Bug 215899 - SELinux is preventing /usr/sbin/postmap (postfix_map_t) "search" to nscd (nscd_var_run_t).
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2006-11-16 09:54 UTC by Matěj Cepl
Modified: 2018-04-11 08:09 UTC (History)

Fixed In Version: Current
Last Closed: 2007-08-22 14:13:59 UTC
Type: ---

Description Matěj Cepl 2006-11-16 09:54:18 UTC
Description of problem:


Version-Release number of selected component (if applicable):
When running postmap on /etc/postfix/transport I get this SELinux denial:

avc: denied { search } for comm='"postmap"' dev='dm-1' egid='0' euid='0'
exe='"/usr/sbin/postmap"' exit='-13' fsgid='0' fsuid='0' gid='0' items='0'
name='"nscd"' pid='10332' scontext=user_u:system_r:postfix_map_t:s0 sgid='0'
subj='user_u:system_r:postfix_map_t:s0' suid='0' tclass='dir'
tcontext=system_u:object_r:nscd_var_run_t:s0 tty='(none)' uid='0' 

How reproducible:
100%

Steps to Reproduce:
1. change /etc/postfix/transport
2. run this Makefile

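# Build each Postfix lookup table from its source map (recipe lines start with a tab)
%.db : %
	postmap $<

DBASES = sasl_passwd.db sender_canonical.db tls_servers.db transport.db virtual.db

# Default goal: rebuild stale tables, then reload and check Postfix
all: $(DBASES)
	postfix reload
	postfix check

# Remove the generated tables
clean:
	rm $(DBASES)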

3. setroubleshoot balloon will pop up
  
Actual results:
.db file is created, but SELinux denial is reported as well (I am not sure what
exact consequences it has for the usability of postfix when the .db file is really
created).

Expected results:
There should be no SELinux issue

Additional info:

Comment 1 Matěj Cepl 2006-11-16 09:57:40 UTC
Moreover, the content of .db file seems to be correct:

Python 2.4.4 (#1, Oct 23 2006, 13:58:00) 
[GCC 4.1.1 20061011 (Red Hat 4.1.1-30)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import anydbm
>>> d=anydbm.open("transport.db","r")
>>> d
{'redhat.com\x00': 'smtp:[pobox.stuttgart.redhat.com]\x00', '.vysocina\x00':
':\x00', '*\x00': 'smtp:[smtp.seznam.cz:995]\x00', 'localhost\x00': ':\x00'}
>>>

Comment 2 Daniel Walsh 2006-11-17 19:19:59 UTC
Fixed in selinux-policy-2.4.5-1

Comment 3 Daniel Walsh 2007-08-22 14:13:59 UTC
Fixed in current release
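
Added example, not part of the original bug report and not the policy change that went into selinux-policy-2.4.5-1 (the page does not show that change): a small parser for the setroubleshoot-style AVC record in the description, which pulls out the source type, target type, class and permission and formats the candidate type-enforcement rule in the form audit2allow prints. The function names are assumptions of this example; whether such a rule should be `allow` or `dontaudit` is a policy review decision.

```python
import re

# AVC record copied from the bug description, joined onto one line.
SAMPLE_AVC = (
    "avc: denied { search } for comm='\"postmap\"' dev='dm-1' egid='0' euid='0' "
    "exe='\"/usr/sbin/postmap\"' exit='-13' fsgid='0' fsuid='0' gid='0' items='0' "
    "name='\"nscd\"' pid='10332' scontext=user_u:system_r:postfix_map_t:s0 sgid='0' "
    "subj='user_u:system_r:postfix_map_t:s0' suid='0' tclass='dir' "
    "tcontext=system_u:object_r:nscd_var_run_t:s0 tty='(none)' uid='0'"
)

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
# Values are either single-quoted (possibly wrapping double quotes) or bare.
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\S+)")

def context_type(context):
    """Return the type field of user:role:type[:level]; the level may contain ':'."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % context)
    return parts[2]

def parse_avc(record):
    """Extract the fields of a denial that matter for a type-enforcement rule."""
    match = PERMS_RE.search(record)
    if match is None:
        raise ValueError("not an AVC denial")
    fields = {k: v.strip("'\"") for k, v in FIELD_RE.findall(record)}
    missing = [k for k in ("scontext", "tcontext", "tclass") if k not in fields]
    if missing:
        raise ValueError("AVC record lacks %s" % ", ".join(missing))
    return {
        "perms": match.group(1).split(),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "name": fields.get("name"),
    }

def te_rule(denial, verb="allow"):
    """Format the candidate rule; verb is 'allow' or 'dontaudit'."""
    perms = denial["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "%s %s %s:%s %s;" % (verb, denial["source_type"],
                                denial["target_type"], denial["tclass"], perm_text)

if __name__ == "__main__":
    print(te_rule(parse_avc(SAMPLE_AVC)))
```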

