Bug 799818

Summary: SELinux policy missing postfix /dev/log fcontext in chroot
Product: Fedora
Reporter: Scott Shambarger <scott-fedora>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: unspecified
Priority: unspecified
Version: 16
CC: dwalsh
Keywords: Reopened
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-3.10.0-84.fc16
Doc Type: Bug Fix
Last Closed: 2012-04-22 03:35:15 UTC

Description Scott Shambarger 2012-03-05 06:31:25 UTC
Description of problem:
selinux-policy-targeted-3.10.0 is missing correct fcontext for /dev

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-75
selinux-policy-targeted-3.10.0

How reproducible:
Anytime postfix logs to /dev/log

Steps to Reproduce:
1. Install postfix with chroot enabled
2. Create /var/spool/postfix/dev/log socket via rsyslog config
3. Enable selinux
4. Attempt any postfix functions that require syslog

Additional info:

Present in /etc/selinux/targeted/contexts/files/file_contexts
/dev/log        -s      system_u:object_r:devlog_t:s0

Missing in /etc/selinux/targeted/contexts/files/file_contexts.subs
/var/spool/postfix/dev /dev

Comment 1 Miroslav Grepl 2012-03-05 10:09:33 UTC
This needs to be fixed in the policy.


commit 8683310d35496b28051affa3ea55b87df4709da3
Author: Miroslav Grepl <mgrepl>
Date:   Mon Mar 5 12:08:34 2012 +0000

    Add labeling for /var/spool/postfix/dev/log
        * support postfix chroot

Comment 2 Fedora Update System 2012-03-13 12:25:19 UTC
selinux-policy-3.10.0-80.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-80.fc16

Comment 3 Scott Shambarger 2012-03-13 13:29:06 UTC
Tried the new policy.  A few problems.

1) rsyslog doesn't appear to create the log file with the correct context:

# ls -lZ /var/spool/postfix/dev:
srw-rw-rw-. root root system_u:object_r:var_log_t:s0   log

This appears to be related to these entries in /etc/selinux/targeted/contexts/files/file_contexts:

/var/spool/postfix/dev  -d      system_u:object_r:var_log_t:s0
/var/spool/postfix/dev/log      -s      system_u:object_r:devlog_t:s0

If, after starting rsyslog, I run restorecon on /var/spool/postfix/dev, the log file is marked devlog_t as expected.

If I mark /var/spool/postfix/dev as device_t, and restart rsyslog, dev/log is created as devlog_t as expected.

Is there a reason why the /var/spool/postfix/dev directory wasn't marked as device_t?

2) because /var/spool/postfix/dev is var_log_t, I need to add rules to give rsyslog the ability to create sockets in that directory type (not required if it's device_t, and probably not a good thing to require):

allow syslogd_t var_log_t:sock_file { create setattr unlink };

3) Regardless of (2), I also need to add the following so that rsyslog can find the /var/spool/postfix/dev directory:

allow syslogd_t postfix_spool_t:dir search;
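
An added example (not part of this report or of the selinux-policy project) that models the lookup the reporter is relying on: a small Python file_contexts matcher with file_contexts.subs prefix rewriting, run over the entries and the `ls -lZ` line quoted above, so that the mislabelled socket shows up as a mismatch. The sample entries, the postfix_spool_t glob and the observed labels are constructed from the comments; the precedence rule is a simplification of libselinux's.

```python
import re

# Constructed sample modelled on the entries quoted in this report (the -80 policy),
# plus the usual postfix_spool_t glob so that precedence between entries is visible.
FILE_CONTEXTS = """
/dev/log                   -s  system_u:object_r:devlog_t:s0
/var/spool/postfix(/.*)?       system_u:object_r:postfix_spool_t:s0
/var/spool/postfix/dev     -d  system_u:object_r:var_log_t:s0
/var/spool/postfix/dev/log -s  system_u:object_r:devlog_t:s0
"""
# The line the reporter expected to find in file_contexts.subs (constructed sample).
SUBS = "/var/spool/postfix/dev /dev\n"
FLAGS = {"--": "file", "-d": "dir", "-s": "sock", "-c": "chr", "-b": "blk", "-l": "lnk", "-p": "fifo"}

def parse_file_contexts(text):
    """Return (regex, file type or None, context) triples in file order."""
    entries = []
    for parts in (line.split() for line in text.splitlines()):
        if not parts or parts[0].startswith("#"):
            continue
        ftype = FLAGS[parts[1]] if len(parts) == 3 else None
        entries.append((parts[0], ftype, parts[-1]))
    return entries

def apply_subs(path, subs_text):
    """file_contexts.subs rewrites a path prefix before the regex lookup."""
    for parts in (line.split() for line in subs_text.splitlines()):
        if len(parts) == 2 and (path == parts[0] or path.startswith(parts[0] + "/")):
            return parts[1] + path[len(parts[0]):]
    return path

def match_context(path, ftype, entries, subs_text=""):
    """Simplified matchpathcon: longest literal prefix among matching entries wins."""
    path, best = apply_subs(path, subs_text), None
    for regex, want, ctx in entries:
        if want not in (None, ftype) or not re.fullmatch(regex, path):
            continue
        meta = re.search(r"[.*+?()\[\]{}|\\]", regex)
        score = len(regex) if meta is None else meta.start()
        if best is None or score >= best[0]:   # later entries win ties
            best = (score, ctx)
    return best and best[1]

def audit(observed, entries, subs_text=""):
    """Return (path, actual, expected) for each object whose label needs restorecon."""
    expected = {p: match_context(p, t, entries, subs_text) for p, t, _ in observed}
    return [(p, a, expected[p]) for p, _, a in observed if expected[p] != a]

OBSERVED = [  # what comment 3 reports, constructed from the quoted `ls -lZ` output
    ("/var/spool/postfix/dev", "dir", "system_u:object_r:var_log_t:s0"),
    ("/var/spool/postfix/dev/log", "sock", "system_u:object_r:var_log_t:s0")]
```

On a live host the equivalent check is `matchpathcon -V /var/spool/postfix/dev/log` (libselinux's real matcher), and `restorecon -Rv /var/spool/postfix/dev` applies the policy's label, as the reporter did in comment 3.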

Comment 4 Miroslav Grepl 2012-03-13 13:38:58 UTC
No, this is copy/paste issue. I need to fix it.

Comment 5 Fedora Update System 2012-03-21 02:24:23 UTC
Package selinux-policy-3.10.0-80.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-80.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-80.fc16
then log in and leave karma (feedback).

Comment 6 Scott Shambarger 2012-03-21 04:26:36 UTC
The package listed above is still the same package referenced in comment #2, which has the problems listed in comment #3.  I don't want to ruin the karma of the release with a down-vote, but it clearly doesn't fix this bug...

Comment 7 Miroslav Grepl 2012-03-21 07:32:16 UTC
Yes, it does not.

Comment 8 Fedora Update System 2012-03-24 00:36:32 UTC
selinux-policy-3.10.0-80.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Scott Shambarger 2012-03-24 02:54:59 UTC
Not sure why this was closed; as mentioned above, the bug is NOT fixed in 3.10.0-80.

Comment 10 Miroslav Grepl 2012-03-26 09:55:17 UTC
I did not remove it from the update in bodhi.

Comment 11 Scott Shambarger 2012-04-15 05:21:41 UTC
Any update on this bug?

Comment 12 Miroslav Grepl 2012-04-16 08:34:25 UTC
commit 41088c95d3a99d6e85fcd77ce250ebfdfe4ae9c4
Author: Miroslav Grepl <mgrepl>
Date:   Mon Apr 16 10:32:24 2012 +0000

    Allow syslogd to search postfix spool to support postfix with chroot enabled

commit 642f67bc0b272dd2d56fcf7c40bea8f1fc866f5b
Author: Miroslav Grepl <mgrepl>
Date:   Mon Apr 16 10:30:02 2012 +0000

    Fix labeling for /var/spool/postfix/dev


----

This is going to be fixed in selinux-policy-3.10.0-84.fc16.

Comment 13 Fedora Update System 2012-04-18 12:53:05 UTC
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16

Comment 14 Scott Shambarger 2012-04-18 20:38:27 UTC
selinux-policy-3.10.0-84.fc16 fixes the problem.  Both postfix and rsyslog work as expected.  Thanks!

Comment 15 Fedora Update System 2012-04-22 03:35:15 UTC
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.