Bug 853453
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | SELinux vs .forward script on nfs | | |
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Brian Wheeler <bdwheele> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.3 | CC: | dwalsh, mgrepl, mmalik |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-166.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-02-21 08:28:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Brian Wheeler
2012-08-31 15:12:50 UTC
3 weeks and no response?

(In reply to comment #2)
> 3 weeks and no response?

Bugzilla is not a support tool and doesn't have a guaranteed response time. If this issue is critical or in any way time sensitive, please raise a ticket through your regular Red Hat support channels to make certain it receives the proper attention and prioritization to assure a timely resolution. For information on how to contact the Red Hat production support team, please visit: https://www.redhat.com/support/process/production/#howto

(In reply to comment #0)
> since the file resides on nfs there isn't any way to reset the context
> type...is there a magic setting for postfix that will let this go through?

The access is blocked in kernel by SELinux, no way to bypass in postfix. You can export the Code directory and mount it with option context (man mount) to force the context or you can use procmail (.procmailrc instead of .forward). CCing SELinux guys in case they have more info.

Just to be sure, could you attach AVC msgs?

```
# grep nfs_t /var/log/audit/audit.log
```

Here's the typical AVC:

```
type=AVC msg=audit(1348490756.116:1732984): avc: denied { execute } for pid=19174 comm="local" name="forwardbuildresults.sh" dev=0:17 ino=102400013 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
```

I know bugzilla isn't a support tool, but I was just surprised that nobody responded in 3 weeks...usually I've seen faster responses. Also, I can't really mess with the mount context without messing up other things at this point since I've used the booleans which allow nfs_t for the other services which are using data on this filesystem.

You can allow it using

```
# grep nfs_t /var/log/audit/audit.log | audit2allow -M mypostfix
# semodule -i mypostfix.pp
```

I was going to do that, but it kind of seemed like something that would have come up with other users -- and I wasn't sure if it would rate getting a boolean at some point, so I thought I'd report it.
I'll go and do it to keep my user happy.

Yes, we have

```
userdom_read_user_home_content_files(postfix_local_t)
userdom_exec_user_bin_files(postfix_local_t)
```

so it should also be available for NFS.

(In reply to comment #9)
> Yes, we have
>
> userdom_read_user_home_content_files(postfix_local_t)
> userdom_exec_user_bin_files(postfix_local_t)
>
> so it should be also available for NFS.

I'm afraid you've lost me...

Brian, basically this is a bug, we should allow it.

Ok, gotcha

Dan added it to Fedora. Will backport to RHEL6.4 soon.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html
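An added triage helper, not part of the bug report or of selinux-policy, that parses raw audit.log records and flags exactly the denial discussed in this thread (postfix_local_t executing an nfs_t file) while leaving other AVCs for separate review. The sample log is constructed from the AVC quoted above plus one unrelated denial; the remediation text echoes the options given in the thread.

```python
"""Triage audit.log for the postfix_local_t -> nfs_t execute denial."""
import re

# Constructed sample: the AVC quoted in the bug, its SYSCALL record,
# and an unrelated httpd denial on the same NFS mount.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1348490756.116:1732984): avc: denied { execute } for pid=19174 comm="local" name="forwardbuildresults.sh" dev=0:17 ino=102400013 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1348490756.116:1732984): arch=c000003e syscall=59 success=no exit=-13
type=AVC msg=audit(1348490800.001:1733001): avc: denied { read } for pid=2211 comm="httpd" name="index.html" dev=0:17 ino=1024 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # user:role:type:level -> the type is the third colon-separated field
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def is_forward_on_nfs(rec):
    """True for this bug's denial: the local delivery agent executing an nfs_t file."""
    return (rec['stype'] == 'postfix_local_t' and rec['ttype'] == 'nfs_t'
            and rec['tclass'] == 'file' and 'execute' in rec['perms'])


def triage(audit_text):
    """Return (matching_records, other_avc_records) from raw audit.log text."""
    recs = [r for r in map(parse_avc, audit_text.splitlines()) if r]
    hits = [r for r in recs if is_forward_on_nfs(r)]
    return hits, [r for r in recs if r not in hits]


if __name__ == '__main__':
    hits, others = triage(SAMPLE_AUDIT_LOG)
    for r in hits:
        print(f"postfix .forward on NFS denied: pid={r['pid']} name={r['name']}")
        print("  fixed in selinux-policy-3.7.19-166.el6 (RHBA-2013-0314); until then:")
        print("  mount with context= (man mount), use .procmailrc instead of .forward,")
        print("  or load a local module built with audit2allow as shown in the thread")
    print(f"{len(others)} other AVC record(s) need separate review")
```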