Bug 801459

Summary: new files in /var/mail are created with quota_db_t context instead of mail_spool_t context
Product: Red Hat Enterprise Linux 7
Reporter: Ales Zelinka <azelinka>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: medium
Version: 7.0
CC: mmalik
Target Milestone: beta
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-03-08 15:45:29 UTC

Description Ales Zelinka 2012-03-08 15:25:16 UTC
Description of problem:
New files in /var/mail/ are created with object_r:quota_db_t context instead of object_r:mail_spool_t. Mail to these users then gets bounced.

$ useradd someuser
$ ls -laZ /var/mail/
drwxrwxr-x. root     mail system_u:object_r:mail_spool_t:s0 .
drwxr-xr-x. root     root system_u:object_r:var_spool_t:s0 ..
-rw-------. root     mail system_u:object_r:mail_spool_t:s0 root
-rw-rw----. rpc      mail system_u:object_r:mail_spool_t:s0 rpc
-rw-rw----. someuser mail unconfined_u:object_r:quota_db_t:s0 someuser
-rw-rw----. test     mail system_u:object_r:mail_spool_t:s0 test


restorecon fixes the issue:

$ restorecon -Rv /var/mail/
restorecon reset /var/spool/mail/someuser context unconfined_u:object_r:quota_db_t:s0->unconfined_u:object_r:mail_spool_t:s0
$ ls -laZ /var/mail/
drwxrwxr-x. root     mail system_u:object_r:mail_spool_t:s0 .
drwxr-xr-x. root     root system_u:object_r:var_spool_t:s0 ..
-rw-r--r--. root     root unconfined_u:object_r:mail_spool_t:s0 newfile
-rw-------. root     mail system_u:object_r:mail_spool_t:s0 root
-rw-rw----. rpc      mail system_u:object_r:mail_spool_t:s0 rpc
-rw-rw----. someuser mail unconfined_u:object_r:mail_spool_t:s0 someuser
-rw-rw----. test     mail system_u:object_r:mail_spool_t:s0 test



Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-56.el7.noarch
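The mislabeling the report shows can be checked for without touching the spool: the script below is an added example (it is not part of the bug report and not selinux-policy code) that reads an `ls -laZ` listing of a mail spool and reports every regular file whose SELinux type is not `mail_spool_t`, the condition under which mail delivery to that user bounces. It locates the context column by its `user:role:type:level` shape rather than by position, so the five-column layout in the report and the wider layout of newer coreutils (which adds link count, size and date columns) are both handled. The sample listings embedded in the block are constructed copies of the reporter's before and after output.

```shell
#!/bin/sh
# Added example, not code from the bug report: audit an `ls -laZ` listing
# of a mail spool for regular files whose SELinux type is not the expected one.
#
# Live usage:   ls -laZ /var/mail/ | check_spool_contexts mail_spool_t
# Here it runs over constructed samples copied from the report.

# check_spool_contexts EXPECTED_TYPE
# Reads an `ls -laZ`-style listing on stdin and prints "name type" for every
# regular file whose type differs from EXPECTED_TYPE. Returns 1 if any
# mismatch was found, 0 otherwise. File names containing spaces are not
# handled (the name is taken as the last whitespace-separated field).
check_spool_contexts() {
    awk -v want="$1" '
        # directory entries ("." and "..") carry their own labels; skip them
        $1 ~ /^d/ { next }
        {
            ctx = ""
            # find the context column by shape: user:role:type:level
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+:/) { ctx = $i; break }
            if (ctx == "") next
            split(ctx, part, ":")
            # part[3] is the SELinux type (e.g. mail_spool_t or quota_db_t)
            if (part[3] != want) { print $NF, part[3]; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Constructed sample: the listing from the report before restorecon was run.
SAMPLE_BEFORE='drwxrwxr-x. root     mail system_u:object_r:mail_spool_t:s0 .
drwxr-xr-x. root     root system_u:object_r:var_spool_t:s0 ..
-rw-------. root     mail system_u:object_r:mail_spool_t:s0 root
-rw-rw----. rpc      mail system_u:object_r:mail_spool_t:s0 rpc
-rw-rw----. someuser mail unconfined_u:object_r:quota_db_t:s0 someuser
-rw-rw----. test     mail system_u:object_r:mail_spool_t:s0 test'

# Constructed sample: the listing from the report after restorecon was run.
SAMPLE_AFTER='drwxrwxr-x. root     mail system_u:object_r:mail_spool_t:s0 .
drwxr-xr-x. root     root system_u:object_r:var_spool_t:s0 ..
-rw-r--r--. root     root unconfined_u:object_r:mail_spool_t:s0 newfile
-rw-------. root     mail system_u:object_r:mail_spool_t:s0 root
-rw-rw----. rpc      mail system_u:object_r:mail_spool_t:s0 rpc
-rw-rw----. someuser mail unconfined_u:object_r:mail_spool_t:s0 someuser
-rw-rw----. test     mail system_u:object_r:mail_spool_t:s0 test'

# Run the check over the "before" sample; the mislabeled file is printed
# as "someuser quota_db_t" and the function returns 1.
if printf '%s\n' "$SAMPLE_BEFORE" | check_spool_contexts mail_spool_t; then
    echo "all regular files in the sample carry mail_spool_t"
else
    echo "mislabeled spool files found (listed above)"
fi
```

On a live host the same check is available without parsing anything: `restorecon -nRv /var/mail/` lists the files whose label differs from the policy's file-context specification without changing them, and dropping `-n` applies the fix the reporter used.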

Comment 1 Daniel Walsh 2012-03-08 15:45:29 UTC
This is fixed in the latest selinux policy in F17, which is what I wish you were testing, rather than something that has been fixed in F16 for quite a while.