Bug 720869
Summary: | SELinux is preventing /usr/libexec/postfix/master from 'read' accesses on the fifo_file /var/spool/postfix/public/pickup. | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | DAKSH <abhijit4daksh> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 15 | CC: | dominick.grift, dwalsh, mgrepl |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | setroubleshoot_trace_hash:36a4a94679b5405c473c1e3c81564346b4cdfe513d935caeb7e00e179938fce0 | ||
Fixed In Version: | selinux-policy-3.9.16-34.fc15 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2011-07-18 22:32:33 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
DAKSH
2011-07-13 03:27:06 UTC
/var/spool/postfix/public/pickup is mislabeled. What does # ls -dZ /var/spool/postfix/public # restorecon -R -v /var/spool/postfix/public will fix it. ls -dZ /var/spool/postfix/public showing this. drwx--x---. postfix postdrop system_u:object_r:postfix_public_t:s0 /var/spool/postfix/public I tried with restorecon -R -v /var/spool/postfix/public Now I got this ELinux is preventing /usr/libexec/postfix/qmgr from add_name access on the directory 7. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that qmgr should be allowed add_name access on the 7 directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep qmgr /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:postfix_qmgr_t:s0 Target Context system_u:object_r:postfix_spool_maildrop_t:s0 Target Objects 7 [ dir ] Source qmgr Source Path /usr/libexec/postfix/qmgr Port <Unknown> Host localhost Source RPM Packages postfix-2.8.3-1.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-32.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost Platform Linux localhost 2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen Wed 13 Jul 2011 07:09:15 PM IST Last Seen Wed 13 Jul 2011 07:09:15 PM IST Local ID 43e292ee-2b29-4410-92c8-4a4c94acfe22 Raw Audit Messages type=AVC msg=audit(1310564355.260:94): avc: denied { add_name } for pid=2821 comm="qmgr" name="7" scontext=system_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir type=SYSCALL msg=audit(1310564355.260:94): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=7fa1cde2b7e0 a1=1c0 a2=ffffffffffffff80 a3=7ffff79c8160 items=0 ppid=1488 pid=2821 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm=qmgr exe=/usr/libexec/postfix/qmgr subj=system_u:system_r:postfix_qmgr_t:s0 key=(null) Hash: qmgr,postfix_qmgr_t,postfix_spool_maildrop_t,dir,add_name audit2allow #============= postfix_qmgr_t ============== allow postfix_qmgr_t postfix_spool_maildrop_t:dir add_name; audit2allow -R #============= postfix_qmgr_t ============== allow postfix_qmgr_t postfix_spool_maildrop_t:dir add_name; Yes, this is known issue. You can execute # semanage permissive -a postfix_qmgr_t as workaround for now. Will make postfix_qmgr_t domain permissive. It's driving me crazy each and every minutes sealert appearing. But can't take the risk to disable selinux. Now I am getting this SELinux is preventing /usr/libexec/postfix/smtpd from search access on the directory /var/lib/mysql. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that smtpd should be allowed search access on the mysql directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep smtpd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:postfix_smtpd_t:s0 Target Context system_u:object_r:mysqld_db_t:s0 Target Objects /var/lib/mysql [ dir ] Source smtpd Source Path /usr/libexec/postfix/smtpd Port <Unknown> Host localhost Source RPM Packages postfix-2.8.3-1.fc15 Target RPM Packages mysql-server-5.5.13-2.fc15 Policy RPM selinux-policy-3.9.16-32.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost Platform Linux localhost 2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54 UTC 2011 x86_64 x86_64 Alert Count 2 First Seen Wed 13 Jul 2011 09:27:20 PM IST Last Seen Wed 13 Jul 2011 09:30:25 PM IST Local ID 982a0741-2118-43d8-97a1-5aa750f29768 Raw Audit Messages type=AVC msg=audit(1310572825.293:289): avc: denied { search } for pid=12021 comm="smtpd" name="mysql" dev=sda8 ino=399311 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir type=SYSCALL msg=audit(1310572825.293:289): arch=x86_64 syscall=connect success=no exit=EACCES a0=11 a1=7fffbf49a6f0 a2=6e a3=7fffbf49a220 items=0 ppid=12016 pid=12021 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm=smtpd exe=/usr/libexec/postfix/smtpd subj=system_u:system_r:postfix_smtpd_t:s0 key=(null) Hash: smtpd,postfix_smtpd_t,mysqld_db_t,dir,search audit2allow #============= postfix_smtpd_t ============== allow postfix_smtpd_t mysqld_db_t:dir search; audit2allow -R #============= postfix_smtpd_t ============== allow postfix_smtpd_t mysqld_db_t:dir search; Are you mailing something out of mysqld_db_t? no actually I am setting up postfix for virtual mailbox with mysql if you execute # semanage permissive -a postfix_smtpd_t which avc msgs are you getting then? I did after I posted last comment but selinux again pointing on that postfix_qmgr_t so I tried again semanage semanage permissive -a postfix_qmgr_t than again selinux pointing on postfix_smtpd_t after semanage postfix_smtpd_t then again postfix_qmgr_t. Practically it's turning clockwise. I think this is a bug(may be I do not much about linux development and selinux) is there any way to fix it? Well, this command won't fix it. It makes a domain as permissive domain. So a service will work and we will see avc msgs. Which is what I would like to see. so what I suppose to do. I am asking because may be I am using fedora since fedora core 8 but i am very much new to hosting or server administration. Can you tell me what should I do know? trying with semanage permissive -a postfix_t Fixed in selinux-policy-3.9.16-34.fc15 Please give me your output of # semanage permissive -l |grep postfix semanage permissive -l |grep postfix /usr/sbin/semanage: SELinux policy is not managed or store cannot be accessed. I have created at least 10 local policies to work with. Till now from tomorrow Sealeart has not shown up yet. You need to run this command as root su -c 'semanage permissive -l |grep postfix' I am just building a new F15 policy which should fix your issues. The new packages are available from koji for now http://koji.fedoraproject.org/koji/buildinfo?buildID=252982 Thanks Mirosalv. I really appreciate your help selinux-policy-3.9.16-34.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-34.fc15 Package selinux-policy-3.9.16-34.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-34.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-34.fc15 then log in and leave karma (feedback). selinux-policy-3.9.16-34.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. |