Bug 128784 - Postfix does not work with SELinux enforcing strict policy
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Russell Coker
Blocks: FC3Target FC4Target

Reported: 2004-07-29 11:34 EDT by W. Michael Petullo
Modified: 2007-11-30 17:10 EST
Fixed In Version: 1.18.2
Doc Type: Bug Fix
Last Closed: 2004-11-07 20:43:38 EST

Attachments
SELinux-related errors from /etc/init.d/postfix start (5.13 KB, text/plain)
2004-08-28 11:08 EDT, W. Michael Petullo

Description W. Michael Petullo 2004-07-29 11:34:18 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7)
Gecko/20040625 Epiphany/1.2.6

Description of problem:
Postfix does not properly process outgoing mail when SELinux is
enforcing its strict policy (selinux-policy-strict-1.15.5-2).

Version-Release number of selected component (if applicable):
postfix-2.1.1-3.1

How reproducible:
Always

Steps to Reproduce:
1.  Configure postfix to use a relayhost.

2.  Try to send a mail using mutt and watch the system logs.

Actual Results:  The email does not go out.  The following is logged:

Jul 29 10:13:17 imp kernel: audit(1091113997.867:0): avc:  denied  {
read } for  pid=3479 exe=/usr/sbin/sendmail.postfix path=pipe:[6225]
dev=pipefs ino=6225 scontext=root:sysadm_r:sysadm_mail_t
tcontext=user_u:user_r:user_su_t tclass=fifo_file


Expected Results:  The email should go out and no errors should be logged.

Additional info:

Everything works fine when SELinux is not enforcing its policy.

I am relaying through a tunnel provided by stunnel from localhost to
my mail server.  I don't think this is relevant to this bug.  However,
I can provide more information about my configuration if it is needed.
Comment 1 W. Michael Petullo 2004-08-28 11:08:36 EDT
Created attachment 103203 [details]
SELinux-related errors from /etc/init.d/postfix start

This seems to be somewhat fixed as of selinux-policy-strict-1.17.4-2.  Outgoing
mail is processed correctly by postfix.  However, when the postfix service
starts there are many SELinux errors logged.  This attachment is a log
fragment.
Comment 2 Thomas Woerner 2004-09-08 04:59:18 EDT
There is a missing newline in the log (lines 2 and 3 are concatenated).

The output of audit2allow is this:

allow consoletype_t user_su_t:fifo_file { read };
allow postfix_master_t policy_src_t:dir { search };
allow postfix_master_t selinux_config_t:dir { search };
allow postfix_master_t user_su_t:fifo_file { read };

Assigning to policy to include these rules.
Comment 3 W. Michael Petullo 2004-10-03 18:08:12 EDT
With selinux-policy-strict-1.17.26-1, I now get:

Oct  3 17:09:28 imp kernel: audit(1096841368.526:0): avc:  denied  {
read } for  pid=5685 exe=/sbin/consoletype path=pipe:[11205]
dev=pipefs ino=11205 scontext=root:system_r:consoletype_t
tcontext=user_u:user_r:user_su_t tclass=fifo_file
Oct  3 17:09:28 imp kernel: audit(1096841368.558:0): avc:  denied  {
read } for  pid=5686 exe=/usr/sbin/postalias path=pipe:[11205]
dev=pipefs ino=11205 scontext=root:system_r:postfix_master_t
tcontext=user_u:user_r:user_su_t tclass=fifo_file
Oct  3 17:09:28 imp kernel: audit(1096841368.595:0): avc:  denied  {
write } for  pid=5686 exe=/usr/sbin/postalias name=aliases.db dev=dm-0
ino=327759 scontext=root:system_r:postfix_master_t
tcontext=system_u:object_r:etc_aliases_t tclass=file
Oct  3 17:09:29 imp kernel: audit(1096841369.603:0): avc:  denied  {
read } for  pid=5687 exe=/usr/sbin/postfix path=pipe:[11205]
dev=pipefs ino=11205 scontext=root:system_r:postfix_master_t
tcontext=user_u:user_r:user_su_t tclass=fifo_file
Oct  3 17:09:30 imp postfix:  succeeded
Comment 4 W. Michael Petullo 2004-10-20 22:21:55 EDT
With selinux-policy-strict-1.17.30-2, I now get:

Oct 20 21:23:11 imp kernel: audit(1098325391.124:0): avc:  denied  {
write } for  pid=26747 exe=/usr/sbin/postalias name=aliases.db
dev=dm-0 ino=327759 scontext=root:system_r:postfix_master_t
tcontext=system_u:object_r:etc_aliases_t tclass=file
Oct 20 21:23:11 imp kernel: audit(1098325391.309:0): avc:  denied  {
read } for  pid=26751 exe=/bin/ls name=config dev=dm-0 ino=315075
scontext=root:system_r:postfix_master_t
tcontext=system_u:object_r:selinux_config_t tclass=file
Oct 20 21:23:11 imp kernel: audit(1098325391.310:0): avc:  denied  {
getattr } for  pid=26751 exe=/bin/ls path=/etc/selinux/config dev=dm-0
ino=315075 scontext=root:system_r:postfix_master_t
tcontext=system_u:object_r:selinux_config_t tclass=file
Oct 20 21:23:12 imp kernel: audit(1098325392.206:0): avc:  denied  {
getattr } for  pid=26762 exe=/bin/bash
path=/usr/share/man/man1/mailq.postfix.1.gz dev=dm-0 ino=81854
scontext=root:system_r:postfix_master_t
tcontext=system_u:object_r:man_t tclass=file
Comment 5 Daniel Walsh 2004-11-06 02:03:34 EST
With selinux-policy-strict-1.18.1 in Enforcing mode you should not be
seeing these messages any longer.
Comment 6 W. Michael Petullo 2004-11-07 20:43:38 EST
Mail seems to go through with selinux-policy-strict-1.18.1.

I still get AVC errors, but they don't seem to affect mail delivery. 
I set the bug to resolved but will document the remaining
(unimportant?) errors here:

When stopping postfix:

Nov  7 19:36:26 imp kernel: audit(1099877786.938:0): avc:  denied  {
read } for  pid=17639 exe=/sbin/consoletype path=pipe:[20453]
dev=pipefs ino=20453 scontext=root:system_r:consoletype_t
tcontext=user_u:user_r:user_su_t tclass=fifo_file
Nov  7 19:36:27 imp kernel: audit(1099877787.027:0): avc:  denied  {
read } for  pid=17640 exe=/usr/sbin/postfix path=pipe:[20453]
dev=pipefs ino=20453 scontext=root:system_r:postfix_master_t
tcontext=user_u:user_r:user_su_t tclass=fifo_file

When starting postfix:

Nov  7 19:38:54 imp kernel: audit(1099877934.587:0): avc:  denied  {
read } for  pid=18630 exe=/sbin/consoletype path=pipe:[20453]
dev=pipefs ino=20453 scontext=root:system_r:consoletype_t
tcontext=user_u:user_r:user_su_t tclass=fifo_file
Nov  7 19:38:54 imp kernel: audit(1099877934.671:0): avc:  denied  {
read } for  pid=18633 exe=/usr/sbin/postalias path=pipe:[20453]
dev=pipefs ino=20453 scontext=root:system_r:postfix_master_t
tcontext=user_u:user_r:user_su_t tclass=fifo_file
Nov  7 19:38:54 imp kernel: audit(1099877934.703:0): avc:  denied  {
search } for  pid=18633 exe=/usr/sbin/postalias name=tmp dev=dm-0
ino=195457 scontext=root:system_r:postfix_master_t
tcontext=system_u:object_r:tmp_t tclass=dir
Nov  7 19:38:54 imp kernel: audit(1099877934.704:0): avc:  denied  {
search } for  pid=18633 exe=/usr/sbin/postalias name=tmp dev=dm-0
ino=195457 scontext=root:system_r:postfix_master_t
tcontext=system_u:object_r:tmp_t tclass=dir
Nov  7 19:38:54 imp kernel: audit(1099877934.704:0): avc:  denied  {
search } for  pid=18633 exe=/usr/sbin/postalias name=tmp dev=dm-0
ino=195457 scontext=root:system_r:postfix_master_t
tcontext=system_u:object_r:tmp_t tclass=dir
Nov  7 19:38:54 imp kernel: audit(1099877934.721:0): avc:  denied  {
read } for  pid=18634 exe=/usr/sbin/postfix path=pipe:[20453]
dev=pipefs ino=20453 scontext=root:system_r:postfix_master_t
tcontext=user_u:user_r:user_su_t tclass=fifo_file

When processing outgoing mail:

Nov  7 19:40:18 imp kernel: audit(1099878018.215:0): avc:  denied  {
connect } for  pid=18964 exe=/usr/sbin/xinetd laddr=127.0.0.1
lport=33392 scontext=system_u:system_r:inetd_t
tcontext=system_u:system_r:inetd_t tclass=tcp_socket
Nov  7 19:40:18 imp kernel: audit(1099878018.283:0): avc:  denied  {
ioctl } for  pid=18964 exe=/usr/sbin/stunnel path=/dev/urandom
dev=tmpfs ino=1881 scontext=system_u:system_r:inetd_child_t
tcontext=system_u:object_r:urandom_device_t tclass=chr_file

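Added example, not code from this bug report or from the SELinux tools: a small Python reimplementation of the audit2allow step Thomas Woerner describes in comment 2, run over AVC denials re-typed from comments 3, 4 and 6. The sample log is constructed, with the last record deliberately glued to the following syslog line the way comment 2 found in the attachment, so the record splitter is exercised. It merges permissions per source type, target type and object class the way audit2allow does, and additionally flags denials whose target object carries a process domain rather than an object_r label (the pipe:[...] fifo_file denials against user_su_t): a pipe or socket labelled with another process's domain reached the daemon as a descriptor inherited from the root shell that ran the init script, and a policy reviewer would normally silence that with dontaudit instead of granting it. That classification heuristic, the dontaudit suggestion and the function names (iter_records, parse_denial, summarise, render) are this example's own assumptions, not the policy change that closed the bug.

```python
"""Audit2allow-style summary of the AVC denials quoted in this bug.

Added example, not code from the bug report or from the SELinux tools.
Function names and the review heuristic are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample: denials re-typed from comments 3, 4 and 6, joined back
# onto one line each.  The last record has the next syslog line glued onto it
# with no newline, as comment 2 observed in the attachment.
SAMPLE_LOG = """\
Oct  3 17:09:28 imp kernel: audit(1096841368.526:0): avc:  denied  { read } for  pid=5685 exe=/sbin/consoletype path=pipe:[11205] dev=pipefs ino=11205 scontext=root:system_r:consoletype_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Oct  3 17:09:28 imp kernel: audit(1096841368.558:0): avc:  denied  { read } for  pid=5686 exe=/usr/sbin/postalias path=pipe:[11205] dev=pipefs ino=11205 scontext=root:system_r:postfix_master_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Oct  3 17:09:28 imp kernel: audit(1096841368.595:0): avc:  denied  { write } for  pid=5686 exe=/usr/sbin/postalias name=aliases.db dev=dm-0 ino=327759 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:etc_aliases_t tclass=file
Oct 20 21:23:11 imp kernel: audit(1098325391.309:0): avc:  denied  { read } for  pid=26751 exe=/bin/ls name=config dev=dm-0 ino=315075 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:selinux_config_t tclass=file
Oct 20 21:23:11 imp kernel: audit(1098325391.310:0): avc:  denied  { getattr } for  pid=26751 exe=/bin/ls path=/etc/selinux/config dev=dm-0 ino=315075 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:selinux_config_t tclass=file
Nov  7 19:40:18 imp kernel: audit(1099878018.215:0): avc:  denied  { connect } for  pid=18964 exe=/usr/sbin/xinetd laddr=127.0.0.1 lport=33392 scontext=system_u:system_r:inetd_t tcontext=system_u:system_r:inetd_t tclass=tcp_socket
Oct  3 17:09:29 imp kernel: audit(1096841369.603:0): avc:  denied  { read } for  pid=5687 exe=/usr/sbin/postfix path=pipe:[11205] dev=pipefs ino=11205 scontext=root:system_r:postfix_master_t tcontext=user_u:user_r:user_su_t tclass=fifo_fileOct  3 17:09:30 imp postfix:  succeeded
"""

# A syslog record begins "Mon dd hh:mm:ss host "; split before any such
# prefix so a record glued onto the previous line is parsed on its own.
RECORD_START = re.compile(r"(?=[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ )")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def iter_records(text):
    """Yield one syslog record per item, repairing missing newlines."""
    for line in text.splitlines():
        for rec in RECORD_START.split(line):
            if rec.strip():
                yield rec.strip()


def parse_denial(record):
    """Return the fields of one AVC denial, or None for non-AVC records."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {
        "perms": set(m.group("perms").split()),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
    }


def ctx_type(ctx):
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def ctx_role(ctx):
    """user:role:type[:range] -> role"""
    return ctx.split(":")[1]


def summarise(text):
    """Merge permissions per (source type, target type, class), as audit2allow does.

    Also remember the target's role: object_r is a filesystem object, any
    other role means the object (a pipe or socket) carries a process label.
    """
    rules = defaultdict(set)
    target_role = {}
    for rec in iter_records(text):
        d = parse_denial(rec)
        if d is None:
            continue
        key = (ctx_type(d["scontext"]), ctx_type(d["tcontext"]), d["tclass"])
        rules[key] |= d["perms"]
        target_role[key] = ctx_role(d["tcontext"])
    return dict(rules), target_role


def render(text):
    """Emit policy lines, flagging rules a reviewer should not simply allow."""
    rules, target_role = summarise(text)
    out = []
    for src, tgt, cls in sorted(rules):
        perms = " ".join(sorted(rules[(src, tgt, cls)]))
        if src == tgt:
            out.append(f"allow {src} self:{cls} {{ {perms} }};")
        elif target_role[(src, tgt, cls)] != "object_r":
            # Heuristic (this example's assumption, not the bug's fix): an
            # object labelled with another process domain reached the daemon
            # as an inherited descriptor; silence the denial rather than grant it.
            out.append(f"# {src} touched a {cls} labelled {tgt}: inherited descriptor, review before allowing")
            out.append(f"dontaudit {src} {tgt}:{cls} {{ {perms} }};")
        else:
            out.append(f"allow {src} {tgt}:{cls} {{ {perms} }};")
    return out


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_LOG)))
```

Run stand-alone it prints five rules: the two fifo_file denials against user_su_t come out as flagged dontaudit lines, the xinetd connect becomes an `allow inetd_t self:tcp_socket` rule, and the two selinux_config_t denials from comment 4 merge into a single `{ getattr read }` rule, which is the same merging audit2allow performed for the four rules in comment 2.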