Bug 842065

Summary: SELinux is preventing /usr/libexec/postfix/cleanup from (getattr|getopt) access on the tcp_socket
Product: [Fedora] Fedora
Reporter: Anthony Messina <amessina>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: unspecified
Priority: unspecified
Version: 17
CC: dwalsh
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-08-01 18:22:26 UTC
Type: Bug

Description Anthony Messina 2012-07-21 15:20:59 UTC
When using OpenDKIM with Postfix and a socket of localhost:8891, I receive the following AVCs:

type=AVC msg=audit(1342882917.293:12089): avc:  denied  { getattr } for  pid=31420 comm="cleanup" laddr=127.0.0.1 lport=34042 faddr=127.0.0.1 fport=8891 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1342882917.293:12089): arch=x86_64 syscall=getsockname success=yes exit=0 a0=10 a1=7fff5f7626d0 a2=7fff5f7626cc a3=0 items=0 ppid=31413 pid=31420 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm=cleanup exe=/usr/libexec/postfix/cleanup subj=system_u:system_r:postfix_cleanup_t:s0 key=(null)

----

type=AVC msg=audit(1342882917.293:12090): avc:  denied  { getopt } for  pid=31420 comm="cleanup" laddr=127.0.0.1 lport=34042 faddr=127.0.0.1 fport=8891 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1342882917.293:12090): arch=x86_64 syscall=getsockopt success=yes exit=0 a0=10 a1=6 a2=2 a3=7fff5f762698 items=0 ppid=31413 pid=31420 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm=cleanup exe=/usr/libexec/postfix/cleanup subj=system_u:system_r:postfix_cleanup_t:s0 key=(null)
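
Added example, not part of the original report: a small triage script that pairs each AVC record above with its SYSCALL record by audit serial number and groups the denials into a candidate allow rule for review. The function names and the trimmed SYSCALL lines are constructed for this example, and the resulting rule is only what the records imply, not the policy change that was actually shipped.

```python
import re
from collections import defaultdict

# The two AVC records from this report, with their SYSCALL records trimmed
# to the fields used below (trimmed copies, constructed for this example).
SAMPLE = '''\
type=AVC msg=audit(1342882917.293:12089): avc:  denied  { getattr } for  pid=31420 comm="cleanup" laddr=127.0.0.1 lport=34042 faddr=127.0.0.1 fport=8891 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1342882917.293:12089): arch=x86_64 syscall=getsockname success=yes exit=0 pid=31420 comm=cleanup exe=/usr/libexec/postfix/cleanup
type=AVC msg=audit(1342882917.293:12090): avc:  denied  { getopt } for  pid=31420 comm="cleanup" laddr=127.0.0.1 lport=34042 faddr=127.0.0.1 fport=8891 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1342882917.293:12090): arch=x86_64 syscall=getsockopt success=yes exit=0 pid=31420 comm=cleanup exe=/usr/libexec/postfix/cleanup
'''

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
                    r"\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)")
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<rest>.*)")

def fields(text):
    """Split 'key=value key="value"' audit fields into a dict, dropping quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', text)}

def setype(context):
    """Return the type part of a user:role:type:level security context."""
    return context.split(":")[2]

def triage(log):
    """Return (rules, events): candidate allow rules and per-denial detail."""
    avcs, syscalls = [], {}
    for line in log.splitlines():
        if m := AVC_RE.match(line):
            avcs.append((m["serial"], m["perms"].split(), fields(m["rest"])))
        elif m := SYSCALL_RE.match(line):
            syscalls[m["serial"]] = fields(m["rest"])
    grouped, events = defaultdict(set), []
    for serial, perms, f in avcs:
        key = (setype(f["scontext"]), setype(f["tcontext"]), f["tclass"])
        grouped[key].update(perms)
        sc = syscalls.get(serial, {})
        # A logged denial whose syscall still succeeded was not enforced,
        # which matches a domain or system running in permissive mode.
        events.append({"serial": serial, "perms": perms, "syscall": sc.get("syscall"),
                       "not_enforced": sc.get("success") == "yes",
                       "peer": f'{f.get("faddr")}:{f.get("fport")}'})
    rules = [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
             for (s, t, c), p in grouped.items()]
    return rules, events

if __name__ == "__main__":
    rules, events = triage(SAMPLE)
    print("\n".join(rules))
    for e in events:
        print(e)
```

The target type in the grouped rule is `postfix_smtpd_t`, not a port or OpenDKIM type: the socket carries the label of the smtpd process while `cleanup` is the process calling `getsockname` and `getsockopt` on it.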

Comment 1 Daniel Walsh 2012-07-23 15:05:23 UTC
Are you seeing any breakage, or is this just a leak? Is there any reason for cleanup to use this TCP socket?

Comment 2 Anthony Messina 2012-07-23 15:54:41 UTC
I am in permissive mode with this one so it works.  I'm trying to use OpenDKIM which is running on 127.0.0.1:8891 as a milter, which is performed via Postfix's cleanup command -- man (8) cleanup.

Comment 3 Daniel Walsh 2012-07-23 15:57:51 UTC
Ok I allowed it in Rawhide.

Comment 4 Miroslav Grepl 2012-07-24 11:04:43 UTC
Added to F17.

Comment 5 Fedora Update System 2012-07-27 15:35:09 UTC
selinux-policy-3.10.0-142.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-142.fc17

Comment 6 Fedora Update System 2012-07-28 01:24:53 UTC
Package selinux-policy-3.10.0-142.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-142.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-11215/selinux-policy-3.10.0-142.fc17
then log in and leave karma (feedback).

Comment 7 Anthony Messina 2012-07-30 21:24:47 UTC
selinux-policy-3.10.0-142.fc17 fixes this issue.

Comment 8 Daniel Walsh 2012-07-31 15:21:14 UTC
Please update karma.

Comment 9 Anthony Messina 2012-07-31 21:30:09 UTC
I did, just before leaving the feedback here ;)

Bodhi: amessina - 2012-07-30 21:23:24

Comment 10 Miroslav Grepl 2012-08-01 08:02:19 UTC
Thank you.

Comment 11 Fedora Update System 2012-08-01 18:22:26 UTC
selinux-policy-3.10.0-142.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.