Bug 769819
| Summary: | selinux-policy-targeted-3.7.19-126.el6_2.4.noarch breaks postfix | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jarno Huuskonen <jarno.huuskonen> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Priority: | unspecified |
| Version: | 6.2 | CC: | dwalsh, jskarvad, ksrot, mmalik, philipp |
| Target Milestone: | rc | Doc Type: | Bug Fix |
| Hardware: | All | OS: | Linux |
| Fixed In Version: | selinux-policy-3.7.19-135.el6 | Last Closed: | 2012-06-20 12:30:08 UTC |

I think something's wrong with /var/spool/postfix/{defer,deferred} contexts:
Fresh install of RH6.2 (selinux-policy-3.7.19-126.el6_2.4.noarch):
drwx------. postfix root system_u:object_r:postfix_spool_maildrop_t:s0 defer/
drwx------. postfix root system_u:object_r:postfix_spool_maildrop_t:s0 deferred/
Working postfix RH6.1 (selinux-policy-3.7.19-93.el6_1.7.noarch):
drwx------. postfix root system_u:object_r:postfix_spool_t:s0 defer/
drwx------. postfix root system_u:object_r:postfix_spool_t:s0 deferred/
And if I: grep postfix /etc/selinux/targeted/contexts/files/file_contexts
and diff the output from those two machines:
@@ -9,14 +9,17 @@
/var/spool/postfix/lib(64)?(/.*)? system_u:object_r:lib_t:s0
/var/spool/postfix/lib(64)?/ld.*\.so.* -- system_u:object_r:ld_so_t:s0
/var/spool/postfix/pid/.* system_u:object_r:postfix_var_run_t:s0
+/var/spool/postfix/defer(/.*)? system_u:object_r:postfix_spool_maildrop_t:s0
/var/spool/postfix/flush(/.*)? system_u:object_r:postfix_spool_flush_t:s0
/var/spool/postfix/public(/.*)? system_u:object_r:postfix_public_t:s0
/var/spool/postfix/bounce(/.*)? system_u:object_r:postfix_spool_bounce_t:s0
/var/spool/postfix/private(/.*)? system_u:object_r:postfix_private_t:s0
/etc/postfix/postfix-script.* -- system_u:object_r:postfix_exec_t:s0
+/var/spool/postfix/deferred(/.*)? system_u:object_r:postfix_spool_maildrop_t:s0
/var/spool/postfix/maildrop(/.*)? system_u:object_r:postfix_spool_maildrop_t:s0
/var/spool/postfix/postgrey(/.*)? system_u:object_r:postgrey_spool_t:s0
/usr/share/munin/plugins/postfix_mail.* -- system_u:object_r:munin_mail_plugin_exec_t:s0
+/usr/sbin/postcat -- system_u:object_r:postfix_master_exec_t:s0
/usr/sbin/postfix -- system_u:object_r:postfix_master_exec_t:s0
/usr/sbin/postlog -- system_u:object_r:postfix_master_exec_t:s0
/usr/sbin/postmap -- system_u:object_r:postfix_map_exec_t:s0
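
Review bot: the added `/var/spool/postfix/defer(/.*)?` and `/var/spool/postfix/deferred(/.*)?` entries assign postfix_spool_maildrop_t, the same type the unchanged `maildrop(/.*)?` line uses, so any relabel moves deferred queue files onto a type that the denials in this report show postfix_smtp_t and postfix_master_t cannot getattr, read or write. Suggest keeping both paths on postfix_spool_t, as in the 6.1 listing above, or shipping the matching allow rules for those domains in the same policy update.
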

This label was introduced in RHEL6.2.

Jarno, could you execute

# semanage permissive -a postfix_smtp_t
# semanage permissive -a postfix_master_t

which will make these domains permissive and it won't break anything. And your system will be in enforcing mode.

(In reply to comment #4)
> could you execute
>
> # semanage permissive -a postfix_smtp_t
> # semanage permissive -a postfix_master_t

I can do that, but I relabeled defer/deferred back to postfix_spool_t and that seems to work for now.

Also I tested this on a fresh 6.2 install:
1. disable outgoing port 25 connections with iptables
2. try to send email
3. postfix creates a file in /var/spool/postfix/deferred/0/04DD11ECE (-rwx------. postfix postfix system_u:object_r:postfix_spool_t:s0 04DD11ECE) (the directory is system_u:object_r:postfix_spool_maildrop_t:s0).
4. if I reenable outgoing connections -> the message is sent out just fine.

BUT if something relabels the 04DD11ECE to postfix_spool_maildrop_t (selinux policy updates? or manual restorecon -R -v) then:
type=AVC msg=audit(1325149007.615:19577): avc: denied { getattr } for pid=6734 comm="smtp" path="/var/spool/postfix/active/04DD11ECE" dev=dm-6 ino=7886 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1325149007.616:19578): avc: denied { read write } for pid=6734 comm="smtp" name="04DD11ECE" dev=dm-6 ino=7886 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1325149008.630:19579): avc: denied { read write } for pid=6735 comm="error" name="04DD11ECE" dev=dm-6 ino=7886 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

I'm also seeing similar problems:
----
time->Wed Jan 11 13:53:12 2012
type=SYSCALL msg=audit(1326318792.799:1335): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fffac4d6ba0 a2=6e a3=fffffffffffffff0 items=0 ppid=1721 pid=7377 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326318792.799:1335): avc: denied { search } for pid=7377 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 13:53:39 2012
type=SYSCALL msg=audit(1326318819.347:1336): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fffac4d6ba0 a2=6e a3=fffffffffffffff0 items=0 ppid=1721 pid=7377 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326318819.347:1336): avc: denied { search } for pid=7377 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 13:54:57 2012
type=SYSCALL msg=audit(1326318897.767:1337): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fffac4d6ba0 a2=6e a3=fffffffffffffff0 items=0 ppid=1721 pid=7377 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326318897.767:1337): avc: denied { search } for pid=7377 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 13:55:36 2012
type=SYSCALL msg=audit(1326318936.809:1338): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fffac4d6ba0 a2=6e a3=fffffffffffffff0 items=0 ppid=1721 pid=7377 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326318936.809:1338): avc: denied { search } for pid=7377 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 13:56:21 2012
type=SYSCALL msg=audit(1326318981.987:1339): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fffac4d6ba0 a2=6e a3=fffffffffffffff0 items=0 ppid=1721 pid=7377 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326318981.987:1339): avc: denied { search } for pid=7377 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 14:33:59 2012
type=SYSCALL msg=audit(1326321239.263:1381): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fffb4a44120 a2=6e a3=fffffffffffffff0 items=0 ppid=7556 pid=7585 auid=502 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=47 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326321239.263:1381): avc: denied { search } for pid=7585 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 15:18:29 2012
type=SYSCALL msg=audit(1326323909.822:1432): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fff8061d4e0 a2=6e a3=fffffffffffffff0 items=0 ppid=7556 pid=7674 auid=502 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=47 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326323909.822:1432): avc: denied { search } for pid=7674 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 15:19:29 2012
type=SYSCALL msg=audit(1326323969.708:1433): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fff8061d4e0 a2=6e a3=fffffffffffffff0 items=0 ppid=7556 pid=7674 auid=502 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=47 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326323969.708:1433): avc: denied { search } for pid=7674 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 15:20:19 2012
type=SYSCALL msg=audit(1326324019.664:1453): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fff8061d4e0 a2=6e a3=fffffffffffffff0 items=0 ppid=7556 pid=7674 auid=502 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=47 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326324019.664:1453): avc: denied { search } for pid=7674 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 15:20:31 2012
type=SYSCALL msg=audit(1326324031.372:1457): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fff8061d4e0 a2=6e a3=fffffffffffffff0 items=0 ppid=7556 pid=7674 auid=502 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=47 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326324031.372:1457): avc: denied { search } for pid=7674 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 15:24:26 2012
type=SYSCALL msg=audit(1326324266.216:1458): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fff20b90cd0 a2=6e a3=fffffffffffffff0 items=0 ppid=7556 pid=7733 auid=502 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=47 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326324266.216:1458): avc: denied { search } for pid=7733 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 15:28:34 2012
type=SYSCALL msg=audit(1326324514.148:1461): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=34d2ab0 a2=6e a3=7fff680bce80 items=0 ppid=7442 pid=7444 auid=502 uid=496 gid=494 euid=496 suid=496 fsuid=496 egid=494 sgid=494 fsgid=494 tty=(none) ses=47 comm="mimedefang.pl" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1326324514.148:1461): avc: denied { connectto } for pid=7444 comm="mimedefang.pl" path="/var/run/clamav/clamd.sock" scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:system_r:clamd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1326324514.148:1461): avc: denied { write } for pid=7444 comm="mimedefang.pl" name="clamd.sock" dev=dm-0 ino=2232540 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1326324514.148:1461): avc: denied { search } for pid=7444 comm="mimedefang.pl" name="clamav" dev=dm-0 ino=2232121 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 15:28:33 2012
type=SYSCALL msg=audit(1326324513.582:1460): arch=c000003e syscall=42 success=yes exit=0 a0=e a1=7fffd5ce7b90 a2=6e a3=fffffffffffffff0 items=0 ppid=7556 pid=7767 auid=502 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=47 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326324513.582:1460): avc: denied { connectto } for pid=7767 comm="smtpd" path="/var/spool/MIMEDefang/mimedefang.sock" scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:system_r:spamd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1326324513.582:1460): avc: denied { write } for pid=7767 comm="smtpd" name="mimedefang.sock" dev=dm-0 ino=2233041 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:spamd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1326324513.582:1460): avc: denied { search } for pid=7767 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 15:29:43 2012
type=SYSCALL msg=audit(1326324583.403:1462): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=34d2ab0 a2=6e a3=3f1a0d8 items=0 ppid=7442 pid=7444 auid=502 uid=496 gid=494 euid=496 suid=496 fsuid=496 egid=494 sgid=494 fsgid=494 tty=(none) ses=47 comm="mimedefang.pl" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1326324583.403:1462): avc: denied { connectto } for pid=7444 comm="mimedefang.pl" path="/var/run/clamav/clamd.sock" scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:system_r:clamd_t:s0 tclass=unix_stream_socket
----
time->Wed Jan 11 15:34:01 2012
type=SYSCALL msg=audit(1326324841.053:1472): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=34d2ab0 a2=6e a3=3f1a0e0 items=0 ppid=7442 pid=7444 auid=502 uid=496 gid=494 euid=496 suid=496 fsuid=496 egid=494 sgid=494 fsgid=494 tty=(none) ses=47 comm="mimedefang.pl" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1326324841.053:1472): avc: denied { write } for pid=7444 comm="mimedefang.pl" name="clamd.sock" dev=dm-0 ino=2232540 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=sock_file
----
time->Wed Jan 11 15:37:58 2012
type=SYSCALL msg=audit(1326325078.976:1491): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=34d2ab0 a2=6e a3=3f1a0d8 items=0 ppid=7442 pid=7444 auid=502 uid=496 gid=494 euid=496 suid=496 fsuid=496 egid=494 sgid=494 fsgid=494 tty=(none) ses=47 comm="mimedefang.pl" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1326325078.976:1491): avc: denied { search } for pid=7444 comm="mimedefang.pl" name="clamav" dev=dm-0 ino=2232121 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 15:37:58 2012
type=SYSCALL msg=audit(1326325078.802:1490): arch=c000003e syscall=42 success=yes exit=0 a0=d a1=7ffff86225d0 a2=6e a3=7ffff86222f0 items=0 ppid=7556 pid=8093 auid=502 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=47 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326325078.802:1490): avc: denied { connectto } for pid=8093 comm="smtpd" path="/var/spool/MIMEDefang/mimedefang.sock" scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:system_r:spamd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1326325078.802:1490): avc: denied { write } for pid=8093 comm="smtpd" name="mimedefang.sock" dev=dm-0 ino=2233041 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:spamd_var_run_t:s0 tclass=sock_file
which audit2allow tells me should be:
module spamd 1.0;

require {
	type clamd_var_run_t;
	type clamd_t;
	type spamd_t;
	type postfix_smtpd_t;
	type spamd_var_run_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class dir search;
}

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t spamd_t:unix_stream_socket connectto;
allow postfix_smtpd_t spamd_var_run_t:dir search;
allow postfix_smtpd_t spamd_var_run_t:sock_file write;

#============= spamd_t ==============
allow spamd_t clamd_t:unix_stream_socket connectto;
allow spamd_t clamd_var_run_t:dir search;
allow spamd_t clamd_var_run_t:sock_file write;
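
An added example, not part of the original report or of any SELinux tooling: it groups AVC denials like the ones quoted above by source type, target type and class, and pairs each with the SYSCALL record sharing its audit event id to tell a denial that blocked the call (`success=no`) from one that was only logged (`success=yes`). The function names are hypothetical and the sample records are abridged from this report.

```python
import re
from collections import defaultdict

# Abridged from the audit excerpts in this report; unused fields were dropped.
SAMPLE = """\
type=SYSCALL msg=audit(1326318792.799:1335): arch=c000003e syscall=42 success=no exit=-13 comm="smtpd"
type=AVC msg=audit(1326318792.799:1335): avc: denied { search } for pid=7377 comm="smtpd" name="MIMEDefang" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1326324513.582:1460): arch=c000003e syscall=42 success=yes exit=0 comm="smtpd"
type=AVC msg=audit(1326324513.582:1460): avc: denied { connectto } for pid=7767 comm="smtpd" path="/var/spool/MIMEDefang/mimedefang.sock" scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:system_r:spamd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1326324513.582:1460): avc: denied { search } for pid=7767 comm="smtpd" name="MIMEDefang" scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1325149007.616:19578): avc: denied { read write } for pid=6734 comm="smtp" name="04DD11ECE" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
"""

EVENT = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
SUCCESS = re.compile(r"\bsuccess=(yes|no)\b")
AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")


def se_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def summarize(log_text):
    """Group AVC denials by (source type, target type, class). The outcome is
    "blocked" if the paired SYSCALL failed, "allowed" if it succeeded despite
    the denial (permissive), "unknown" if no SYSCALL record was captured."""
    lines = log_text.splitlines()
    outcome = {}
    for line in lines:  # pass 1: syscall result per audit event id
        ev, ok = EVENT.search(line), SUCCESS.search(line)
        if line.startswith("type=SYSCALL") and ev and ok:
            outcome[ev.group(1)] = "allowed" if ok.group(1) == "yes" else "blocked"
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "outcomes": set()})
    for line in lines:  # pass 2: the denials themselves
        ev, avc = EVENT.search(line), AVC.search(line)
        if not (ev and avc):
            continue
        perms, scon, tcon, tclass = avc.groups()
        g = groups[(se_type(scon), se_type(tcon), tclass)]
        g["perms"].update(perms.split())
        g["count"] += 1
        g["outcomes"].add(outcome.get(ev.group(1), "unknown"))
    return dict(groups)


def allow_rules(groups):
    """Render each group as an allow rule (braces are valid for one permission)."""
    return sorted(
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(g["perms"])))
        for (s, t, c), g in groups.items()
    )


if __name__ == "__main__":
    found = summarize(SAMPLE)
    for key in sorted(found):
        print(key, found[key]["count"], sorted(found[key]["outcomes"]))
    print("\n".join(allow_rules(found)))
```

The rendered rules show what the log is asking for, not what should be granted: the spool-file denials in this bug were closed with an updated selinux-policy package rather than a local module.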

Fixed in selinux-policy-3.7.19-135.el6

(In reply to comment #7)
> Fixed in selinux-policy-3.7.19-135.el6

Where's the koji build?

We don't build RHEL in koji.

http://people.redhat.com/dwalsh/SELinux/RHEL6

Will contain the latest packages for SELinux on RHEL.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html

Description of problem:
After updating from selinux-policy-targeted-3.7.19-93.el6_1.7.noarch to selinux-policy-targeted-3.7.19-126.el6_2.4.noarch postfix mail delivery fails.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-126.el6_2.4
selinux-policy-targeted-3.7.19-126.el6_2.4

How reproducible:
After downgrading to selinux-policy-targeted-3.7.19-93.el6_1.7 didn't want to try second time.

Steps to Reproduce:
1. queue some mail in postfix queues
2. update selinux-policy and selinux-policy-targeted
3. try to resend the queued messages: postfix -i <QUEUEID>

Actual results:
selinux denied messages in audit logs:
type=AVC msg=audit(1324550512.761:2656736): avc: denied { getattr } for pid=9241 comm="lmtp" path="/var/spool/postfix/active/3042626BE" dev=dm-3 ino=9918 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1324550512.763:2656737): avc: denied { read write } for pid=9241 comm="lmtp" name="3042626BE" dev=dm-3 ino=9918 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1324550513.040:2656756): avc: denied { getattr } for pid=9254 comm="smtp" path="/var/spool/postfix/active/625E4C37" dev=dm-3 ino=3127 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1324550513.779:2656758): avc: denied { read write } for pid=9259 comm="error" name="3B9BD4144" dev=dm-3 ino=16708 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1324550513.789:2656759): avc: denied { read write } for pid=9260 comm="error" name="334D8417E" dev=dm-3 ino=16766 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1324550513.801:2656760): avc: denied { read write } for pid=9261 comm="error" name="316713231" dev=dm-3 ino=12849 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

Expected results:
Selinux-policy shouldn't break postfix mailflow.

Additional info: