From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050909 Fedora/1.0.6-1.2.fc4 Firefox/1.0.6

Description of problem:
Hi, I upgraded an fc4 machine to the latest updates, and when I rebooted the machine the postfix daemon didn't start. That was because /etc/aliases* were mislabeled, and with restorecon I fixed them. But postfix was unable to receive any email because selinux was denying some accesses. My configuration: fc4 all updated to 09-24-2005, postfix using procmail as delivery agent, and spamassassin.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.1-2.1

How reproducible:
Always

Steps to Reproduce:
1. install or update to selinux-policy-targeted-1.27.1-2.1
2. use daemon postfix as mailer daemon
3.

Actual Results: I was losing my email

Additional info:
type=AVC msg=audit(1127588266.774:19): avc: denied { read } for pid=2889 comm="pickup" name="CA.crt" dev=dm-0 ino=62304 scontext=system_u:system_r:postfix_pickup_t tcontext=system_u:object_r:cert_t tclass=file
type=AVC msg=audit(1127588277.090:31): avc: denied { read } for pid=3033 comm="proxymap" name="CA.crt" dev=dm-0 ino=62304 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:cert_t tclass=file
type=AVC msg=audit(1127588277.104:33): avc: denied { read } for pid=3032 comm="smtpd" name="CA.crt" dev=dm-0 ino=62304 scontext=system_u:system_r:postfix_smtpd_t tcontext=system_u:object_r:cert_t tclass=file
type=AVC msg=audit(1127588277.227:37): avc: denied { read } for pid=3036 comm="trivial-rewrite" name="CA.crt" dev=dm-0 ino=62304 scontext=system_u:system_r:postfix_master_t tcontext=system_u:object_r:cert_t tclass=file
type=AVC msg=audit(1127588277.229:39): avc: denied { getattr } for pid=3032 comm="smtpd" name="/" dev=md0 ino=2 scontext=system_u:system_r:postfix_smtpd_t tcontext=system_u:object_r:boot_t tclass=dir
type=AVC msg=audit(1127588277.229:40): avc: denied { getattr } for pid=3032 comm="smtpd" name="/" dev=dm-1 ino=2 scontext=system_u:system_r:postfix_smtpd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1127608152.949:1445): avc: denied { execute } for pid=9679 comm="local" name="procmail" dev=dm-3 ino=554658 scontext=root:system_r:postfix_local_t tcontext=system_u:object_r:bin_t tclass=file
type=AVC msg=audit(1127608153.973:1446): avc: denied { search } for pid=9680 comm="bounce" name="pki" dev=dm-0 ino=59052 scontext=root:system_r:postfix_bounce_t tcontext=system_u:object_r:cert_t tclass=dir
type=AVC msg=audit(1127608153.973:1447): avc: denied { read } for pid=9680 comm="bounce" name="urandom" dev=tmpfs ino=1321 scontext=root:system_r:postfix_bounce_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
type=AVC msg=audit(1127608153.973:1448): avc: denied { read } for pid=9680 comm="bounce" name="random" dev=tmpfs ino=1319 scontext=root:system_r:postfix_bounce_t tcontext=system_u:object_r:random_device_t tclass=chr_file
type=AVC msg=audit(1127609630.377:1624): avc: denied { read } for pid=11004 comm="local" name="cert.pem" dev=dm-0 ino=59209 scontext=root:system_r:postfix_local_t tcontext=system_u:object_r:cert_t tclass=lnk_file
type=AVC msg=audit(1127609280.973:1593): avc: denied { execute_no_trans } for pid=10764 comm="local" name="procmail" dev=dm-3 ino=554658 scontext=root:system_r:postfix_local_t tcontext=system_u:object_r:bin_t tclass=file
type=AVC msg=audit(1127609630.393:1625): avc: denied { read } for pid=11005 comm="local" name="procmail" dev=dm-3 ino=554658 scontext=root:system_r:postfix_local_t tcontext=system_u:object_r:bin_t tclass=file
type=AVC msg=audit(1127671984.140:4362): avc: denied { getattr } for pid=23772 comm="bash" name="formail" dev=dm-3 ino=554655 scontext=root:system_r:postfix_local_t tcontext=system_u:object_r:bin_t tclass=file
type=AVC msg=audit(1127609807.543:1648): avc: denied { search } for pid=11220 comm="procmail" name="spamassassin" dev=dm-0 ino=60669 scontext=root:system_r:postfix_local_t tcontext=system_u:object_r:etc_mail_t tclass=dir
Created attachment 119239 [details]
selinux rules to allow postfix to work

Also, I had nscd not working; I had to add the first two rules to fix it. I didn't write about it in the bug report, but when I saw the local.te I remembered it.
Created attachment 119241 [details]
supersedes the first local.te I sent, because the first file is missing some rules
Fixed in selinux-policy-targeted-1.27.1-2.3
I have a similar problem. I'm using 1.27.1-2.2, and I have a second aliases file in a user's home directory. Postfix won't start with 'service postfix start' but will start with /usr/sbin/postfix start. I get the following audit messages:

type=AVC msg=audit(1127900117.911:87647): avc: denied { search } for pid=31585 comm="postalias" name="/" dev=dm-2 ino=2 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1127900117.911:87647): arch=40000003 syscall=5 success=no exit=-13 a0=bfca3f60 a1=0 a2=0 a3=bfca2f54 items=1 pid=31585 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postalias" exe="/usr/sbin/postalias"
type=CWD msg=audit(1127900117.911:87647): cwd="/"
type=PATH msg=audit(1127900117.911:87647): item=0 name="/home/mud/etc/aliases" flags=101 inode=2 dev=fd:02 mode=040755 ouid=0 ogid=0 rdev=00:00

I have the following file permissions:

# ls -ldZ / /home /home/mud /home/mud/etc /home/mud/etc/aliases
drwxr-xr-x  root root system_u:object_r:root_t         /
drwxr-xr-x  root root system_u:object_r:home_root_t    /home
drwxrwsr-x  mud  mud  user_u:object_r:user_home_dir_t  /home/mud
drwxrwsr-x  mud  mud  user_u:object_r:user_home_t      /home/mud/etc
-rw-rw-r--  mud  mud  system_u:object_r:etc_aliases_t  /home/mud/etc/aliases

The audit2allow command recommends the following:

# audit2allow -l -i audit.log
allow postfix_master_t home_root_t:dir search;
allow postfix_master_t unconfined_t:process signal;
(In reply to comment #3)
> Fixed in selinux-policy-targeted-1.27.1-2.3

I downloaded it from testing-updates and I'm able to receive my emails. I restarted the postfix daemon to be sure about any AVC messages, but none showed up; well, only one about search on winbind_var_run_t, but I don't have any ill effects from those AVCs, so it's fixed. Thanks.
(In reply to comment #4)
> I have a similar problem - I'm using 1.27.1-2.2, and I have a second aliases
> file in a users home directory. Postfix won't start with 'service postfix start'
> but will start with /usr/sbin/postfix start. I get the following audit messages
>
> type=AVC msg=audit(1127900117.911:87647): avc: denied { search } for
> pid=31585 comm="postalias" name="/" dev=dm-2 ino=2
> scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:home_root_t
> tclass=dir
> type=SYSCALL msg=audit(1127900117.911:87647): arch=40000003 syscall=5 success=no
> exit=-13 a0=bfca3f60 a1=0 a2=0 a3=bfca2f54 items=1 pid=31585 auid=501 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postalias"
> exe="/usr/sbin/postalias"
> type=CWD msg=audit(1127900117.911:87647): cwd="/"
> type=PATH msg=audit(1127900117.911:87647): item=0 name="/home/mud/etc/aliases"
> flags=101 inode=2 dev=fd:02 mode=040755 ouid=0 ogid=0 rdev=00:00
>
> I have the following file permissions
>
> # ls -ldZ / /home /home/mud /home/mud/etc /home/mud/etc/aliases
> drwxr-xr-x root root system_u:object_r:root_t /
> drwxr-xr-x root root system_u:object_r:home_root_t /home
> drwxrwsr-x mud mud user_u:object_r:user_home_dir_t /home/mud
> drwxrwsr-x mud mud user_u:object_r:user_home_t /home/mud/etc
> -rw-rw-r-- mud mud system_u:object_r:etc_aliases_t /home/mud/etc/aliases
>
> The audit2allow command recommends the following
> # audit2allow -l -i audit.log
> allow postfix_master_t home_root_t:dir search;
> allow postfix_master_t unconfined_t:process signal;

You can try the 1.27.1-2.3 version, but I'm almost sure you will have to add some rules. You will need to install selinux-policy-targeted-sources and edit /etc/selinux/targeted/src/policy/domains/misc/local.te, and after that move to /etc/selinux/targeted/src/policy/domains/ and type make load.
The goal with SELinux is to protect the userspace from the system space, so allowing postfix to read users home directories is not something we want to do, or if we do allow it, it would need a boolean.
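The AVC lines quoted in this bug, the audit2allow output in comment #4, and the caution in the previous comment that access to home directories should sit behind a boolean can be worked through in one place. The script below is an added example, not part of the bug report or of the selinux-policy package: it parses AVC records the way audit2allow does (merging permissions per source domain, target type and object class), then splits the resulting allow rules into ones that can go straight into local.te and ones that touch user-data types, which it wraps in a boolean that is off by default. The sample log is constructed from the records in this bug, the set of "user data" types and the boolean name postfix_read_user_home are assumptions for the example, and the `bool ... false;` / `if (...) { }` shape is the old monolithic policy syntax that local.te used.

```python
import re
from collections import defaultdict

# Constructed sample, modeled on the AVC records quoted in this bug (not a real audit.log).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1127588266.774:19): avc: denied { read } for pid=2889 comm="pickup" name="CA.crt" dev=dm-0 ino=62304 scontext=system_u:system_r:postfix_pickup_t tcontext=system_u:object_r:cert_t tclass=file
type=AVC msg=audit(1127608153.973:1447): avc: denied { read } for pid=9680 comm="bounce" name="urandom" dev=tmpfs ino=1321 scontext=root:system_r:postfix_bounce_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file
type=AVC msg=audit(1127608152.949:1445): avc: denied { execute } for pid=9679 comm="local" name="procmail" dev=dm-3 ino=554658 scontext=root:system_r:postfix_local_t tcontext=system_u:object_r:bin_t tclass=file
type=AVC msg=audit(1127609280.973:1593): avc: denied { execute_no_trans } for pid=10764 comm="local" name="procmail" dev=dm-3 ino=554658 scontext=root:system_r:postfix_local_t tcontext=system_u:object_r:bin_t tclass=file
type=AVC msg=audit(1127900117.911:87647): avc: denied { search } for pid=31585 comm="postalias" name="/" dev=dm-2 ino=2 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1127900117.911:87647): arch=40000003 syscall=5 success=no exit=-13 comm="postalias" exe="/usr/sbin/postalias"
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for this example: target types holding user data, which a mail daemon
# should only be granted behind a boolean, never unconditionally.
USER_DATA_TYPES = {'home_root_t', 'user_home_dir_t', 'user_home_t'}
BOOLEAN_NAME = 'postfix_read_user_home'   # hypothetical boolean name, not from the real policy


def parse_avc(line):
    """Return the parts of one AVC denial needed for a rule, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    # A context is user:role:type[:range]; allow rules are written against the type.
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '?'),
        'name': fields.get('name', '?'),
        'sdomain': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def collect_rules(lines):
    """Merge denials into (source domain, target type, class) -> permission set, as audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            rules[(d['sdomain'], d['ttype'], d['tclass'])].update(d['perms'])
    return rules


def format_rule(key, perms):
    sdomain, ttype, tclass = key
    p = sorted(perms)
    body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
    return f'allow {sdomain} {ttype}:{tclass} {body};'


def review(lines):
    """Split merged rules into ones safe for local.te and ones that reach into user data."""
    accepted, flagged = [], []
    for key, perms in sorted(collect_rules(lines).items()):
        (flagged if key[1] in USER_DATA_TYPES else accepted).append(format_rule(key, perms))
    return accepted, flagged


def render_local_te(lines):
    """Emit a local.te fragment: plain rules first, user-data rules gated by a boolean that is off."""
    accepted, flagged = review(lines)
    out = list(accepted)
    if flagged:
        out.append(f'bool {BOOLEAN_NAME} false;')
        out.append(f'if ({BOOLEAN_NAME}) {{')
        out.extend('\t' + r for r in flagged)
        out.append('}')
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(render_local_te(SAMPLE_AUDIT_LOG.splitlines()))
```

Run against the constructed sample, the procmail `execute` and `execute_no_trans` denials collapse into one rule on bin_t, the cert_t and urandom_device_t reads come out as plain allow rules, and the `postfix_master_t home_root_t:dir search` rule from comment #4 is the only one placed inside the boolean block. Rules generated this way are still only a starting point: each one should be read against what the process was actually doing (here, postalias opening an aliases file under /home) before it is loaded with make load.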
I installed selinux-policy-targeted-1.27.1-2.3 on a Thinkpad that was running 1.25. I tried to restart postfix with service postfix restart three times and all of them reported [Failed]. In audit.log I found this:

type=AVC msg=audit(1127938138.969:57): avc: denied { signal } for pid=9283 comm="postfix-script" scontext=system_u:system_r:postfix_master_t tcontext=system_u:system_r:initrc_t tclass=process

I didn't touch the policy and rebooted the machine, and postfix started fine. My question is: do I always have to restart the machine after updating the selinux-policy? Thanks in advance.
No you should not need to reboot the machine. I am not sure what caused this problem.