| Summary: | SELinux prevents postfix smtp from writing to /dev/log | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Daniel Smith <dsmith> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.2 | CC: | dwalsh, mmalik |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-01-11 21:14:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
The problem is /dev/log is mislabeled. Were you playing around with the syslog program running it by hand?

(In reply to comment #2)
> The problem is /dev/log is mislabeled. Were you playing around with the syslog
> program running it by hand?

In the process of troubleshooting this issue I stopped and started the syslog-ng process a few times. Otherwise, however, I haven't made any changes to /dev/log. Might that have been the cause? What should the label on /dev/log be? Thanks!

matchpathcon says that /dev/log should be labelled devlog_t:

```
# matchpathcon /dev/log
/dev/log system_u:object_r:devlog_t:s0
```

and selinux-policy-targeted contains a rule which allows a process running as postfix_smtpd_t to write into a socket file which is labelled devlog_t:

```
# sesearch -s postfix_smtpd_t -t devlog_t -c sock_file -p write --allow
Found 1 semantic av rules:
   allow postfix_smtpd_t devlog_t : sock_file { write getattr append open } ;
```
Daniel, what does

```
$ ps -eZ | grep syslog
```

If you execute

```
$ restorecon -R -v /dev/log
```

it will fix it.

(In reply to comment #5)
> Daniel,
> what does
>
> $ ps -eZ | grep syslog
>
> If you execute
>
> $ restorecon -R -v /dev/log
>
> it will fix it.

So, upon executing restorecon -R -v /dev/log, we found that indeed the context changed to system_u:object_r:devlog_t:s0. Apparently our installation of syslog-ng had inappropriate contexts, as syslog had the context system_u:system_r:initrc_t. We've since replaced our installation of syslog with an appropriate one that has the proper context. Thank you all for your time and help.
Description of problem:

Under normal conditions the postfix smtp process logs each message sent and received to the server by writing to /dev/log. However, due to SELinux policies, smtp is denied permission to write to /dev/log:

```
type=AVC msg=audit(1326226879.466:26702): avc: denied { write } for pid=2551 comm="smtpd" name="log" dev=devtmpfs ino=11115 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1326226879.466:26702): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7f9c96e321a0 a2=6e a3=1 items=0 ppid=1508 pid=2551 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
```

As a result, no records of sent or received messages are sent. No postfix processes are running chrooted.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-126.el6_2.4

How reproducible:
Basic installation of rhel 6.2 and postfix.

Steps to Reproduce:
1. Install rhel 6.2
2. Install postfix and configure for basic mailserver.

Actual results:
Mail logs are bare and contain only messages from more privileged postfix processes, such as postsuper.

Expected results:
Mail logs should contain messages from smtp as well, to record mails sent and received.
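The diagnosis in this ticket turns on one comparison: the `tcontext` type in the AVC record (`device_t`) versus the type the file-context specification assigns to `/dev/log` (`devlog_t`, per `matchpathcon`). When those differ, the fix is a relabel (`restorecon`), not a new allow rule; when they match, the denial is a real policy gap. The script below is an added example, not part of the bug report or of selinux-policy: it parses `type=AVC ... denied` records from an audit log, skips other record types, and classifies each denial as "mislabeled" or "policy" against a table of expected target types. The first two records of the sample are the ones quoted in the description; the third record and the expected-type table are constructed for the example (on a real host, the expected type comes from `matchpathcon <path>`, the file-context spec, never from `ls -Z`, which only shows the current and possibly wrong label).

```python
import re
from dataclasses import dataclass

# Constructed sample audit log. The AVC and SYSCALL records are the ones quoted
# in the bug description; the last record is invented and targets a file that
# already carries its expected label, to exercise the other branch.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1326226879.466:26702): avc: denied { write } for pid=2551 comm="smtpd" name="log" dev=devtmpfs ino=11115 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1326226879.466:26702): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7f9c96e321a0 a2=6e a3=1 items=0 ppid=1508 pid=2551 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326226900.123:26710): avc: denied { read } for pid=2600 comm="smtpd" name="example.map" dev=dm-0 ino=4242 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
"""

# Expected target types keyed by the (dev, name) pair that appears in the AVC
# record. Constructed for this example; in practice populate it from the
# output of `matchpathcon <path>` for each path of interest.
EXPECTED_TYPE = {
    ("devtmpfs", "log"): "devlog_t",
    ("dm-0", "example.map"): "postfix_etc_t",
}

# Matches the fixed prefix of a denial record; tolerates the single or double
# spaces that auditd emits around "denied".
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$"
)
# key=value pairs; values are either double-quoted (comm="smtpd") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    serial: int
    perms: list
    fields: dict

    def ctx_type(self, key):
        # A context is user:role:type:level; the type is the third component.
        return self.fields[key].split(":")[2]


def parse_avc(line):
    """Parse one `type=AVC ... denied` record; return None for any other record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    return AvcDenial(int(m.group("serial")), m.group("perms").split(), fields)


def diagnose(denial, expected_type):
    """Decide whether a denial is a labeling problem or a genuine policy gap."""
    actual = denial.ctx_type("tcontext")
    expected = expected_type.get((denial.fields.get("dev"), denial.fields.get("name")))
    result = {"serial": denial.serial, "source": denial.ctx_type("scontext"),
              "perms": denial.perms, "actual": actual, "expected": expected}
    if expected is not None and expected != actual:
        # The object does not carry the type the file-context spec assigns:
        # relabel it rather than loosening policy.
        result.update(verdict="mislabeled", remedy="restorecon -R -v <path>")
    else:
        # Label is as specified (or unknown): the policy itself lacks the rule.
        result.update(verdict="policy", remedy="inspect with sesearch / audit2allow -w")
    return result


def diagnose_log(text, expected_type=EXPECTED_TYPE):
    """Classify every AVC denial in an audit log, ignoring non-AVC records."""
    results = []
    for line in text.splitlines():
        denial = parse_avc(line)
        if denial is not None:
            results.append(diagnose(denial, expected_type))
    return results


if __name__ == "__main__":
    for verdict in diagnose_log(SAMPLE_AUDIT_LOG):
        print(verdict)
```

For the record quoted in this ticket the script reports `mislabeled` with actual `device_t` and expected `devlog_t`, which is exactly the conclusion reached in the comments: the allow rule for `postfix_smtpd_t` on `devlog_t` already exists, so `restorecon` on `/dev/log` is the correct remedy and no local policy module should be written.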