1309944339.945:168773): avc: denied { open } for pid=12396 comm="pickup" name="659885FAD4" dev=sda1 ino=391892 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=AVC msg=audit(1309944339.984:168774): avc: denied { unlink } for pid=12396 comm="pickup" name="659885FAD4" dev=sda1 ino=391892 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=AVC msg=audit(1309944339.984:168775): avc: denied { getattr } for pid=12396 comm="pickup" path="/var/spool/postfix/maildrop/1D6F75FAC5" dev=sda1 ino=391877 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=AVC msg=audit(1309944339.984:168776): avc: denied { read } for pid=12396 comm="pickup" name="1D6F75FAC5" dev=sda1 ino=391877 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=AVC msg=audit(1309944339.984:168776): avc: denied { open } for pid=12396 comm="pickup" name="1D6F75FAC5" dev=sda1 ino=391877 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
```

---

Sorry, full output from audit.log here:

```
type=AVC msg=audit(1309944322.176:168768): avc: denied { getattr } for pid=12303 comm="pickup" path="/var/spool/postfix/maildrop/659885FAD4" dev=sda1 ino=391892 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1309944322.176:168768): arch=c000003e syscall=6 success=no exit=-13 a0=7f709fd13dd0 a1=7fff6a4223b8 a2=7fff6a4223b8 a3=7fff6a4220b0 items=0 ppid=12301 pid=12303 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=242 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=unconfined_u:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1309944322.176:168769): avc: denied { getattr } for pid=12303 comm="pickup" path="/var/spool/postfix/maildrop/1D6F75FAC5" dev=sda1 ino=391877 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1309944322.176:168769): arch=c000003e syscall=6 success=no exit=-13 a0=7f709fd13dd0 a1=7fff6a4223b8 a2=7fff6a4223b8 a3=4000 items=0 ppid=12301 pid=12303 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=242 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=unconfined_u:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1309944322.176:168770): avc: denied { getattr } for pid=12303 comm="pickup" path="/var/spool/postfix/maildrop/239DD5FA7C" dev=sda1 ino=391804 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1309944322.176:168770): arch=c000003e syscall=6 success=no exit=-13 a0=7f709fd13dd0 a1=7fff6a4223b8 a2=7fff6a4223b8 a3=4000 items=0 ppid=12301 pid=12303 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=242 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=unconfined_u:system_r:postfix_pickup_t:s0 key=(null)
type=MAC_STATUS msg=audit(1309944330.506:168771): enforcing=0 old_enforcing=1 auid=0 ses=242
type=SYSCALL msg=audit(1309944330.506:168771): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fff0898c480 a2=1 a3=fffffff8 items=0 ppid=11124 pid=12309 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=242 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1309944339.945:168772): avc: denied { getattr } for pid=12396 comm="pickup" path="/var/spool/postfix/maildrop/659885FAD4" dev=sda1 ino=391892 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1309944339.945:168772): arch=c000003e syscall=6 success=yes exit=0 a0=7f29ecca3dd0 a1=7fffe7ece8e8 a2=7fffe7ece8e8 a3=7fffe7ece5e0 items=0 ppid=12394 pid=12396 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=242 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=unconfined_u:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1309944339.945:168773): avc: denied { read } for pid=12396 comm="pickup" name="659885FAD4" dev=sda1 ino=391892 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=AVC msg=audit(1309944339.945:168773): avc: denied { open } for pid=12396 comm="pickup" name="659885FAD4" dev=sda1 ino=391892 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1309944339.945:168773): arch=c000003e syscall=2 success=yes exit=10 a0=7f29ecca3f90 a1=800 a2=0 a3=74 items=0 ppid=12394 pid=12396 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=242 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=unconfined_u:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1309944339.984:168774): avc: denied { unlink } for pid=12396 comm="pickup" name="659885FAD4" dev=sda1 ino=391892 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1309944339.984:168774): arch=c000003e syscall=87 success=yes exit=0 a0=7f29ecca3f90 a1=ffffffff a2=0 a3=7fffe7ece560 items=0 ppid=12394 pid=12396 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=242 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=unconfined_u:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1309944339.984:168775): avc: denied { getattr } for pid=12396 comm="pickup" path="/var/spool/postfix/maildrop/1D6F75FAC5" dev=sda1 ino=391877 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1309944339.984:168775): arch=c000003e syscall=6 success=yes exit=0 a0=7f29ecca3dd0 a1=7fffe7ece8e8 a2=7fffe7ece8e8 a3=7fffe7ece560 items=0 ppid=12394 pid=12396 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=242 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=unconfined_u:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1309944339.984:168776): avc: denied { read } for pid=12396 comm="pickup" name="1D6F75FAC5" dev=sda1 ino=391877 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=AVC msg=audit(1309944339.984:168776): avc: denied { open } for pid=12396 comm="pickup" name="1D6F75FAC5" dev=sda1 ino=391877 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1309944339.984:168776): arch=c000003e syscall=2 success=yes exit=10 a0=7f29ecca6590 a1=800 a2=0 a3=74 items=0 ppid=12394 pid=12396 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=242 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=unconfined_u:system_r:postfix_pickup_t:s0 key=(null)
```

---

I've cross-filed this issue as Service Request 00503445.

---

If you

```
# chcon -Rt postfix_spool_maildrop_t /var/spool/postfix/deferred/
```

Does the problem go away?

---

That label is in selinux-policy-3.7.19-102.el6

So I am marking this as modified.

---

No, that does not solve the issue here.

```
type=AVC msg=audit(1309981995.913:781): avc: denied { getattr } for pid=5506 comm="pickup" path="/var/spool/postfix/maildrop/F24C89EC7B" dev=sda1 ino=650363 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1309981995.913:781): arch=c000003e syscall=6 success=no exit=-13 a0=7f5762354e60 a1=7fff64189468 a2=7fff64189468 a3=7fff64189160 items=0 ppid=5504 pid=5506 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=124 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=unconfined_u:system_r:postfix_pickup_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1309982006.020:782): table=filter family=2 entries=101
type=SYSCALL msg=audit(1309982006.020:782): arch=c000003e syscall=54 success=yes exit=0 a0=3 a1=0 a2=40 a3=2720d50 items=0 ppid=5368 pid=5511 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=124 comm="iptables" exe="/sbin/iptables-multi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1309982010.037:783): avc: denied { getattr } for pid=5598 comm="pickup" path="/var/spool/postfix/maildrop/F24C89EC7B" dev=sda1 ino=650363 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1309982010.037:783): arch=c000003e syscall=6 success=no exit=-13 a0=7f6beb594e60 a1=7fff803a6688 a2=7fff803a6688 a3=7fff803a6380 items=0 ppid=5596 pid=5598 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=124 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=unconfined_u:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1309982010.037:784): avc: denied { read } for pid=5599 comm="qmgr" name="deferred" dev=sda1 ino=524859 scontext=unconfined_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=SYSCALL msg=audit(1309982010.037:784): arch=c000003e syscall=2 success=no exit=-13 a0=7f37c02233a0 a1=90800 a2=646572 a3=19 items=0 ppid=5596 pid=5599 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=124 comm="qmgr" exe="/usr/libexec/postfix/qmgr" subj=unconfined_u:system_r:postfix_qmgr_t:s0 key=(null)
type=AVC msg=audit(1309982022.705:785): avc: denied { getattr } for pid=5687 comm="pickup" path="/var/spool/postfix/maildrop/F24C89EC7B" dev=sda1 ino=650363 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1309982022.705:785): arch=c000003e syscall=6 success=no exit=-13 a0=7fc3186d6e60 a1=7fffd259aea8 a2=7fffd259aea8 a3=7fffd259aba0 items=0 ppid=5685 pid=5687 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=124 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=unconfined_u:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1309982022.706:786): avc: denied { read } for pid=5688 comm="qmgr" name="deferred" dev=sda1 ino=524859 scontext=unconfined_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=SYSCALL msg=audit(1309982022.706:786): arch=c000003e syscall=2 success=no exit=-13 a0=7f022a08c3a0 a1=90800 a2=646572 a3=19 items=0 ppid=5685 pid=5688 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=124 comm="qmgr" exe="/usr/libexec/postfix/qmgr" subj=unconfined_u:system_r:postfix_qmgr_t:s0 key=(null)
type=AVC msg=audit(1309982063.431:787): avc: denied { getattr } for pid=5781 comm="pickup" path="/var/spool/postfix/maildrop/F24C89EC7B" dev=sda1 ino=650363 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1309982063.431:787): arch=c000003e syscall=6 success=no exit=-13 a0=7fc207dcae60 a1=7ffffbb946d8 a2=7ffffbb946d8 a3=7ffffbb943d0 items=0 ppid=5779 pid=5781 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=124 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=unconfined_u:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1309982063.431:788): avc: denied { read } for pid=5782 comm="qmgr" name="deferred" dev=sda1 ino=524859 scontext=unconfined_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=SYSCALL msg=audit(1309982063.431:788): arch=c000003e syscall=2 success=no exit=-13 a0=7f0ab56173a0 a1=90800 a2=646572 a3=19 items=0 ppid=5779 pid=5782 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=124 comm="qmgr" exe="/usr/libexec/postfix/qmgr" subj=unconfined_u:system_r:postfix_qmgr_t:s0 key=(null)
```

---

Robert could you run

```
restorecon -R -v /var/spool/postfix
```

And see if you are still getting mislabeled files under maildrop directory.

You're right about the qmgr ones though, they are missing from RHEL6.2 policy.

---

I tried "chcon -Rt postfix_spool_maildrop_t /var/spool/postfix/defer" after the "chcon -Rt postfix_spool_maildrop_t /var/spool/postfix/deferred/" didn't change anything. But that didn't change anything, too. Here's the output that you requested with comment #9:

```
restorecon reset /var/spool/postfix/deferred context system_u:object_r:postfix_spool_maildrop_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/deferred/F context system_u:object_r:postfix_spool_maildrop_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/defer context system_u:object_r:postfix_spool_maildrop_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/defer/F context system_u:object_r:postfix_spool_maildrop_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/defer/F/F24C89EC7B context system_u:object_r:postfix_spool_maildrop_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/maildrop/F24C89EC7B context system_u:object_r:postfix_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
```

---

Ok lets try

```
# semanage fcontext -a -t postfix_spool_maildrop_t '/var/spool/postfix/defer(/.*)?'
# restorecon -R -v /var/spool/postfix
```

---

```
$ rpm -q selinux-policy
selinux-policy-3.7.19-93.el6.noarch
$
$ semanage fcontext -a -t postfix_spool_maildrop_t '/var/spool/postfix/defer(/.*)?'
$
$ restorecon -R -v /var/spool/postfix
restorecon reset /var/spool/postfix/defer context system_u:object_r:postfix_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/defer/6 context unconfined_u:object_r:postfix_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/defer/6/60D339ED85 context unconfined_u:object_r:postfix_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/defer/F context system_u:object_r:postfix_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/defer/F/F24C89EC7B context system_u:object_r:postfix_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
$
```

But Postfix is still unable to get the e-mail out:

```
postfix/pickup[8932]: warning: maildrop/60D339ED85: Permission denied
```

Audit log:

```
type=SYSCALL msg=audit(1310056418.355:3105): arch=c000003e syscall=1 success=yes exit=6133232 a0=4 a1=7fbd5189e000 a2=5d95f0 a3=7fff73e8c120 items=0 ppid=8837 pid=8838 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=231 comm="load_policy" exe="/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1310056442.384:3106): avc: denied { getattr } for pid=8932 comm="pickup" path="/var/spool/postfix/maildrop/60D339ED85" dev=sda1 ino=650629 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=unconfined_u:object_r:postfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1310056442.384:3106): arch=c000003e syscall=6 success=no exit=-13 a0=7f37ad863e60 a1=7fff99eb3488 a2=7fff99eb3488 a3=7fff99eb3180 items=0 ppid=8930 pid=8932 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=231 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=unconfined_u:system_r:postfix_pickup_t:s0 key=(null)
```

---

How are those files getting into that directory with that label. I thought they were being created in the defer or deferred directory and then mv'd to maildrop.

---

I'm not a Postfix guru, thus here's a full reproducer:

1. Get a fresh RHEL 6.1 installation with SELinux enforced
2. yum install postfix mutt -y
3. service postfix start
4. iptables -I OUTPUT -p tcp --dport 25 -j REJECT
5. date | mutt -s Subject something
6. mailq # repeat this until Postfix recognizes the connection refused
7. postsuper -r ALL
8. Have fun...

---

See if the postfix guys have any ideas?

We are seeing a problem with the contents of the /var/spool/postfix/maildrop directory are not getting the default label of system_u:object_r:postfix_spool_maildrop_t:s0 Which we would expect if the file was created in /var/spool/postfix/maildrop directory. It looks like the contents is created somewhere else in /var/spool/postfix and mv'd or renamed to this directory.

---

AFAIK it is moved from the /var/spool/postfix/deferred to /var/spool/postfix/maildrop on resend (in /var/spool/postfix/defer there is only log, no message). The following commands flushes my queue:

```
# postqueue -f
# estorecon -R -v /var/spool/postfix/maildrop/*
# postqueue -f
```

---

(In reply to comment #17):

```
# postsuper -r ALL
# restorecon -R -v /var/spool/postfix/maildrop/*
# postqueue -f
```

---

It seems to only occur if re-queued via 'postsuper' which performs direct queue access and uses move operation:

> stat("deferred/1/10CDE1929E", {st_mode=S_IFREG|0700, st_size=586, ...}) = 0
> rename("deferred/1/10CDE1929E", "maildrop/10CDE1929E") = 0

If let on qmgr the message is delivered as expected after delay.

---

(In reply to comment #17)

> AFAIK it is moved from the /var/spool/postfix/deferred to
> /var/spool/postfix/maildrop on resend (in /var/spool/postfix/defer there is
> only log, no message). The following commands flushes my queue:
>
> # postqueue -f
> # estorecon -R -v /var/spool/postfix/maildrop/*
> # postqueue -f

Strange. Since we have

```
# matchpathcon /var/spool/postfix/deferred
/var/spool/postfix/deferred system_u:object_r:postfix_spool_maildrop_t:s0
```

Jaroslav or postfix QA could you try to do steps to reproduce which Robert wrote.

---

RHEL6.2-20110708.n.0
postfix-2.6.6-3.el6.x86_64
selinux-policy-3.7.19-102.el6.noarch

```
# ls -Z /var/spool/postfix/
drwx------. postfix root system_u:object_r:postfix_spool_t:s0 active
drwx------. postfix root system_u:object_r:postfix_spool_bounce_t:s0 bounce
drwx------. postfix root system_u:object_r:postfix_spool_t:s0 corrupt
drwx------. postfix root system_u:object_r:postfix_spool_t:s0 defer
drwx------. postfix root system_u:object_r:postfix_spool_maildrop_t:s0 deferred
drwx------. postfix root system_u:object_r:postfix_spool_flush_t:s0 flush
drwx------. postfix root system_u:object_r:postfix_spool_t:s0 hold
drwx------. postfix root system_u:object_r:postfix_spool_t:s0 incoming
drwx-wx---. postfix postdrop system_u:object_r:postfix_spool_maildrop_t:s0 maildrop
drwxr-xr-x. root root system_u:object_r:var_run_t:s0 pid
drwx------. postfix root system_u:object_r:postfix_private_t:s0 private
drwx--x---. postfix postdrop system_u:object_r:postfix_public_t:s0 public
drwx------. postfix root system_u:object_r:postfix_spool_t:s0 saved
drwx------. postfix root system_u:object_r:postfix_spool_t:s0 trace
# iptables -I OUTPUT -p tcp --dport 25 -j REJECT
# date | sendmail jskarvad
# mailq
```

AVC appears:

```
type=AVC msg=audit(1310390726.417:53445): avc: denied { read } for pid=2451 comm="qmgr" name="deferred" dev=dm-0 ino=533445 scontext=unconfined_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=SYSCALL msg=audit(1310390726.417:53445): arch=c000003e syscall=2 success=no exit=-13 a0=7f836db546f0 a1=90800 a2=646572 a3=19 items=0 ppid=2288 pid=2451 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="qmgr" exe="/usr/libexec/postfix/qmgr" subj=unconfined_u:system_r:postfix_qmgr_t:s0 key=(null)
```

This is same as in bug 718268. So I relabelled the /var/spool/postfix/deferred to the same label which Robert originally had:

```
# semanage fcontext -a -t postfix_spool_t '/var/spool/postfix/deferred(/.*)?'
# restorecon -R -v /var/spool/postfix
restorecon reset /var/spool/postfix/deferred context system_u:object_r:postfix_spool_maildrop_t:s0->system_u:object_r:postfix_spool_t:s0
```

Deleted all messages:

```
# postsuper -d ALL
postsuper: Deleted: 1 message
```

Retried again:

```
# date | sendmail jskarvad
# mailq (repeated until refused)
# iptables -D OUTPUT -p tcp --dport 25 -j REJECT
# postsuper -r ALL
postsuper: Requeued: 1 message
# postqueue -f (only used to speed things up)
```

Another AVC appears:

```
type=AVC msg=audit(1310391200.253:53459): avc: denied { getattr } for pid=2290 comm="pickup" path="/var/spool/postfix/maildrop/5AAA38012C" dev=dm-0 ino=524588 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=unconfined_u:object_r:postfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1310391200.253:53459): arch=c000003e syscall=6 success=no exit=-13 a0=7fdd16ccd140 a1=7fff090e0d18 a2=7fff090e0d18 a3=8028 items=0 ppid=2288 pid=2290 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=unconfined_u:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1310391205.253:53460): avc: denied { getattr } for pid=2290 comm="pickup" path="/var/spool/postfix/maildrop/5AAA38012C" dev=dm-0 ino=524588 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=unconfined_u:object_r:postfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1310391205.253:53460): arch=c000003e syscall=6 success=no exit=-13 a0=7fdd16ccd140 a1=7fff090e0d18 a2=7fff090e0d18 a3=8028 items=0 ppid=2288 pid=2290 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=unconfined_u:system_r:postfix_pickup_t:s0 key=(null)
```

---

Reference mentioned in comment 4 refers to the issue on my employer's servers, further cross-filing of this issue as Service Request 00506725 for a customer of my employer experiencing now the same.

---

We just pushed out a test version of selinux policy selinux-policy-3.7.19-103.el6 onto people.redhat.com/dwalsh/SELinux/RHEL6

Could you try this.

---

It still doesn't work for me

I used:

```
# rpm -q selinux-policy
selinux-policy-3.7.19-103.el6.noarch
# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.7.19-103.el6.noarch
```

I run reproducer in permissive mode and I got the following AVCs:

```
# cat /var/log/audit/audit.log
type=AVC msg=audit(1311155076.957:23174): avc: denied { search } for pid=2721 comm="cleanup" name="defer" dev=dm-0 ino=274990 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=SYSCALL msg=audit(1311155076.957:23174): arch=c000003e syscall=87 success=no exit=-2 a0=7fba13e4b250 a1=0 a2=46 a3=7fff6ad7e3e0 items=0 ppid=2664 pid=2721 auid=501 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=unconfined_u:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1311155080.295:23175): avc: denied { search } for pid=2725 comm="bounce" name="defer" dev=dm-0 ino=274990 scontext=unconfined_u:system_r:postfix_bounce_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=SYSCALL msg=audit(1311155080.295:23175): arch=c000003e syscall=2 success=no exit=-2 a0=7fdff69623a0 a1=441 a2=180 a3=16 items=0 ppid=2664 pid=2725 auid=501 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="bounce" exe="/usr/libexec/postfix/bounce" subj=unconfined_u:system_r:postfix_bounce_t:s0 key=(null)
type=AVC msg=audit(1311155080.295:23176): avc: denied { getattr } for pid=2725 comm="bounce" path="/var/spool/postfix/defer" dev=dm-0 ino=274990 scontext=unconfined_u:system_r:postfix_bounce_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=SYSCALL msg=audit(1311155080.295:23176): arch=c000003e syscall=4 success=yes exit=0 a0=7fdff6962620 a1=7fff21c1f430 a2=7fff21c1f430 a3=7fff21c1f1a0 items=0 ppid=2664 pid=2725 auid=501 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="bounce" exe="/usr/libexec/postfix/bounce" subj=unconfined_u:system_r:postfix_bounce_t:s0 key=(null)
type=AVC msg=audit(1311155080.296:23177): avc: denied { write } for pid=2725 comm="bounce" name="defer" dev=dm-0 ino=274990 scontext=unconfined_u:system_r:postfix_bounce_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1311155080.296:23177): avc: denied { add_name } for pid=2725 comm="bounce" name="E" scontext=unconfined_u:system_r:postfix_bounce_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1311155080.296:23177): avc: denied { create } for pid=2725 comm="bounce" name="E" scontext=unconfined_u:system_r:postfix_bounce_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=SYSCALL msg=audit(1311155080.296:23177): arch=c000003e syscall=83 success=yes exit=0 a0=7fdff6962620 a1=1c0 a2=ffffffff a3=7fff21c1f1a0 items=0 ppid=2664 pid=2725 auid=501 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="bounce" exe="/usr/libexec/postfix/bounce" subj=unconfined_u:system_r:postfix_bounce_t:s0 key=(null)
type=AVC msg=audit(1311155080.296:23178): avc: denied { search } for pid=2725 comm="bounce" name="E" dev=dm-0 ino=268414 scontext=unconfined_u:system_r:postfix_bounce_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1311155080.296:23178): avc: denied { write } for pid=2725 comm="bounce" name="E" dev=dm-0 ino=268414 scontext=unconfined_u:system_r:postfix_bounce_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1311155080.296:23178): avc: denied { add_name } for pid=2725 comm="bounce" name="E9D844187F" scontext=unconfined_u:system_r:postfix_bounce_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1311155080.296:23178): avc: denied { create } for pid=2725 comm="bounce" name="E9D844187F" scontext=unconfined_u:system_r:postfix_bounce_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1311155080.296:23178): avc: denied { append open } for pid=2725 comm="bounce" name="E9D844187F" dev=dm-0 ino=268416 scontext=unconfined_u:system_r:postfix_bounce_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=SYSCALL msg=audit(1311155080.296:23178): arch=c000003e syscall=2 success=yes exit=11 a0=7fdff69623a0 a1=441 a2=180 a3=7fff21c1f1a0 items=0 ppid=2664 pid=2725 auid=501 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="bounce" exe="/usr/libexec/postfix/bounce" subj=unconfined_u:system_r:postfix_bounce_t:s0 key=(null)
type=AVC msg=audit(1311155080.296:23179): avc: denied { lock } for pid=2725 comm="bounce" path="/var/spool/postfix/defer/E/E9D844187F" dev=dm-0 ino=268416 scontext=unconfined_u:system_r:postfix_bounce_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=SYSCALL msg=audit(1311155080.296:23179): arch=c000003e syscall=73 success=yes exit=0 a0=b a1=6 a2=6 a3=fffffffffffffff0 items=0 ppid=2664 pid=2725 auid=501 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="bounce" exe="/usr/libexec/postfix/bounce" subj=unconfined_u:system_r:postfix_bounce_t:s0 key=(null)
type=AVC msg=audit(1311155080.347:23180): avc: denied { create } for pid=2667 comm="qmgr" name="E" scontext=unconfined_u:system_r:postfix_qmgr_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=SYSCALL msg=audit(1311155080.347:23180): arch=c000003e syscall=83 success=yes exit=0 a0=7fd2220ab5d0 a1=1c0 a2=ffffffff a3=7fffacd0b9f0 items=0 ppid=2664 pid=2667 auid=501 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="qmgr" exe="/usr/libexec/postfix/qmgr" subj=unconfined_u:system_r:postfix_qmgr_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1311155101.707:23181): table=filter family=2 entries=12
type=SYSCALL msg=audit(1311155101.707:23181): arch=c000003e syscall=54 success=yes exit=0 a0=3 a1=0 a2=40 a3=1ab4710 items=0 ppid=2701 pid=2729 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="iptables" exe="/sbin/iptables-multi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1311155115.166:23182): avc: denied { getattr } for pid=2666 comm="pickup" path="/var/spool/postfix/maildrop/E9D844187F" dev=dm-0 ino=268415 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=unconfined_u:object_r:postfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1311155115.166:23182): arch=c000003e syscall=6 success=yes exit=0 a0=7f0e14afae00 a1=7fffcbc2e518 a2=7fffcbc2e518 a3=8028 items=0 ppid=2664 pid=2666 auid=501 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=unconfined_u:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1311155115.166:23183): avc: denied { read } for pid=2666 comm="pickup" name="E9D844187F" dev=dm-0 ino=268415 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=unconfined_u:object_r:postfix_spool_t:s0 tclass=file
type=AVC msg=audit(1311155115.166:23183): avc: denied { open } for pid=2666 comm="pickup" name="E9D844187F" dev=dm-0 ino=268415 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=unconfined_u:object_r:postfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1311155115.166:23183): arch=c000003e syscall=2 success=yes exit=10 a0=7f0e14afaf60 a1=800 a2=0 a3=74 items=0 ppid=2664 pid=2666 auid=501 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=unconfined_u:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1311155115.228:23184): avc: denied { unlink } for pid=2666 comm="pickup" name="E9D844187F" dev=dm-0 ino=268415 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=unconfined_u:object_r:postfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1311155115.228:23184): arch=c000003e syscall=87 success=yes exit=0 a0=7f0e14afaf60 a1=ffffffff a2=0 a3=0 items=0 ppid=2664 pid=2666 auid=501 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=unconfined_u:system_r:postfix_pickup_t:s0 key=(null)
```

```
# ausearch -m AVC | audit2allow

#============= postfix_bounce_t ==============
#!!!! The source type 'postfix_bounce_t' can write to a 'dir' of the following types:
# postfix_bounce_tmp_t, postfix_spool_bounce_t, postfix_spool_t

allow postfix_bounce_t postfix_spool_maildrop_t:dir { write search getattr create add_name };
allow postfix_bounce_t postfix_spool_maildrop_t:file { lock create open append };

#============= postfix_cleanup_t ==============
allow postfix_cleanup_t postfix_spool_maildrop_t:dir search;

#============= postfix_pickup_t ==============
allow postfix_pickup_t postfix_spool_t:file { read getattr unlink open };

#============= postfix_qmgr_t ==============
allow postfix_qmgr_t postfix_spool_maildrop_t:dir create;
```

---

Try the latest policy selinux-policy-targeted-3.7.19-104.el6 which is available from brew.

---

With selinux-policy-3.7.19-104.el6 it works like a charm. Thank you.

---

selinux-policy-targeted-3.7.19-106.el6.noarch solves the problem for me. Thanks.

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html
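The thread turns on a distinction that `audit2allow` does not make: the pickup denials are caused by queue files that `postsuper -r` renames from `deferred/` into `maildrop/` and that therefore keep the `postfix_spool_t` label of their old directory, while the qmgr, bounce and cleanup denials are genuinely missing rules in the policy. The first kind is fixed by `restorecon` (as the comments show), the second by a policy update; turning the first kind into an `allow` rule would only widen the policy. The script below is an added example (not code from the bug or from the selinux-policy package) that parses AVC records, groups them the way `audit2allow` does, and flags the path-bearing denials whose target type differs from the directory's default label. The sample records are copied from the denials reported in this bug; `EXPECTED_TYPES` is taken from the `ls -Z /var/spool/postfix/` listing in the thread and is an assumption for any other policy version (check with `matchpathcon` first).

```python
"""Group SELinux AVC denials audit2allow-style and separate mislabelled files
from missing policy rules.

Added example, not code from the bug report or from the selinux-policy package.
"""
import re
from collections import defaultdict

# Sample input: AVC records copied from the denials reported in this bug, plus
# one SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1309944339.945:168773): avc: denied { read } for pid=12396 comm="pickup" name="659885FAD4" dev=sda1 ino=391892 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=AVC msg=audit(1309944339.945:168773): avc: denied { open } for pid=12396 comm="pickup" name="659885FAD4" dev=sda1 ino=391892 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=AVC msg=audit(1309944339.984:168774): avc: denied { unlink } for pid=12396 comm="pickup" name="659885FAD4" dev=sda1 ino=391892 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=AVC msg=audit(1310391200.253:53459): avc: denied { getattr } for pid=2290 comm="pickup" path="/var/spool/postfix/maildrop/5AAA38012C" dev=dm-0 ino=524588 scontext=unconfined_u:system_r:postfix_pickup_t:s0 tcontext=unconfined_u:object_r:postfix_spool_t:s0 tclass=file
type=AVC msg=audit(1310390726.417:53445): avc: denied { read } for pid=2451 comm="qmgr" name="deferred" dev=dm-0 ino=533445 scontext=unconfined_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1311155080.296:23178): avc: denied { append open } for pid=2725 comm="bounce" name="E9D844187F" dev=dm-0 ino=268416 scontext=unconfined_u:system_r:postfix_bounce_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=SYSCALL msg=audit(1311155115.166:23183): arch=c000003e syscall=2 success=yes exit=10 a0=7f0e14afaf60 a1=800 a2=0 a3=74 items=0 ppid=2664 pid=2666 auid=501 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=unconfined_u:system_r:postfix_pickup_t:s0 key=(null)
"""

# Default labels of the spool subdirectories, from the `ls -Z /var/spool/postfix/`
# output in this thread (selinux-policy-3.7.19-102.el6).  Assumption for any
# other policy version: verify with `matchpathcon <dir>` before relying on it.
EXPECTED_TYPES = {
    "/var/spool/postfix/maildrop": "postfix_spool_maildrop_t",
    "/var/spool/postfix/deferred": "postfix_spool_maildrop_t",
    "/var/spool/postfix/defer": "postfix_spool_t",
}

# "avc: denied { perm [perm ...] } for key=value ..."; real logs use two spaces
# after "avc:" and "denied", hence \s+ everywhere.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one denied AVC record, or None for any other record."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        # getattr denials carry a full path=; open/read/unlink only a bare name=
        "path": fields.get("path") or fields.get("name"),
        "stype": fields["scontext"].split(":")[2],   # user:role:TYPE:level
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def summarize(lines):
    """Union of denied permissions per (source type, target type, class)."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(groups)


def allow_rules(lines):
    """Render the summary as the allow rules audit2allow would propose."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summarize(lines).items())]


def mislabeled(lines):
    """(path, actual type, expected type) for denials explained by a stale label.

    Only records with an absolute path= can be checked; a bare name= does not
    say which directory the object lives in.
    """
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if not rec or not rec["path"] or not rec["path"].startswith("/"):
            continue
        parent = rec["path"].rsplit("/", 1)[0]
        expected = EXPECTED_TYPES.get(parent)
        if expected and expected != rec["ttype"]:
            hits.append((rec["path"], rec["ttype"], expected))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_AUDIT_LOG.splitlines()
    print("\n".join(allow_rules(lines)))
    for path, actual, expected in mislabeled(lines):
        print(f"{path}: labelled {actual}, directory default is {expected}; "
              f"run restorecon on it instead of adding a rule")
```

On the sample records the `postfix_pickup_t`/`postfix_spool_t` group is reported as a mislabel (the `maildrop/5AAA38012C` file should be `postfix_spool_maildrop_t`), which is the case `restorecon -R -v /var/spool/postfix/maildrop` resolved in the thread, while the qmgr and bounce groups have no path mismatch and correspond to the rules that landed in selinux-policy-3.7.19-104.el6. To run it against a live system, replace `SAMPLE_AUDIT_LOG.splitlines()` with the output of `ausearch -m AVC --raw`.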