Bug 195018 - domain_auto_trans(postfix_pipe_t,...) doesn't work as it should(?)
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
i386 Linux
medium Severity medium
Assigned To: Daniel Walsh
Reported: 2006-06-14 09:43 EDT by QingLong
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2006-06-15 10:58:18 EDT
Description QingLong 2006-06-14 09:43:15 EDT
Description of problem:
I have avc denials in audit log about postfix_pipe_t trying to use
execute_no_trans to execute my shell script (labeled to custom se domain),
while I do have proper domain_auto_trans(postfix_pipe_t,...) for it.

Version-Release number of selected component (if applicable):

How reproducible:
For my installation it is 100% reproducible.

Steps to Reproduce:
1. Create custom module (mine is ql_spamassassin) with:
      type ql_spamassassin_client_exec_t;
      type ql_spamassassin_client_t;
2. Label a shell script in /usr/local/sbin/ as ql_spamassassin_client_exec_t.
3. Create pipe-based transport in /etc/postfix/master.cf that uses that script.
4. Send an email so that it would go through that pipe transport.

Actual results:
Postfix pipe tries to execute the script with `execute_no_trans' rather than
`execute' with further automatic domain transition and hence fails:
type=AVC msg=audit(1150291179.693:6367): avc:  denied  { execute_no_trans }
for  pid=21379 comm="pipe" name="PostFix.mail.SpamAssassin.spamfilter.sh" dev=md9
ino=56842 scontext=root:system_r:postfix_pipe_t:s0
tcontext=system_u:object_r:ql_spamassassin_client_exec_t:s0 tclass=file

Expected results:
SELinux should allow postfix_pipe_t to execute the ql_spamassassin_client_exec_t
labeled script with automatic process domain transition to ql_spamassassin_client_t.

Additional info:
I have tried to ask about it on fedora-selinux-list@redhat.com,
but got no answer, so I guess this is a bug rather than a feature.
Comment 1 Daniel Walsh 2006-06-15 10:58:18 EDT
Try using audit2why on the avc message. I believe you are missing a role transition:

role system_r types ql_spamassassin_client_t;
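
A small check for the situation in this thread, added here as an example (it is not part of either comment or of any SELinux tool): it parses the AVC record from the description and reports whether a module source contains the domain_auto_trans() call for that source/entry pair and the role statement suggested in Comment 1. MODULE_TE is constructed, and the macro's arguments are an assumption because the report elides them.

```python
import re

# AVC record from the bug description, re-joined onto one line.
AVC = ('type=AVC msg=audit(1150291179.693:6367): avc:  denied  { execute_no_trans } '
       'for  pid=21379 comm="pipe" name="PostFix.mail.SpamAssassin.spamfilter.sh" '
       'dev=md9 ino=56842 scontext=root:system_r:postfix_pipe_t:s0 '
       'tcontext=system_u:object_r:ql_spamassassin_client_exec_t:s0 tclass=file')

# Constructed module source: the reporter's two types and the transition macro
# (arguments assumed), without the role statement from Comment 1.
MODULE_TE = """
type ql_spamassassin_client_exec_t;
type ql_spamassassin_client_t;
domain_auto_trans(postfix_pipe_t, ql_spamassassin_client_exec_t, ql_spamassassin_client_t)
"""

def parse_avc(line):
    """Return the denied permissions, object class and user/role/type of both contexts."""
    denied = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    tclass = re.search(r'\btclass=(\S+)', line)
    if not (denied and tclass):
        raise ValueError("not an AVC denial record")
    rec = {"perms": denied.group(1).split(), "tclass": tclass.group(1)}
    for key in ("scontext", "tcontext"):
        ctx = re.search(r'\b%s=(\S+)' % key, line)
        if not ctx or ctx.group(1).count(":") < 2:
            raise ValueError("missing or malformed " + key)
        rec[key] = dict(zip(("user", "role", "type"), ctx.group(1).split(":")))
    return rec

def missing_statements(avc_line, te_source):
    """List the policy statements te_source lacks for the denied exec to transition."""
    rec = parse_avc(avc_line)
    if rec["tclass"] != "file" or "execute_no_trans" not in rec["perms"]:
        return []  # only this one denial pattern is handled
    src, entry = rec["scontext"]["type"], rec["tcontext"]["type"]
    role = rec["scontext"]["role"]
    te = re.sub(r'#.*', '', te_source)  # drop policy comments
    trans = re.search(r'domain_auto_trans\(\s*%s\s*,\s*%s\s*,\s*(\w+)\s*\)'
                      % (re.escape(src), re.escape(entry)), te)
    if not trans:
        return ["domain_auto_trans(%s, %s, <target domain>)" % (src, entry)]
    target = trans.group(1)
    # A type transition keeps the caller's role, so that role must list the new type.
    for types in re.findall(r'\brole\s+%s\s+types\s+([^;]+);' % re.escape(role), te):
        if target in types.replace("{", " ").replace("}", " ").split():
            return []
    return ["role %s types %s;" % (role, target)]
```

An empty list means both statements are present in the source text; it does not show that the module was compiled and loaded.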

Comment 2 Daniel Walsh 2006-06-15 17:16:57 EDT
BTW, bring this up for discussion on Fedora-SELinux-List
