Description of problem:
I have AVC denials in the audit log about postfix_pipe_t trying to use execute_no_trans to execute my shell script (labeled with a custom SE domain), while I do have a proper domain_auto_trans(postfix_pipe_t,...) for it.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.43-4.fc5

How reproducible:
For my installation it is 100% reproducible.

Steps to Reproduce:
1. Create custom module (mine is ql_spamassassin) with:

    # module header and require block needed for the .te to build
    policy_module(ql_spamassassin, 1.0)

    require {
        type postfix_pipe_t;
    }

    type ql_spamassassin_client_exec_t;
    files_type(ql_spamassassin_client_exec_t)

    type ql_spamassassin_client_t;
    domain_type(ql_spamassassin_client_t)
    domain_entry_file(ql_spamassassin_client_t,ql_spamassassin_client_exec_t)

    domain_auto_trans(postfix_pipe_t,ql_spamassassin_client_exec_t,ql_spamassassin_client_t)

2. Label a shell script in /usr/local/sbin/ as ql_spamassassin_client_exec_t.
3. Create a pipe-based transport in /etc/postfix/master.cf that uses that script.
4. Send an email so that it goes through that pipe transport.

Actual results:
Postfix pipe tries to execute the script with `execute_no_trans' rather than `execute' with further automatic domain transition and hence fails:

    type=AVC msg=audit(1150291179.693:6367): avc: denied { execute_no_trans } for pid=21379 comm="pipe" name="PostFix.mail.SpamAssassin.spamfilter.sh" dev=md9 ino=56842 scontext=root:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:ql_spamassassin_client_exec_t:s0 tclass=file

Expected results:
SELinux should allow postfix_pipe_t to execute the ql_spamassassin_client_exec_t-labeled script with automatic process domain transition to ql_spamassassin_client_t.

Additional info:
I have tried to ask about it on fedora-selinux-list but got no answer, so I guess this is a bug rather than a feature.
Try using audit2why on the AVC message. I believe you are missing a role transition:

    role system_r types ql_spamassassin_client_t;
BTW, bring this up for discussion on Fedora-SELinux-List
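As an added example (not part of this bug report, and not code from the Fedora policy or audit2why), the check the reply above asks for, reduced to what this report shows: parse the AVC record, and for an execute_no_trans denial on a file whose type ends in _exec_t emit both the domain_auto_trans rule from the report and the role authorization the reply names. The role is taken from the scontext of the denied process, since the domain transition does not change the role, so the new domain must be listed under that same role. The second log line, the foo_exec_t to foo_t naming guess, and all function names are constructed here as assumptions for illustration.

```python
import re

# Constructed sample audit records (example data, not taken from a live system).
# The first line is the denial quoted in the bug report; the second is an invented
# read denial used only to show that the suggester ignores non-transition denials.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1150291179.693:6367): avc: denied { execute_no_trans } '
    'for pid=21379 comm="pipe" name="PostFix.mail.SpamAssassin.spamfilter.sh" '
    'dev=md9 ino=56842 scontext=root:system_r:postfix_pipe_t:s0 '
    'tcontext=system_u:object_r:ql_spamassassin_client_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1150291200.001:6368): avc: denied { read } '
    'for pid=21380 comm="spamfilter.sh" name="local.cf" dev=md9 ino=4242 '
    'scontext=root:system_r:ql_spamassassin_client_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

# "avc: denied { perm [perm ...] } for key=value ..." as written by the kernel AVC
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; a value is either a quoted string or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not one.

    A security context is user:role:type[:range]; the role and type of both
    scontext and tcontext are split out because the transition check needs them.
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    for key in ('scontext', 'tcontext'):
        if key not in rec:
            return None
        parts = rec[key].split(':')
        if len(parts) < 3:
            return None
        rec[key + '_role'], rec[key + '_type'] = parts[1], parts[2]
    return rec


def suggest_transition_fix(rec, domain=None):
    """Return the policy lines a domain transition needs, or None if not applicable.

    Applies to execute_no_trans denials on a file whose type ends in _exec_t:
    the source domain needs domain_auto_trans into the new domain, and the new
    domain must be authorized for the role the source process already runs in,
    because the role is carried across the transition unchanged.  When `domain`
    is not given, the foo_exec_t -> foo_t naming convention is assumed; that is
    a guess about the caller's policy, not something SELinux itself requires.
    """
    if rec is None or 'execute_no_trans' not in rec['perms'] or rec.get('tclass') != 'file':
        return None
    exec_type = rec['tcontext_type']
    if not exec_type.endswith('_exec_t'):
        return None
    if domain is None:
        domain = exec_type[:-len('_exec_t')] + '_t'
    source = rec['scontext_type']
    role = rec['scontext_role']
    return [
        'domain_auto_trans(%s,%s,%s)' % (source, exec_type, domain),
        'role %s types %s;' % (role, domain),
    ]


def triage(lines):
    """Map each denial line that needs a transition fix to its suggested policy lines."""
    out = {}
    for line in lines:
        fix = suggest_transition_fix(parse_avc(line))
        if fix:
            out[line] = fix
    return out


if __name__ == '__main__':
    for line, fix in triage(SAMPLE_AVCS).items():
        print(line)
        print('\n'.join('    ' + f for f in fix))
```

Run on the report's own denial, the script prints the domain_auto_trans line the reporter already has and the role line the reply says is missing; the point of keeping the role check separate from the transition rule is that a module can carry the transition and still fail exactly as reported when the target domain is not authorized for system_r. The read denial in the second sample produces no suggestion, since it is not a transition problem.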