Bug 741718

Summary: SELinux errors for bounced messages from PostFix
Product: [Fedora] Fedora
Reporter: Daniel Scott <dan>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: unspecified
Priority: unspecified
Version: 15
CC: brovvnout+rh, cje, dwalsh
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-3.9.16-50.fc15
Doc Type: Bug Fix
Last Closed: 2012-01-17 20:25:07 UTC

Description Daniel Scott 2011-09-27 18:14:40 UTC
Description of problem:
Bounced mail messages are causing SELinux errors.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.16-38.fc15.noarch
postfix-2.8.4-2.fc15.i686

How reproducible:
Always

Steps to Reproduce:
1. Send mail with a problem which causes it to bounce
Actual results:

type=AVC msg=audit(1317146539.811:4502): avc:  denied  { getattr } for  pid=10794 comm="smtp" path="/var/spool/postfix/active/BF108C15DB" dev=dm-1 ino=792027 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1317146539.812:4503): avc:  denied  { read write } for  pid=10794 comm="smtp" name="BF108C15DB" dev=dm-1 ino=792027 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1317146540.841:4504): avc:  denied  { read write } for  pid=10861 comm="error" name="BF108C15DB" dev=dm-1 ino=792027 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1317146541.865:4505): avc:  denied  { search } for  pid=10862 comm="bounce" name="defer" dev=dm-1 ino=791984 scontext=system_u:system_r:postfix_bounce_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir


Expected results:
No errors

Additional info:

[root@fileserver2 ~]# ls -alZ /var/spool/postfix/active
drwx------. postfix root system_u:object_r:postfix_spool_t:s0 .
drwxr-xr-x. root    root system_u:object_r:postfix_spool_t:s0 ..
[root@fileserver2 ~]#

Comment 1 Miroslav Grepl 2011-10-05 06:05:26 UTC
Fixed in selinux-policy-3.9.16-43.fc15

Comment 2 Brownout 2011-11-12 10:23:57 UTC
Back in Fedora 16, selinux-policy-3.10.0-55.fc16.

Comment 3 Miroslav Grepl 2011-11-14 13:45:11 UTC
What AVC msgs are you getting on Fedora16?

Comment 4 Brownout 2011-11-14 20:13:51 UTC
[71787.375389] type=1400 audit(1321298612.799:110): avc:  denied  { getattr } for  pid=13271 comm="smtp" path="/var/spool/postfix/active/73444A1A4E" dev=dm-1 ino=662094 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
[71787.375581] type=1400 audit(1321298612.799:111): avc:  denied  { read write } for  pid=13271 comm="smtp" name="73444A1A4E" dev=dm-1 ino=662094 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
[71787.387752] type=1400 audit(1321298612.811:112): avc:  denied  { getattr } for  pid=13273 comm="smtp" path="/var/spool/postfix/active/7054CA1227" dev=dm-1 ino=660007 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
[71787.387835] type=1400 audit(1321298612.811:113): avc:  denied  { read write } for  pid=13273 comm="smtp" name="7054CA1227" dev=dm-1 ino=660007 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
[71787.613555] forcedeth 0000:00:0a.0: irq 49 for MSI/MSI-X
[71788.399338] type=1400 audit(1321298613.823:114): avc:  denied  { read write } for  pid=13337 comm="error" name="73444A1A4E" dev=dm-1 ino=662094 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
[71788.418050] type=1400 audit(1321298613.841:115): avc:  denied  { read write } for  pid=13338 comm="error" name="7054CA1227" dev=dm-1 ino=660007 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
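
Added example (not part of the original report, and not selinux-policy or audit tooling code): a small parser that groups AVC denials like the ones pasted above by source domain, target type and object class, so the distinct access gaps stand out from the repeated records. It accepts both the auditd form (type=AVC msg=audit(...)) and the dmesg form (type=1400 audit(...)); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Denials copied from this report (auditd and dmesg forms), plus the unrelated
# kernel line from comment 4, which the parser must skip.
SAMPLE = '''\
type=AVC msg=audit(1317146539.811:4502): avc:  denied  { getattr } for  pid=10794 comm="smtp" path="/var/spool/postfix/active/BF108C15DB" dev=dm-1 ino=792027 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
[71787.375581] type=1400 audit(1321298612.799:111): avc:  denied  { read write } for  pid=13271 comm="smtp" name="73444A1A4E" dev=dm-1 ino=662094 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
[71787.613555] forcedeth 0000:00:0a.0: irq 49 for MSI/MSI-X
[71788.399338] type=1400 audit(1321298613.823:114): avc:  denied  { read write } for  pid=13337 comm="error" name="73444A1A4E" dev=dm-1 ino=662094 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1317146541.865:4505): avc:  denied  { search } for  pid=10862 comm="bounce" name="defer" dev=dm-1 ino=791984 scontext=system_u:system_r:postfix_bounce_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
'''
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not a full AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None  # truncated record
    return {
        'perms': m.group(1).split(),
        'comm': fields.get('comm', '?'),
        # A context is user:role:type:level; the type is the third field.
        'source': fields['scontext'].split(':')[2],
        'target': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }

def summarize(text):
    """Group denials by (source type, target type, class) -> perms and comms."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set()})
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            g = groups[(d['source'], d['target'], d['tclass'])]
            g['perms'].update(d['perms'])
            g['comms'].add(d['comm'])
    return dict(groups)

def report(text):
    """One sorted line per group: source -> target:class { perms }  # comm: names."""
    return [f"{s} -> {t}:{c} {{ {' '.join(sorted(g['perms']))} }}  # comm: {', '.join(sorted(g['comms']))}"
            for (s, t, c), g in sorted(summarize(text).items())]

if __name__ == '__main__':
    print('\n'.join(report(SAMPLE)))
```
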

Comment 5 Miroslav Grepl 2011-11-15 09:03:17 UTC
I added fixes to F16.

Comment 6 Fedora Update System 2011-12-14 13:39:37 UTC
selinux-policy-3.9.16-50.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-50.fc15

Comment 7 Fedora Update System 2011-12-14 23:29:36 UTC
Package selinux-policy-3.9.16-50.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-50.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-17089/selinux-policy-3.9.16-50.fc15
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2012-01-17 20:25:07 UTC
selinux-policy-3.9.16-50.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.