| Summary: | SELinux is preventing /usr/libexec/postfix/smtpd from 'create' accesses on the fichier 479544.2734. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Nicolas Mailhot <nicolas.mailhot> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:a087e8b9309d3c30a0b197960c352b7e638a8554dcfca9de57c67f40118c73e7 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-02-14 22:08:01 UTC | Type: | --- |
Never seen it create content in this directory before. Nicolas, did you intend to go to F18?

Is postfix smtpd supposed to create content in /var/spool/postfix

Or is your subdirs mislabeled.

restorecon -R -v /var/spool

(In reply to comment #1)
> Never seen it create content in this directory before. Nicolas, did you intend
> to go to F18?

I just stick to rawhide, that's where testing is most useful I think.

> Is postfix smtpd supposed to create content in /var/spool/postfix
>
> Or is your subdirs mislabeled.
>
> restorecon -R -v /var/spool

I certainly hope that if postfix smtpd writes files somewhere, that's in /var/spool/postfix (its spool dir).

That may be a side effect of the smtpd_proxy_options=speed_adjust I enabled yesterday while looking at amavisd/clamav interactions.

It's described in postfix docs as requiring the write of a temporary file in http://www.postfix.org/postconf.5.html#smtpd_proxy_options :

> NOTE 2: This feature increases the minimum amount of free queue space by
> $message_size_limit. The extra space is needed to save the message to a
> temporary file.

Looking at postfix error messages before I switched to permissive mode, I see errors like:

postfix/smtpd[2078]: warning: mail_queue_enter: create file incoming/95444.2078: Permission denied

so it does not create those files just anywhere in /var/spool/postfix, but only in /var/spool/postfix/incoming.

Ok, currently the policy allows reading/writing but not creating. I have no idea why not.

Fixed in selinux-policy-3.10.0-89.fc17.noarch

And Rawhide slows to a crawl after we branch. I think it would be better to test in F17 with updates-testing turned on until we ship beta. Most developers are working on F17 now and packages that get updated do not show up in F18 until they are released to F17 updates.

```
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.0-0.rc3.git5.1.fc17.x86_64
reason:         SELinux is preventing /usr/libexec/postfix/smtpd from 'create' accesses on the fichier 479544.2734.
time:           mar. 14 févr. 2012 21:21:59 CET

description:
:SELinux is preventing /usr/libexec/postfix/smtpd from 'create' accesses on the fichier 479544.2734.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that smtpd should be allowed create access on the 479544.2734 file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep smtpd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:postfix_smtpd_t:s0
:Target Context                system_u:object_r:postfix_spool_t:s0
:Target Objects                479544.2734 [ file ]
:Source                        smtpd
:Source Path                   /usr/libexec/postfix/smtpd
:Port                          <Inconnu>
:Host                          (removed)
:Source RPM Packages           postfix-2.9.0-2.fc18.x86_64
:Target RPM Packages
:Policy RPM                    selinux-policy-3.10.0-87.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.0-0.rc3.git5.1.fc17.x86_64 #1
:                              SMP Tue Feb 14 14:58:54 UTC 2012 x86_64 x86_64
:Alert Count                   2
:First Seen                    mar. 14 févr. 2012 20:17:36 CET
:Last Seen                     mar. 14 févr. 2012 20:30:01 CET
:Local ID                      1b3aa39f-69cf-4cf0-8b6f-c5c515bf2069
:
:Raw Audit Messages
:type=AVC msg=audit(1329247801.479:11765): avc: denied { create } for pid=2734 comm="smtpd" name="479544.2734" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1329247801.479:11765): arch=x86_64 syscall=open success=yes exit=EXDEV a0=7f9680f5b1e0 a1=c2 a2=0 a3=0 items=0 ppid=978 pid=2734 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm=smtpd exe=/usr/libexec/postfix/smtpd subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
:
:Hash: smtpd,postfix_smtpd_t,postfix_spool_t,file,create
:
:audit2allow
:
:#============= postfix_smtpd_t ==============
:allow postfix_smtpd_t postfix_spool_t:file create;
:
:audit2allow -R
:
:#============= postfix_smtpd_t ==============
:allow postfix_smtpd_t postfix_spool_t:file create;
:
```
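
How the raw AVC record in this report reduces to the rule shown under `audit2allow`, as an added example (not part of the bug report, and not audit2allow's own code). The function names and the second sample record are assumptions made for illustration; the object names are kept per rule so a reviewer can see which files were involved before accepting it.

```python
import re
from collections import defaultdict

# Record 1 is the AVC denial quoted in this report. Record 2 is CONSTRUCTED
# (pid and file name borrowed from the Postfix warning in the comments) to
# show repeated denials collapsing into one rule. Record 3 must be skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1329247801.479:11765): avc: denied { create } for pid=2734 comm="smtpd" name="479544.2734" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=AVC msg=audit(1329247000.000:11000): avc: denied { create } for pid=2078 comm="smtpd" name="95444.2078" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1329247801.479:11765): arch=x86_64 syscall=open comm=smtpd exe=/usr/libexec/postfix/smtpd
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
NAME_RE = re.compile(r'\bname="([^"]*)"')


def selinux_type(context):
    """Type field of a user:role:type[:level] context; the level may hold colons."""
    return context.split(":")[2]


def group_denials(audit_text):
    """Map (source type, target type, class) -> permissions and object names."""
    grouped = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in audit_text.splitlines():
        match = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if match is None:
            continue
        key = (selinux_type(match["scon"]), selinux_type(match["tcon"]), match["tclass"])
        grouped[key]["perms"].update(match["perms"].split())
        name = NAME_RE.search(line)
        if name:
            grouped[key]["names"].add(name.group(1))
    return dict(grouped)


def render_rules(grouped):
    """Format each group the way audit2allow prints an allow rule."""
    rules = []
    for (src, tgt, cls), info in sorted(grouped.items()):
        perms = sorted(info["perms"])
        text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules


if __name__ == "__main__":
    for rule in render_rules(group_denials(SAMPLE_AUDIT)):
        print(rule)
```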