Bug 720869
| Summary: | SELinux is preventing /usr/libexec/postfix/master from 'read' accesses on the fifo_file /var/spool/postfix/public/pickup. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | DAKSH <abhijit4daksh> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 15 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:36a4a94679b5405c473c1e3c81564346b4cdfe513d935caeb7e00e179938fce0 | ||
| Fixed In Version: | selinux-policy-3.9.16-34.fc15 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-07-18 22:32:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
/var/spool/postfix/public/pickup is mislabeled. What does # ls -dZ /var/spool/postfix/public # restorecon -R -v /var/spool/postfix/public will fix it. ls -dZ /var/spool/postfix/public showing this.
drwx--x---. postfix postdrop system_u:object_r:postfix_public_t:s0 /var/spool/postfix/public
I tried with restorecon -R -v /var/spool/postfix/public
Now I got this
ELinux is preventing /usr/libexec/postfix/qmgr from add_name access on the directory 7.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that qmgr should be allowed add_name access on the 7 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qmgr /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:postfix_qmgr_t:s0
Target Context system_u:object_r:postfix_spool_maildrop_t:s0
Target Objects 7 [ dir ]
Source qmgr
Source Path /usr/libexec/postfix/qmgr
Port <Unknown>
Host localhost
Source RPM Packages postfix-2.8.3-1.fc15
Target RPM Packages
Policy RPM selinux-policy-3.9.16-32.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost
Platform Linux localhost 2.6.38.8-35.fc15.x86_64 #1 SMP Wed
Jul 6 13:58:54 UTC 2011 x86_64 x86_64
Alert Count 1
First Seen Wed 13 Jul 2011 07:09:15 PM IST
Last Seen Wed 13 Jul 2011 07:09:15 PM IST
Local ID 43e292ee-2b29-4410-92c8-4a4c94acfe22
Raw Audit Messages
type=AVC msg=audit(1310564355.260:94): avc: denied { add_name } for pid=2821 comm="qmgr" name="7" scontext=system_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=SYSCALL msg=audit(1310564355.260:94): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=7fa1cde2b7e0 a1=1c0 a2=ffffffffffffff80 a3=7ffff79c8160 items=0 ppid=1488 pid=2821 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm=qmgr exe=/usr/libexec/postfix/qmgr subj=system_u:system_r:postfix_qmgr_t:s0 key=(null)
Hash: qmgr,postfix_qmgr_t,postfix_spool_maildrop_t,dir,add_name
audit2allow
#============= postfix_qmgr_t ==============
allow postfix_qmgr_t postfix_spool_maildrop_t:dir add_name;
audit2allow -R
#============= postfix_qmgr_t ==============
allow postfix_qmgr_t postfix_spool_maildrop_t:dir add_name;
Yes, this is known issue. You can execute # semanage permissive -a postfix_qmgr_t as workaround for now. Will make postfix_qmgr_t domain permissive. It's driving me crazy each and every minutes sealert appearing. But can't take the risk to disable selinux. Now I am getting this
SELinux is preventing /usr/libexec/postfix/smtpd from search access on the directory /var/lib/mysql.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that smtpd should be allowed search access on the mysql directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep smtpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:postfix_smtpd_t:s0
Target Context system_u:object_r:mysqld_db_t:s0
Target Objects /var/lib/mysql [ dir ]
Source smtpd
Source Path /usr/libexec/postfix/smtpd
Port <Unknown>
Host localhost
Source RPM Packages postfix-2.8.3-1.fc15
Target RPM Packages mysql-server-5.5.13-2.fc15
Policy RPM selinux-policy-3.9.16-32.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost
Platform Linux localhost 2.6.38.8-35.fc15.x86_64 #1 SMP Wed
Jul 6 13:58:54 UTC 2011 x86_64 x86_64
Alert Count 2
First Seen Wed 13 Jul 2011 09:27:20 PM IST
Last Seen Wed 13 Jul 2011 09:30:25 PM IST
Local ID 982a0741-2118-43d8-97a1-5aa750f29768
Raw Audit Messages
type=AVC msg=audit(1310572825.293:289): avc: denied { search } for pid=12021 comm="smtpd" name="mysql" dev=sda8 ino=399311 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=SYSCALL msg=audit(1310572825.293:289): arch=x86_64 syscall=connect success=no exit=EACCES a0=11 a1=7fffbf49a6f0 a2=6e a3=7fffbf49a220 items=0 ppid=12016 pid=12021 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm=smtpd exe=/usr/libexec/postfix/smtpd subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
