From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7) Gecko/20040625 Epiphany/1.2.6

Description of problem:
Postfix does not properly process outgoing mail when SELinux is enforcing its strict policy (selinux-policy-strict-1.15.5-2).

Version-Release number of selected component (if applicable):
postfix-2.1.1-3.1

How reproducible:
Always

Steps to Reproduce:
1. Configure postfix to use a relayhost.
2. Try to send a mail using mutt and watch the system logs.

Actual Results:
The email does not go out. The following is logged:

Jul 29 10:13:17 imp kernel: audit(1091113997.867:0): avc: denied { read } for pid=3479 exe=/usr/sbin/sendmail.postfix path=pipe:[6225] dev=pipefs ino=6225 scontext=root:sysadm_r:sysadm_mail_t tcontext=user_u:user_r:user_su_t tclass=fifo_file

Expected Results:
The email should go out and no errors should be logged.

Additional info:
Everything works fine when SELinux is not enforcing its policy. I am relaying through a tunnel provided by stunnel from localhost to my mail server. I don't think this is relevant to this bug. However, I can provide more information about my configuration if it is needed.
Created attachment 103203 [details]
SELinux-related errors from /etc/init.d/postfix start

This seems to be somewhat fixed as of selinux-policy-strict-1.17.4-2. Outgoing mail is processed correctly by postfix. However, when the postfix service starts there are many SELinux errors logged. This attachment is a log fragment.
There is a missing newline in the log (lines 2 and 3 are concatenated). The output of audit2allow is this:

allow consoletype_t user_su_t:fifo_file { read };
allow postfix_master_t policy_src_t:dir { search };
allow postfix_master_t selinux_config_t:dir { search };
allow postfix_master_t user_su_t:fifo_file { read };

Assigning to policy to include these rules.
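The audit2allow step above collapses a set of AVC denials into allow rules keyed on source type, target type and object class. The following is an added example, not part of the bug report or of audit2allow itself, that does the same reduction over constructed denial lines modelled on the ones in this report (the classic `audit(...): avc: denied` kernel log format), so the merging of permissions per rule can be seen on real-looking input:

```python
import re
from collections import defaultdict

# Matches the 2004-era AVC denial format used in this report:
# audit(...): avc: denied { perm ... } for pid=... scontext=u:r:t tcontext=u:r:t tclass=cls
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s*scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample lines (same shape as the denials quoted in this bug).
SAMPLE_DENIALS = [
    "Oct 3 17:09:28 imp kernel: audit(1096841368.526:0): avc: denied { read } for pid=5685 exe=/sbin/consoletype path=pipe:[11205] dev=pipefs ino=11205 scontext=root:system_r:consoletype_t tcontext=user_u:user_r:user_su_t tclass=fifo_file",
    "Oct 3 17:09:28 imp kernel: audit(1096841368.558:0): avc: denied { read } for pid=5686 exe=/usr/sbin/postalias path=pipe:[11205] dev=pipefs ino=11205 scontext=root:system_r:postfix_master_t tcontext=user_u:user_r:user_su_t tclass=fifo_file",
    "Oct 3 17:09:28 imp kernel: audit(1096841368.595:0): avc: denied { write } for pid=5686 exe=/usr/sbin/postalias name=aliases.db dev=dm-0 ino=327759 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:etc_aliases_t tclass=file",
    "Oct 20 21:23:11 imp kernel: audit(1098325391.309:0): avc: denied { read } for pid=26751 exe=/bin/ls name=config dev=dm-0 ino=315075 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:selinux_config_t tclass=file",
    "Oct 20 21:23:11 imp kernel: audit(1098325391.310:0): avc: denied { getattr } for pid=26751 exe=/bin/ls path=/etc/selinux/config dev=dm-0 ino=315075 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:selinux_config_t tclass=file",
    "Oct 3 17:09:30 imp postfix: succeeded",  # not an AVC line; must be ignored
]

def parse_avc(line):
    """Return the permissions, exe, source type, target type and class of one denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # The free-form key=value fields (pid, exe, path, name, dev, ino) between "for" and scontext.
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "perms": set(m.group("perms").split()),
        "exe": fields.get("exe"),
        "sdomain": m.group("scontext").split(":")[2],  # type component of user:role:type
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }

def allow_rules(lines):
    """Merge denials into audit2allow-style rules, one per (source type, target type, class)."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            merged[(d["sdomain"], d["ttype"], d["tclass"])] |= d["perms"]
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in merged.items()
    )

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_DENIALS)))
```

The merged rules are review input, not policy to load blindly: a denial whose target is the calling shell's pipe (tcontext type user_su_t, tclass fifo_file) points at a file descriptor inherited from the init script rather than an access the daemon needs.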
With selinux-policy-strict-1.17.26-1, I now get:

Oct 3 17:09:28 imp kernel: audit(1096841368.526:0): avc: denied { read } for pid=5685 exe=/sbin/consoletype path=pipe:[11205] dev=pipefs ino=11205 scontext=root:system_r:consoletype_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Oct 3 17:09:28 imp kernel: audit(1096841368.558:0): avc: denied { read } for pid=5686 exe=/usr/sbin/postalias path=pipe:[11205] dev=pipefs ino=11205 scontext=root:system_r:postfix_master_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Oct 3 17:09:28 imp kernel: audit(1096841368.595:0): avc: denied { write } for pid=5686 exe=/usr/sbin/postalias name=aliases.db dev=dm-0 ino=327759 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:etc_aliases_t tclass=file
Oct 3 17:09:29 imp kernel: audit(1096841369.603:0): avc: denied { read } for pid=5687 exe=/usr/sbin/postfix path=pipe:[11205] dev=pipefs ino=11205 scontext=root:system_r:postfix_master_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Oct 3 17:09:30 imp postfix: succeeded
With selinux-policy-strict-1.17.30-2, I now get:

Oct 20 21:23:11 imp kernel: audit(1098325391.124:0): avc: denied { write } for pid=26747 exe=/usr/sbin/postalias name=aliases.db dev=dm-0 ino=327759 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:etc_aliases_t tclass=file
Oct 20 21:23:11 imp kernel: audit(1098325391.309:0): avc: denied { read } for pid=26751 exe=/bin/ls name=config dev=dm-0 ino=315075 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:selinux_config_t tclass=file
Oct 20 21:23:11 imp kernel: audit(1098325391.310:0): avc: denied { getattr } for pid=26751 exe=/bin/ls path=/etc/selinux/config dev=dm-0 ino=315075 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:selinux_config_t tclass=file
Oct 20 21:23:12 imp kernel: audit(1098325392.206:0): avc: denied { getattr } for pid=26762 exe=/bin/bash path=/usr/share/man/man1/mailq.postfix.1.gz dev=dm-0 ino=81854 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:man_t tclass=file
With selinux-policy-strict-1.18.1 in Enforcing mode you should not be seeing these messages any longer.
Mail seems to go through with selinux-policy-strict-1.18.1. I still get AVC errors, but they don't seem to affect mail delivery. I set the bug to resolved but will document the remaining (unimportant?) errors here:

When stopping postfix:

Nov 7 19:36:26 imp kernel: audit(1099877786.938:0): avc: denied { read } for pid=17639 exe=/sbin/consoletype path=pipe:[20453] dev=pipefs ino=20453 scontext=root:system_r:consoletype_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Nov 7 19:36:27 imp kernel: audit(1099877787.027:0): avc: denied { read } for pid=17640 exe=/usr/sbin/postfix path=pipe:[20453] dev=pipefs ino=20453 scontext=root:system_r:postfix_master_t tcontext=user_u:user_r:user_su_t tclass=fifo_file

When starting postfix:

Nov 7 19:38:54 imp kernel: audit(1099877934.587:0): avc: denied { read } for pid=18630 exe=/sbin/consoletype path=pipe:[20453] dev=pipefs ino=20453 scontext=root:system_r:consoletype_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Nov 7 19:38:54 imp kernel: audit(1099877934.671:0): avc: denied { read } for pid=18633 exe=/usr/sbin/postalias path=pipe:[20453] dev=pipefs ino=20453 scontext=root:system_r:postfix_master_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Nov 7 19:38:54 imp kernel: audit(1099877934.703:0): avc: denied { search } for pid=18633 exe=/usr/sbin/postalias name=tmp dev=dm-0 ino=195457 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:tmp_t tclass=dir
Nov 7 19:38:54 imp kernel: audit(1099877934.704:0): avc: denied { search } for pid=18633 exe=/usr/sbin/postalias name=tmp dev=dm-0 ino=195457 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:tmp_t tclass=dir
Nov 7 19:38:54 imp kernel: audit(1099877934.704:0): avc: denied { search } for pid=18633 exe=/usr/sbin/postalias name=tmp dev=dm-0 ino=195457 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:tmp_t tclass=dir
Nov 7 19:38:54 imp kernel: audit(1099877934.721:0): avc: denied { read } for pid=18634 exe=/usr/sbin/postfix path=pipe:[20453] dev=pipefs ino=20453 scontext=root:system_r:postfix_master_t tcontext=user_u:user_r:user_su_t tclass=fifo_file

When processing outgoing mail:

Nov 7 19:40:18 imp kernel: audit(1099878018.215:0): avc: denied { connect } for pid=18964 exe=/usr/sbin/xinetd laddr=127.0.0.1 lport=33392 scontext=system_u:system_r:inetd_t tcontext=system_u:system_r:inetd_t tclass=tcp_socket
Nov 7 19:40:18 imp kernel: audit(1099878018.283:0): avc: denied { ioctl } for pid=18964 exe=/usr/sbin/stunnel path=/dev/urandom dev=tmpfs ino=1881 scontext=system_u:system_r:inetd_child_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file