Created attachment 880577
Output of sealert analysis

Description of problem:
SELinux seems to be preventing cron.daily jobs from sending mail. Sending mail as a user or root works, as does running 'run-parts /etc/cron.daily' manually.

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-135
selinux-policy-targeted-3.12.1-135
opensmtpd-5.4.2p1-1

How reproducible:
Very

Steps to Reproduce:
1. Create a job in /etc/cron.daily/ that mails its output to a user.
2. Wait for cron.daily to be run.

Actual results:
An error message mail is received:
"/etc/cron.daily/check-update: send-mail: cannot create temporary file /var/spool/smtpd/offline/1396244882.DTT1D1I2nz: Permission denied"

Expected results:
Receiving mail from the cron job with the configured information.

Additional info:
Attached is the output of 'sealert -a /var/log/audit/audit.log'.

The cron job:
$ cat /etc/cron.daily/check-update
#!/bin/sh
/usr/bin/dnf list upgrades 2>&1 | /usr/bin/mail -E -s "check-update output" root

$ stat /etc/cron.daily/check-update
  File: ‘/etc/cron.daily/check-update’
  Size: 92  Blocks: 8  IO Block: 4096  regular file
Device: fd01h/64769d  Inode: 260901  Links: 1
Access: (0755/-rwxr-xr-x)  Uid: ( 0/ root)  Gid: ( 0/ root)
Context: unconfined_u:object_r:bin_t:s0
Access: 2014-03-31 08:48:01.778515039 +0300
Modify: 2014-03-11 19:32:23.480313652 +0200
Change: 2014-03-14 16:11:57.623672333 +0200
 Birth: -

The directory:
$ stat /var/spool/smtpd/offline
  File: ‘/var/spool/smtpd/offline’
  Size: 4096  Blocks: 8  IO Block: 4096  directory
Device: fd01h/64769d  Inode: 145160  Links: 2
Access: (1777/drwxrwxrwt)  Uid: ( 0/ root)  Gid: ( 0/ root)
Context: system_u:object_r:var_spool_t:s0
Access: 2014-03-31 07:29:40.530186582 +0300
Modify: 2014-01-20 18:12:52.483566685 +0200
Change: 2014-01-20 18:12:52.483566685 +0200
 Birth: -
The following will fix your issue:

semanage fcontext -a -t mail_spool_t "/var/spool/smtpd(/.*)?"

The fix would be to add

/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_pool_t,s0)

to policy/modules/contrib/mta.fc
(In reply to William Brown from comment #1)
> The following will fix your issue:
>
> semanage fcontext -a -t mail_spool_t "/var/spool/smtpd(/.*)?"

Thank you, that and running 'restorecon -R -v /var/spool/smtpd' afterwards seem to have fixed the issue.
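Added example, not part of the original thread: a simplified Python model of file-context lookup showing why the new rule changes the expected label for the spool directory, and why 'restorecon' was still needed afterwards (the on-disk label stays var_spool_t until relabelled). The /var/spool(/.*)? entry, the function names and the "longest literal prefix wins" ordering are assumptions made for illustration; real libselinux ordering has more rules.

```python
import re

# Constructed file-context table. The base entry is an assumption chosen to
# match the var_spool_t label in the report's stat output; FIX_ENTRY is the
# rule from the thread, written with mail_spool_t as in the semanage command.
BASE_POLICY = [
    ("/var/spool(/.*)?", "system_u:object_r:var_spool_t:s0"),
]
FIX_ENTRY = ("/var/spool/smtpd(/.*)?", "system_u:object_r:mail_spool_t:s0")

_META = re.compile(r"[.^$*+?()\[\]{}|\\]")


def stem_length(pattern):
    """Length of the literal prefix before the first regex metacharacter."""
    m = _META.search(pattern)
    return m.start() if m else len(pattern)


def expected_context(path, entries):
    """Return the context of the most specific entry matching path, or None.

    Simplified model: patterns are anchored at both ends and the matching
    entry with the longest literal prefix wins.
    """
    best = None
    for pattern, context in entries:
        if re.fullmatch(pattern, path):
            if best is None or stem_length(pattern) > stem_length(best[0]):
                best = (pattern, context)
    return best[1] if best else None


def needs_relabel(path, current_context, entries):
    """True when the on-disk label differs from what the table expects."""
    expected = expected_context(path, entries)
    return expected is not None and expected != current_context


if __name__ == "__main__":
    on_disk = "system_u:object_r:var_spool_t:s0"  # from the report's stat output
    fixed = BASE_POLICY + [FIX_ENTRY]
    for p in ("/var/spool/smtpd",
              "/var/spool/smtpd/offline",
              "/var/spool/smtpd/offline/1396244882.DTT1D1I2nz"):
        print(p, "->", expected_context(p, fixed),
              "(relabel needed)" if needs_relabel(p, on_disk, fixed) else "")
```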
(In reply to William Brown from comment #1)
> the fix would be to add
>
> /var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_pool_t,s0) to
> policy/modules/contrib/mta.fc

Thanks for clarifying this, William. Should I, as the package maintainer, request to add a new policy to the existing set of SELinux policies? Or will a simple hack with two commands in the package spec's post-install be enough?
commit f534662c97a5cab42f7f6e260fe60de721fc1fc2 adds this in git.
Backported F20
selinux-policy-3.12.1-161.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-161.fc20
Package selinux-policy-3.12.1-161.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-161.fc20'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6084/selinux-policy-3.12.1-161.fc20
then log in and leave karma (feedback).
Package selinux-policy-3.12.1-163.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-163.fc20'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6084/selinux-policy-3.12.1-163.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-163.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.