1514868 – selinux prevents newaliases from accessing postfix_etc_t directories

Bug 1514868 - selinux prevents newaliases from accessing postfix_etc_t directories

Summary: selinux prevents newaliases from accessing postfix_etc_t directories

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	27
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1516523 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-11-19 02:02 UTC by Scott Shambarger
Modified:	2018-01-29 20:34 UTC (History)
CC List:	7 users (show)
Fixed In Version:	selinux-policy-3.13.1-283.17.fc27
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-11-28 23:53:09 UTC
Type:	Bug
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Scott Shambarger 2017-11-19 02:02:16 UTC

Description of problem:
type=AVC msg=audit(11/18/2017 17:50:22.190:182) : avc:  denied  { read } for  pid=1330 comm=newaliases name=dynamicmaps.cf.d dev="dm-0" ino=2099156 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir permissive=0 

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

Caused when starting postfix (which updates the alias.db file):

aliasesdb[7045]: newaliases: warning: /etc/postfix/dynamicmaps.cf.d: directory open failed: Permission denied

Adding the following policy allowed access:

allow sendmail_t postfix_etc_t:dir read;

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-283.14.fc27.noarch
postfix-3.2.4-1.fc27.x86_64

Comment 1 Fedora Update System 2017-11-22 08:54:07 UTC

selinux-policy-3.13.1-283.17.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9

Comment 2 Adam Williamson 2017-11-22 20:17:40 UTC

*** Bug 1516523 has been marked as a duplicate of this bug. ***

Comment 3 Fedora Update System 2017-11-22 21:40:45 UTC

selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9

Comment 4 Scott Shambarger 2017-11-23 00:51:35 UTC

Appears fixed in latest build, adding karma!

Comment 5 Fedora Update System 2017-11-28 23:53:09 UTC

selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.