Bug 742213

Summary: Error between postfix's local and ddclient cache directory
Product: [Fedora] Fedora Reporter: Martí­n Marqués <martin.marques>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 15CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.9.16-48.fc15 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-04 02:36:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Martí­n Marqués 2011-09-29 12:18:39 UTC 
Description of problem:

When executing ddclient I get this:

SELinux is preventing /usr/libexec/postfix/local from search access on the directory /var/cache/ddclient. For complete SELinux messages. run sealert -l 85b4b1b1-695a-45a8-a81f-f663f56bedbd

sealert -l says:

# sealert -l 85b4b1b1-695a-45a8-a81f-f663f56bedbd
SELinux is preventing /usr/libexec/postfix/local from search access on the directorio /var/cache/ddclient.

*****  Sugerencia de complemento catchall (100. confidence)  *****************

Siyou believe that local should be allowed search access on the ddclient directory by default.
Entoncesyou should report this as a bug.
You can generate a local policy module to allow this access.
Hacer
allow this access for now by executing:
# grep local /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Dominick Grift 2011-09-29 17:35:16 UTC 
what does sealert -l 85b4b1b1-695a-45a8-a81f-f663f56bedbd return?

I gather you can reproduce this issue? Could you try it in permissive mode and enclose all the avc denials you are seeing?

setenforce 0
<reproduce the error>
ausearch -m avc -ts recent
setenforce 1
Comment 2 Martí­n Marqués 2011-10-02 23:19:20 UTC 
This happend when I tried to send a mail with amavis down (postfix tried to connect to the local amavis  via tcp and couldn't connect cause it's not up.
postfix's bounce counldn't write to /var/spool/postfix/defer/C and also couldn't get lock /var/spool/postfix/defer/C/CCC0F13E50B1

Here's ausearch.

# ausearch -m avc -ts recent
----
time->Sun Oct  2 20:07:08 2011
type=SYSCALL msg=audit(1317596828.953:3663): arch=c000003e syscall=2 success=yes exit=13 a0=7f94f0356be0 a1=441 a2=180 a3=1 items=0 ppid=1647 pid=25679 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="bounce" exe="/usr/libexec/postfix/bounce" subj=system_u:system_r:postfix_bounce_t:s0 key=(null)
type=AVC msg=audit(1317596828.953:3663): avc:  denied  { append open } for  pid=25679 comm="bounce" name="CCC0F13E50B1" dev=sda3 ino=17419143 scontext=system_u:system_r:postfix_bounce_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1317596828.953:3663): avc:  denied  { create } for  pid=25679 comm="bounce" name="CCC0F13E50B1" scontext=system_u:system_r:postfix_bounce_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1317596828.953:3663): avc:  denied  { add_name } for  pid=25679 comm="bounce" name="CCC0F13E50B1" scontext=system_u:system_r:postfix_bounce_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1317596828.953:3663): avc:  denied  { write } for  pid=25679 comm="bounce" name="C" dev=sda3 ino=17419139 scontext=system_u:system_r:postfix_bounce_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
----
time->Sun Oct  2 20:07:09 2011
type=SYSCALL msg=audit(1317596829.069:3664): arch=c000003e syscall=73 success=yes exit=0 a0=d a1=6 a2=6 a3=0 items=0 ppid=1647 pid=25679 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="bounce" exe="/usr/libexec/postfix/bounce" subj=system_u:system_r:postfix_bounce_t:s0 key=(null)
type=AVC msg=audit(1317596829.069:3664): avc:  denied  { lock } for  pid=25679 comm="bounce" path="/var/spool/postfix/defer/C/CCC0F13E50B1" dev=sda3 ino=17419143 scontext=system_u:system_r:postfix_bounce_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
Comment 3 Miroslav Grepl 2011-10-03 08:42:42 UTC 
Fixed in selinux-policy-3.9.16-43.fc15
Comment 4 Fedora Update System 2011-11-16 16:18:25 UTC 
selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15
Comment 5 Fedora Update System 2011-11-17 23:36:46 UTC 
Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2011-12-04 02:36:42 UTC 
selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.