Bug 720869

/var/spool/postfix/public/pickup is mislabeled. What does

# ls -dZ /var/spool/postfix/public



# restorecon -R -v /var/spool/postfix/public

will fix it.

ls -dZ /var/spool/postfix/public showing this.
drwx--x---. postfix postdrop system_u:object_r:postfix_public_t:s0 /var/spool/postfix/public

I tried with restorecon -R -v /var/spool/postfix/public

Now I got this


ELinux is preventing /usr/libexec/postfix/qmgr from add_name access on the directory 7.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that qmgr should be allowed add_name access on the 7 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qmgr /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:postfix_qmgr_t:s0
Target Context                system_u:object_r:postfix_spool_maildrop_t:s0
Target Objects                7 [ dir ]
Source                        qmgr
Source Path                   /usr/libexec/postfix/qmgr
Port                          <Unknown>
Host                          localhost
Source RPM Packages           postfix-2.8.3-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-32.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 2.6.38.8-35.fc15.x86_64 #1 SMP Wed
                              Jul 6 13:58:54 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 13 Jul 2011 07:09:15 PM IST
Last Seen                     Wed 13 Jul 2011 07:09:15 PM IST
Local ID                      43e292ee-2b29-4410-92c8-4a4c94acfe22

Raw Audit Messages
type=AVC msg=audit(1310564355.260:94): avc:  denied  { add_name } for  pid=2821 comm="qmgr" name="7" scontext=system_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir


type=SYSCALL msg=audit(1310564355.260:94): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=7fa1cde2b7e0 a1=1c0 a2=ffffffffffffff80 a3=7ffff79c8160 items=0 ppid=1488 pid=2821 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm=qmgr exe=/usr/libexec/postfix/qmgr subj=system_u:system_r:postfix_qmgr_t:s0 key=(null)

Hash: qmgr,postfix_qmgr_t,postfix_spool_maildrop_t,dir,add_name

audit2allow

#============= postfix_qmgr_t ==============
allow postfix_qmgr_t postfix_spool_maildrop_t:dir add_name;

audit2allow -R

#============= postfix_qmgr_t ==============
allow postfix_qmgr_t postfix_spool_maildrop_t:dir add_name;

Yes, this is known issue.

You can execute

# semanage permissive -a postfix_qmgr_t

as workaround for now. Will make postfix_qmgr_t domain permissive.

It's driving me crazy each and every minutes sealert appearing. But can't take the risk to disable selinux.

Now I am getting this 

SELinux is preventing /usr/libexec/postfix/smtpd from search access on the directory /var/lib/mysql.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that smtpd should be allowed search access on the mysql directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep smtpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:postfix_smtpd_t:s0
Target Context                system_u:object_r:mysqld_db_t:s0
Target Objects                /var/lib/mysql [ dir ]
Source                        smtpd
Source Path                   /usr/libexec/postfix/smtpd
Port                          <Unknown>
Host                          localhost
Source RPM Packages           postfix-2.8.3-1.fc15
Target RPM Packages           mysql-server-5.5.13-2.fc15
Policy RPM                    selinux-policy-3.9.16-32.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 2.6.38.8-35.fc15.x86_64 #1 SMP Wed
                              Jul 6 13:58:54 UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 13 Jul 2011 09:27:20 PM IST
Last Seen                     Wed 13 Jul 2011 09:30:25 PM IST
Local ID                      982a0741-2118-43d8-97a1-5aa750f29768

Raw Audit Messages
type=AVC msg=audit(1310572825.293:289): avc:  denied  { search } for  pid=12021 comm="smtpd" name="mysql" dev=sda8 ino=399311 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir


type=SYSCALL msg=audit(1310572825.293:289): arch=x86_64 syscall=connect success=no exit=EACCES a0=11 a1=7fffbf49a6f0 a2=6e a3=7fffbf49a220 items=0 ppid=12016 pid=12021 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm=smtpd exe=/usr/libexec/postfix/smtpd subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)

Hash: smtpd,postfix_smtpd_t,mysqld_db_t,dir,search

audit2allow

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t mysqld_db_t:dir search;

audit2allow -R

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t mysqld_db_t:dir search;

Are you mailing something out of mysqld_db_t?

no actually I am setting up postfix for virtual mailbox with mysql

if you execute

# semanage permissive -a postfix_smtpd_t

which avc msgs are you getting then?

I did after I posted last comment but selinux again pointing on that postfix_qmgr_t so I tried again semanage semanage permissive -a postfix_qmgr_t
than again selinux pointing on postfix_smtpd_t after semanage postfix_smtpd_t then again postfix_qmgr_t.
Practically it's turning clockwise. I think this is a bug(may be I do not much about linux development and selinux) is there any way to fix it?

Well, this command won't fix it. It makes a domain as permissive domain. So a service will work and we will see avc msgs. Which is what I would like to see.

so what I suppose to do. I am asking because may be I am using fedora since fedora core 8 but i am very much new to hosting or server administration. Can you tell me what should I do know?

trying with semanage permissive -a postfix_t

Fixed in selinux-policy-3.9.16-34.fc15


Please give me your output of

# semanage permissive -l |grep postfix

semanage permissive -l |grep postfix
/usr/sbin/semanage: SELinux policy is not managed or store cannot be accessed.

I have created at least 10 local policies to work with. Till now from tomorrow Sealeart has not shown up yet.

You need to run this command as root

su -c 'semanage permissive -l |grep postfix'

I am just building a new F15 policy which should fix your issues.

The new packages are available from koji for now

http://koji.fedoraproject.org/koji/buildinfo?buildID=252982

Thanks Mirosalv.
I really appreciate your help

selinux-policy-3.9.16-34.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-34.fc15

Package selinux-policy-3.9.16-34.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-34.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-34.fc15
then log in and leave karma (feedback).

selinux-policy-3.9.16-34.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.