Hash: smtpd,postfix_smtpd_t,mysqld_db_t,dir,search
audit2allow
#============= postfix_smtpd_t ==============
allow postfix_smtpd_t mysqld_db_t:dir search;
audit2allow -R
#============= postfix_smtpd_t ==============
allow postfix_smtpd_t mysqld_db_t:dir search;
Are you mailing something out of mysqld_db_t? no actually I am setting up postfix for virtual mailbox with mysql if you execute # semanage permissive -a postfix_smtpd_t which avc msgs are you getting then? I did after I posted last comment but selinux again pointing on that postfix_qmgr_t so I tried again semanage semanage permissive -a postfix_qmgr_t than again selinux pointing on postfix_smtpd_t after semanage postfix_smtpd_t then again postfix_qmgr_t. Practically it's turning clockwise. I think this is a bug(may be I do not much about linux development and selinux) is there any way to fix it? Well, this command won't fix it. It makes a domain as permissive domain. So a service will work and we will see avc msgs. Which is what I would like to see. so what I suppose to do. I am asking because may be I am using fedora since fedora core 8 but i am very much new to hosting or server administration. Can you tell me what should I do know? trying with semanage permissive -a postfix_t Fixed in selinux-policy-3.9.16-34.fc15 Please give me your output of # semanage permissive -l |grep postfix semanage permissive -l |grep postfix /usr/sbin/semanage: SELinux policy is not managed or store cannot be accessed. I have created at least 10 local policies to work with. Till now from tomorrow Sealeart has not shown up yet. You need to run this command as root su -c 'semanage permissive -l |grep postfix' I am just building a new F15 policy which should fix your issues. The new packages are available from koji for now http://koji.fedoraproject.org/koji/buildinfo?buildID=252982 Thanks Mirosalv. I really appreciate your help selinux-policy-3.9.16-34.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-34.fc15 Package selinux-policy-3.9.16-34.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-34.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-34.fc15 then log in and leave karma (feedback). selinux-policy-3.9.16-34.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. |
SELinux is preventing /usr/libexec/postfix/master from 'read' accesses on the fifo_file /var/spool/postfix/public/pickup. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that master should be allowed read access on the pickup fifo_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep master /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:postfix_master_t:s0 Target Context system_u:object_r:postfix_spool_t:s0 Target Objects /var/spool/postfix/public/pickup [ fifo_file ] Source master Source Path /usr/libexec/postfix/master Port <Unknown> Host (removed) Source RPM Packages postfix-2.8.3-1.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-32.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen Wed 13 Jul 2011 08:48:32 AM IST Last Seen Wed 13 Jul 2011 08:48:32 AM IST Local ID 80aab5df-1ed5-4b07-a3ec-ca681576932a Raw Audit Messages type=AVC msg=audit(1310527112.976:158): avc: denied { read } for pid=7887 comm="master" name="pickup" dev=sda8 ino=786514 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=fifo_file type=SYSCALL msg=audit(1310527112.976:158): arch=x86_64 syscall=open success=no exit=EACCES a0=7f3b8bc1e260 a1=802 a2=0 a3=7fff18c32a60 items=0 ppid=1 pid=7887 auid=4294967295 uid=0 gid=0 euid=89 suid=0 fsuid=89 egid=89 sgid=0 fsgid=89 tty=(none) ses=4294967295 comm=master exe=/usr/libexec/postfix/master subj=system_u:system_r:postfix_master_t:s0 key=(null) Hash: master,postfix_master_t,postfix_spool_t,fifo_file,read audit2allow #============= postfix_master_t ============== allow postfix_master_t postfix_spool_t:fifo_file read; audit2allow -R #============= postfix_master_t ============== allow postfix_master_t postfix_spool_t:fifo_file read;