Bug 1281668 - SELinux is preventing postdrop from 'connectto' accesses on the unix_stream_socket /var/spool/postfix/public/pickup.
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Version: 23
Hardware: x86_64
OS: Unspecified
Priority: low
Severity: low
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
abrt_hash:03d2c5256eb1ad1a23ad73bc4ae...
Reported: 2015-11-13 00:01 EST by m@
Modified: 2016-12-20 21:59 EST (History)
CC List: 6 users

Doc Type: Bug Fix
Last Closed: 2016-12-20 10:45:31 EST


Attachments: None
Description m@ 2015-11-13 00:01:15 EST
Description of problem:
It happened in the background.  These are both postfix daemons.
SELinux is preventing postdrop from 'connectto' accesses on the unix_stream_socket /var/spool/postfix/public/pickup.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that postdrop should be allowed connectto access on the pickup unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep postdrop /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:postfix_postdrop_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                /var/spool/postfix/public/pickup [ unix_stream_socket ]
Source                        postdrop
Source Path                   postdrop
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-152.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.5-300.fc23.x86_64 #1 SMP Tue Oct 27 04:29:56 UTC 2015 x86_64 x86_64
Alert Count                   3
First Seen                    2015-11-10 03:48:04 CST
Last Seen                     2015-11-12 03:50:04 CST
Local ID                      ad7a5059-d231-426a-9d3b-406541d9424f

Raw Audit Messages
type=AVC msg=audit(1447321804.366:7687): avc:  denied  { connectto } for  pid=3752 comm="postdrop" path="/var/spool/postfix/public/pickup" scontext=system_u:system_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0


Hash: postdrop,postfix_postdrop_t,unconfined_t,unix_stream_socket,connectto

Version-Release number of selected component:
selinux-policy-3.13.1-152.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.5-300.fc23.x86_64
type:           libreport
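The AVC record above is the whole evidence the report rests on, and the setroubleshoot suggestion (audit2allow -M mypol; semodule -i mypol.pp) would turn it straight into an allow rule. The point a maintainer would check first is the target context: the pickup socket is labelled unconfined_t, which means the process that created it was not running in the postfix_pickup_t domain at all, so the denial is a labeling/startup problem rather than a policy gap. The following is an added example, not code from the report or from the selinux-policy project: it parses AVC lines, renders the allow rule that audit2allow would derive from each one (in .te syntax, approximating audit2allow's output), and flags rules whose target is an unconfined domain for review instead of installation. The first sample line is the record from this report; the second and third lines are constructed here to exercise the other branches.

```python
import re

# Constructed sample audit.log excerpt. Line 1 is the AVC record from this report;
# lines 2 and 3 are made up here (a plain file denial and a non-AVC SYSCALL record).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1447321804.366:7687): avc:  denied  { connectto } for  pid=3752 comm="postdrop" path="/var/spool/postfix/public/pickup" scontext=system_u:system_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1447321900.100:7701): avc:  denied  { read write } for  pid=3800 comm="smtp" name="master.pid" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_var_run_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1447321804.366:7687): arch=c000003e syscall=42 success=no exit=-13 comm="postdrop"
"""

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Processes running in these domains are not confined by the targeted policy at all.
UNCONFINED_TYPES = {"unconfined_t", "unconfined_service_t"}


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other audit record."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; policy rules are written against the type.
    for ctx in ("scontext", "tcontext"):
        rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def audit2allow_rule(rec):
    """The allow rule this denial would become in a .te file (approximates audit2allow output)."""
    return "allow %s %s:%s { %s };" % (
        rec["scontext_type"], rec["tcontext_type"], rec["tclass"], " ".join(rec["perms"]))


def triage(rec):
    """Classify a denial before anyone turns it into a local policy module."""
    if rec is None or rec["verdict"] != "denied":
        return None
    if rec["tcontext_type"] in UNCONFINED_TYPES:
        return ("suspect-labeling",
                "target type %s is unconfined: the peer that created this object was running "
                "outside its policy domain (e.g. started from a user shell instead of the unit "
                "file); fix how it is started rather than install '%s'"
                % (rec["tcontext_type"], audit2allow_rule(rec)))
    return ("policy-gap", "candidate rule for review: %s" % audit2allow_rule(rec))


def triage_log(text):
    """Run triage over an audit.log excerpt; returns a list of (comm, category, reason)."""
    results = []
    for line in text.splitlines():
        rec = parse_avc(line)
        verdict = triage(rec)
        if verdict:
            results.append((rec["comm"], verdict[0], verdict[1]))
    return results


if __name__ == "__main__":
    for comm, category, reason in triage_log(SAMPLE_AUDIT):
        print("%-10s %-17s %s" % (comm, category, reason))
```

Run against the report's record, the postdrop denial lands in the suspect-labeling bucket: the rule audit2allow would produce, allow postfix_postdrop_t unconfined_t:unix_stream_socket connectto, does not fix the underlying problem and only lets a confined daemon talk to whatever happens to be running unconfined.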
Comment 1 Miroslav Grepl 2015-11-20 07:35:00 EST
Did you start postfix-pickup directly instead of using the postfix unit file?
Comment 2 m@ 2015-11-21 15:58:09 EST
I started postfix via the command:
    systemctl restart postfix.  

I did not run postfix-pickup directly.

Currently, postfix fails to start after a boot.  I need to manually restart it.
Comment 3 Miroslav Grepl 2015-12-11 05:19:04 EST
What does

ps -eZ |grep postfix
Comment 4 m@ 2015-12-11 22:36:36 EST
$ ps -eZ |grep postfix
system_u:system_r:postfix_master_t:s0 1808 ?   00:00:04 master
system_u:system_r:postfix_pickup_t:s0 4372 ?   00:00:00 pickup
system_u:system_r:postfix_qmgr_t:s0 19377 ?    00:00:00 qmgr
system_u:system_r:postfix_master_t:s0 20429 ?  00:00:00 tlsmgr

This is after the system has been up, and I've been fixing permissions with 
audit2allow and semodule.  Postfix hadn't delivered any mail from me in the past two weeks, due to SELinux issues.  After fixing those, it all went out, much to the surprise of the recipients. ("Did you send me this two weeks ago?") :-(

SETroubleshoot listed these items:
Source process  Attempted Access  On this    Occurred    Status
postdrop          connectto       pickup        3        Notify
smtp              read,write      master.pid    1        Notify   
bounce            read,write      unix.smtp     2206     Notify
bounce            open            unix.defer    5        Notify
bounce            getattr         unix.defer    1        Notify
bounce            lock            unix.defer    3        Notify
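Comment 3 asks for ps -eZ output because it answers the question behind the AVC: whether each postfix daemon is running in its own domain. In the output above they are (master, pickup, qmgr all in postfix_*_t), so whatever created the pickup socket with an unconfined_t label at the time of the denial is no longer running that way. The following is an added example, not code from the report or from the selinux-policy project, that turns that manual check into a function: it parses ps -eZ output and flags any listed postfix process whose domain differs from the expected one. The expected-domain table only covers the daemons whose domains appear on this page; the "healthy" sample is the output from Comment 4 and the "broken" sample is constructed to show a pickup process started from a user shell.

```python
import re

# Expected SELinux domains for the postfix processes whose domains appear in this
# report (from the ps -eZ output and the AVC record). Extend for other daemons.
EXPECTED_DOMAIN = {
    "master": "postfix_master_t",
    "pickup": "postfix_pickup_t",
    "qmgr": "postfix_qmgr_t",
    "postdrop": "postfix_postdrop_t",
}

# One ps -eZ line: LABEL PID TTY TIME CMD. The header line fails the PID check and is skipped.
PS_LINE = re.compile(
    r"^(?P<ctx>\S+)\s+(?P<pid>\d+)\s+(?P<tty>\S+)\s+(?P<time>[\d:]+)\s+(?P<comm>\S+)$"
)

# Sample 1: the ps -eZ output from Comment 4 (daemons in their own domains).
HEALTHY = """\
LABEL                           PID TTY          TIME CMD
system_u:system_r:postfix_master_t:s0 1808 ?   00:00:04 master
system_u:system_r:postfix_pickup_t:s0 4372 ?   00:00:00 pickup
system_u:system_r:postfix_qmgr_t:s0 19377 ?    00:00:00 qmgr
"""

# Sample 2: constructed here; pickup was launched from an interactive user shell,
# so it inherited the shell's unconfined_t domain instead of transitioning.
BROKEN = """\
system_u:system_r:postfix_master_t:s0 1808 ?   00:00:04 master
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4400 pts/1 00:00:00 pickup
system_u:system_r:postfix_qmgr_t:s0 19377 ?    00:00:00 qmgr
"""


def parse_ps_ez(text):
    """Parse ps -eZ output into dicts with pid, comm, full context and the type field."""
    procs = []
    for line in text.splitlines():
        m = PS_LINE.match(line.strip())
        if not m:
            continue
        ctx = m.group("ctx")
        procs.append({
            "pid": int(m.group("pid")),
            "comm": m.group("comm"),
            "context": ctx,
            "type": ctx.split(":")[2],   # user:role:type[:range] -> type
        })
    return procs


def find_misdomained(procs, expected=EXPECTED_DOMAIN):
    """Return (comm, pid, actual_type, expected_type) for every known daemon in the wrong domain."""
    problems = []
    for p in procs:
        want = expected.get(p["comm"])
        if want and p["type"] != want:
            problems.append((p["comm"], p["pid"], p["type"], want))
    return problems


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("broken", BROKEN)):
        bad = find_misdomained(parse_ps_ez(sample))
        print(label, "->", bad if bad else "all postfix daemons in expected domains")
```

A process that shows up here in unconfined_t is the situation Comment 1 is probing for: it was not started through the postfix unit file, so the init_t to postfix_master_t domain transition never happened, and every object it creates (such as the pickup socket) carries the unconfined label. Restarting through systemctl, as the reporter later did, puts the daemons back in their domains, which is consistent with the problem disappearing.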
Comment 5 Miroslav Grepl 2016-01-04 09:15:03 EST
Are you able to reproduce it?
Comment 6 m@ 2016-02-22 23:51:05 EST
The problem no longer occurs.  I suspect this is due to running audit2allow and semodule.
Comment 7 Lukas Vrabec 2016-02-25 09:24:06 EST
Did you create own SELinux policy module?
Comment 8 m@ 2016-03-29 00:15:42 EDT
Yes, I did (provided that that's what following the instructions to allow the access, i.e. executing:
    # grep postdrop /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp
does.)
Comment 9 Lukas Vrabec 2016-03-29 11:44:04 EDT
What does: 
$ ps -efZ  | grep unconfined

Thank you.
Comment 10 m@ 2016-03-29 23:27:21 EDT
condenser> ps -efZ  | grep unconfined
system_u:system_r:unconfined_service_t:s0 root 1156 1  0 00:39 ?       00:00:05 /sbin/rngd -f
system_u:system_r:unconfined_service_t:s0 root 1921 1  0 00:40 ?       00:00:04 /usr/libexec/udisks2/udisksd --no-debug
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2230 1  0 00:59 ? 00:00:00 /usr/bin/gnome-keyring-daemon --daemonize --login
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2255 2141  0 00:59 tty2 00:00:00 /usr/libexec/gdm-x-session --run-script gnome-session
unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 mbraun 2279 2255  0 00:59 tty2 00:02:21 /usr/libexec/Xorg vt2 -displayfd 3 -auth /run/user/1000/gdm/Xauthority -nolisten tcp -background none -noreset -keeptty -verbose 3
unconfined_u:unconfined_r:xserver_t:s0-s0:c0.c1023 root 2366 2279  0 00:59 tty2 00:00:00 /usr/libexec/xf86-video-intel-backlight-helper intel_backlight
unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 mbraun 2372 2255  0 01:00 tty2 00:00:00 dbus-daemon --print-address 4 --session
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2375 2255  0 01:00 tty2 00:00:00 /usr/libexec/gnome-session-binary
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2433 1  0 01:00 tty2 00:00:00 /usr/libexec/at-spi-bus-launcher
unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 mbraun 2438 2433  0 01:00 tty2 00:00:00 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2442 1  0 01:00 tty2 00:00:00 /usr/libexec/at-spi2-registryd --use-gnome-session
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2454 1  0 01:00 tty2 00:00:00 /usr/libexec/gvfsd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2459 1  0 01:00 tty2 00:00:00 /usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2483 2375  0 01:00 tty2 00:00:03 /usr/libexec/gnome-settings-daemon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2500 1  0 01:00 ? 00:00:24 /usr/bin/pulseaudio --start --log-target=syslog
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2542 1  0 01:00 tty2 00:00:00 /usr/libexec/gsd-printer
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2543 2500  0 01:00 ? 00:00:00 /usr/libexec/pulse/gconf-helper
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2549 1  0 01:00 tty2 00:00:00 /usr/libexec/gconfd-2
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2566 2375  0 01:00 tty2 00:07:20 /usr/bin/gnome-shell
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2577 1  0 01:00 tty2 00:00:00 /usr/libexec/gnome-shell-calendar-server
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2578 2566  0 01:00 tty2 00:00:03 ibus-daemon --xim --panel disable
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2583 2578  0 01:00 tty2 00:00:00 /usr/libexec/ibus-dconf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2585 1  0 01:00 tty2 00:00:01 /usr/libexec/ibus-x11 --kill-daemon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2602 1  0 01:00 tty2 00:00:00 /usr/libexec/evolution-source-registry
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2654 1  0 01:00 tty2 00:00:01 /usr/libexec/mission-control-5
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2662 1  0 01:00 tty2 00:00:00 /usr/libexec/goa-daemon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2683 1  0 01:00 tty2 00:00:01 /usr/libexec/goa-identity-service
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2692 1  0 01:00 tty2 00:00:00 /usr/libexec/gvfs-udisks2-volume-monitor
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2697 1  0 01:00 tty2 00:00:00 /usr/libexec/gvfs-gphoto2-volume-monitor
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2702 1  0 01:00 tty2 00:00:00 /usr/libexec/gvfs-afc-volume-monitor
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2709 1  0 01:00 tty2 00:00:00 /usr/libexec/gvfs-mtp-volume-monitor
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2718 1  0 01:00 tty2 00:00:00 /usr/libexec/gvfs-goa-volume-monitor
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2749 2375  0 01:00 tty2 00:00:00 /usr/bin/gnome-software --gapplication-service
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2752 2375  0 01:00 tty2 00:00:00 /usr/libexec/evolution/evolution-alarm-notify
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2765 2578  0 01:00 tty2 00:00:00 /usr/libexec/ibus-engine-simple
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2814 2375  0 01:00 tty2 00:00:00 /usr/bin/seapplet
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2857 1  0 01:00 tty2 00:00:00 /usr/libexec/evolution-calendar-factory
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2870 2857  0 01:00 tty2 00:00:00 /usr/libexec/evolution-calendar-factory-subprocess --factory contacts --bus-name org.gnome.evolution.dataserver.Subprocess.Backend.Calendarx2857x2 --own-path /org/gnome/evolution/dataserver/Subprocess/Backend/Calendar/2857/2
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2880 1  0 01:00 tty2 00:00:00 /usr/libexec/evolution-addressbook-factory
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2883 2857  0 01:00 tty2 00:00:00 /usr/libexec/evolution-calendar-factory-subprocess --factory local --bus-name org.gnome.evolution.dataserver.Subprocess.Backend.Calendarx2857x3 --own-path /org/gnome/evolution/dataserver/Subprocess/Backend/Calendar/2857/3
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2912 2880  0 01:00 tty2 00:00:00 /usr/libexec/evolution-addressbook-factory-subprocess --factory local --bus-name org.gnome.evolution.dataserver.Subprocess.Backend.AddressBookx2880x2 --own-path /org/gnome/evolution/dataserver/Subprocess/Backend/AddressBook/2880/2
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2937 1  0 01:00 tty2 00:00:00 xterm
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2940 2937  0 01:00 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2981 2940  0 01:00 pts/0 00:00:00 xterm -fn 6x10 -fg white -bg rgb:10/10/10 -title 'Color3' -geometry 80x40 -e /bin/bash -i
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 2983 2981  0 01:00 pts/1 00:00:00 /bin/bash -i
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 3024 2940  0 01:00 pts/0 00:00:00 xterm -fn 6x10 -fg orange -bg black -title 'Color4' -geometry 80x40 -e /bin/bash -i
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 3026 3024  0 01:00 pts/2 00:00:00 /bin/bash -i
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 3067 2940  0 01:00 pts/0 00:00:00 xterm -fn 6x10 -fg orange -bg black -title 'Color4' -geometry 80x40 -e /bin/bash -i
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 3069 3067  0 01:00 pts/3 00:00:00 /bin/bash -i
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 3110 2940  0 01:00 pts/0 00:00:00 xterm -fn 6x10 -fg yellow -bg black -title 'Color5' -geometry 80x40 -e /bin/bash -i
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 3112 3110  0 01:00 pts/4 00:00:00 /bin/bash -i
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 3153 2940  0 01:00 pts/0 00:00:00 xterm -fn 6x10 -fg cyan -bg black -title 'Color6' -geometry 80x40 -e /bin/bash -i
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 3155 3153  0 01:00 pts/5 00:00:00 /bin/bash -i
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 3198 1  0 01:00 ? 00:00:34 fetchmail
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 3203 2940  0 01:00 pts/0 00:00:06 emacs
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 3283 3203  0 01:01 pts/6 00:00:00 /usr/bin/idn --quiet --idna-to-ascii --usestd3asciirules
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 3326 1  0 01:01 tty2 00:00:00 /usr/libexec/gvfsd-http --spawner :1.9 /org/gtk/gvfs/exec_spaw/0
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 3331 1  0 01:01 ? 00:11:41 /usr/lib64/firefox/firefox http://trk.cp20.com/click?abvn8-1mokuo-wi9u8v8
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 3486 1  0 01:16 tty2 00:00:00 /usr/libexec/gvfsd-metadata
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 surf 3778 1  0 01:28 ? 00:00:00 dbus-launch --autolaunch b5f7149653ac4865a4425316a5f703ba --binary-syntax --close-stderr
unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 surf 3779 1  0 01:28 ? 00:00:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 4895 1  0 06:01 tty2 00:00:00 /usr/libexec/dconf-service
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 6118 1  0 21:59 ? 00:00:00 /usr/lib64/libreoffice/program/oosplash --calc file:///tmp/mozilla_mbraun0/bu10platinum.xlsx
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 6154 6118  0 21:59 ? 00:00:01 /usr/lib64/libreoffice/program/soffice.bin --calc file:///tmp/mozilla_mbraun0/bu10platinum.xlsx --splash-pipe=5
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 6431 3331  1 22:18 ? 00:00:04 /usr/lib64/firefox/plugin-container /usr/lib64/flash-plugin/libflashplayer.so -greomni /usr/lib64/firefox/omni.ja -appomni /usr/lib64/firefox/browser/omni.ja -appdir /usr/lib64/firefox/browser 3331 plugin
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 6533 3155  0 22:24 pts/5 00:00:00 ps -efZ
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 mbraun 6534 3155  0 22:24 pts/5 00:00:00 grep --color=auto unconfined
Comment 11 Fedora Admin XMLRPC Client 2016-09-27 10:58:24 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 12 Fedora End Of Life 2016-11-24 08:22:00 EST
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 13 Fedora End Of Life 2016-12-20 10:45:31 EST
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 14 Fedora End Of Life 2016-12-20 21:59:28 EST
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
