Bug 1015951 - httpd_t AVC denials of postfix
Summary: httpd_t AVC denials of postfix
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 19
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-10-07 06:21 UTC by Warren Togami
Modified: 2013-10-22 05:05 UTC (History)
1 user (show)

Fixed In Version: selinux-policy-3.12.1-74.10.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-22 05:05:22 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Warren Togami 2013-10-07 06:21:02 UTC 
Description of problem:
nginx with php-fpm (httpd_t) application runs /usr/sbin/sendmail to send outgoing mail.  I was surprised to find a great many AVC denials with postfix and httpd_t as this is a fairly common server configuration.  Perhaps there should be some kind of boolean for this?

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-74.8.fc19.noarch
php-fpm-5.5.4-1.fc19.x86_64
nginx-1.4.2-1.fc19.x86_64

type=AVC msg=audit(1381120734.077:222): avc:  denied  { write } for  pid=5597 comm="postdrop" name="maildrop" dev="vda1" ino=6686100 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1381120734.077:222): avc:  denied  { add_name } for  pid=5597 comm="postdrop" name="77376.5597" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1381120734.077:222): avc:  denied  { create } for  pid=5597 comm="postdrop" name="77376.5597" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1381120734.077:222): avc:  denied  { read write open } for  pid=5597 comm="postdrop" path="/var/spool/postfix/maildrop/77376.5597" dev="vda1" ino=6706301 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1381122059.229:278): avc:  denied  { remove_name } for  pid=6099 comm="postdrop" name="229172.6099" dev="vda1" ino=6695755 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1381122059.229:278): avc:  denied  { rename } for  pid=6099 comm="postdrop" name="229172.6099" dev="vda1" ino=6695755 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1381122124.069:288): avc:  denied  { write } for  pid=7704 comm="postdrop" name="pickup" dev="vda1" ino=6684900 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=sock_file
type=AVC msg=audit(1381120734.077:223): avc:  denied  { getattr } for  pid=5597 comm="postdrop" path="/var/spool/postfix/maildrop/77376.5597" dev="vda1" ino=6706301 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1381120734.077:224): avc:  denied  { remove_name } for  pid=5597 comm="postdrop" name="77376.5597" dev="vda1" ino=6706301 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1381120734.077:224): avc:  denied  { rename } for  pid=5597 comm="postdrop" name="77376.5597" dev="vda1" ino=6706301 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1381120734.077:225): avc:  denied  { setattr } for  pid=5597 comm="postdrop" name="12F6966547D" dev="vda1" ino=6706301 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1381124660.664:320): avc:  denied  { remove_name } for  pid=24591 comm="postdrop" name="666047.24591" dev="vda1" ino=6692534 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1381125407.259:383): avc:  denied  { getattr } for  pid=3261 comm="postdrop" path="/var/spool/postfix/public/pickup" dev="vda1" ino=6684900 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=sock_file
type=AVC msg=audit(1381125407.260:384): avc:  denied  { connectto } for  pid=3261 comm="postdrop" path="/var/spool/postfix/public/pickup" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1381125407.251:380): avc:  denied  { read } for  pid=3260 comm="sendmail" name="main.cf" dev="vda1" ino=2632128 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=AVC msg=audit(1381125407.251:380): avc:  denied  { open } for  pid=3260 comm="sendmail" path="/etc/postfix/main.cf" dev="vda1" ino=2632128 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=AVC msg=audit(1381125407.251:381): avc:  denied  { getattr } for  pid=3260 comm="sendmail" path="/etc/postfix/main.cf" dev="vda1" ino=2632128 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=AVC msg=audit(1381125407.252:382): avc:  denied  { search } for  pid=3260 comm="sendmail" name="postfix" dev="vda1" ino=6686088 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
Comment 1 Warren Togami 2013-10-07 06:40:49 UTC 
These additional denials appeared only after I enabled enforcing mode.

type=AVC msg=audit(1381127049.290:432): avc:  denied  { search } for  pid=29981 comm="sendmail" name="postfix" dev="vda1" ino=2621441 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir
type=AVC msg=audit(1381127514.601:461): avc:  denied  { search } for  pid=5177 comm="postdrop" name="maildrop" dev="vda1" ino=6686100 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
type=AVC msg=audit(1381127717.386:471): avc:  denied  { search } for  pid=8174 comm="postdrop" name="public" dev="vda1" ino=6686112 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_public_t:s0 tclass=dir
Comment 2 Miroslav Grepl 2013-10-07 09:05:41 UTC 
I added changes for it to RHEL.

Lukas,
could you back port them?
Comment 3 Warren Togami 2013-10-09 06:12:56 UTC 
Wouldn't that be a forward port? =)

I certainly hope this fix also goes into $NEXT_RHEL.
Comment 4 Daniel Walsh 2013-10-09 14:34:57 UTC 
It should we always work in upstream first,
Comment 5 Lukas Vrabec 2013-10-15 08:38:55 UTC 
back ported to f20 and f19.

commit 57cb05b0618ca7584636f422510fbc6e668db623
Author: Lukas Vrabec <lvrabec>
Date:   Tue Oct 15 10:15:39 2013 +0200

    Update httpd_can_sendmail boolean to allow read/write postfix spool maildrop

commit 710317b57d0fd4d48d679cc605a0a02c3aa05582
Author: Lukas Vrabec <lvrabec>
Date:   Tue Oct 15 10:10:26 2013 +0200

    Add postfix_rw_spool_maildrop_files interface
Comment 6 Fedora Update System 2013-10-15 16:03:23 UTC 
selinux-policy-3.12.1-74.10.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.10.fc19
Comment 7 Warren Togami 2013-10-18 03:29:04 UTC 
Confirmed, working great!
Comment 8 Fedora Update System 2013-10-18 20:02:57 UTC 
Package selinux-policy-3.12.1-74.10.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.10.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-19368/selinux-policy-3.12.1-74.10.fc19
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2013-10-22 05:05:22 UTC 
selinux-policy-3.12.1-74.10.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.