Bug 221347 - SELinux is preventing /usr/libexec/postfix/smtpd (postfix_smtpd_t) "getattr" to /boot (boot_t).
SELinux is preventing /usr/libexec/postfix/smtpd (postfix_smtpd_t) "getattr" ...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
10
All Linux
medium Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
: Reopened, SELinux
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-01-03 18:09 EST by Matěj Cepl
Modified: 2009-11-18 04:31 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-11-18 04:31:00 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
export from setroubleshootd (2.16 KB, text/plain)
2007-01-03 18:09 EST, Matěj Cepl
no flags Details
/var/log/audit/audit.log (1.77 MB, text/plain)
2008-11-24 16:16 EST, Matěj Cepl
no flags Details

  None (edit)
Description Matěj Cepl 2007-01-03 18:09:26 EST
Description of problem:
see attached report from setroubleshootd. When trying to send testing message
from freshly installed thunderbird to sendmail on localhost via SMTP to port 25
I got AVC denial. I have no idea, why postfix should want to write to /boot and
moreover, postfix works flawlessly with evolution on the same computer (albeit
in "/usr/sbin/sendmail" mode, not via SMTP).

Version-Release number of selected component (if applicable):
postfix-2.3.3-2
selinux-policy-targeted-2.4.6-13.fc6
libselinux-1.33.2-3.fc6
selinux-policy-2.4.6-13.fc6

How reproducible:
100% (tried twice so far)

Steps to Reproduce:
1.set up thunderbird to send emails to local postfix (SMTP port 25)
2.send email
3.
  
Actual results:
email seems to be sent, but AVC denial happens

Expected results:
no fuss about sending email

Additional info:
Comment 1 Matěj Cepl 2007-01-03 18:09:26 EST
Created attachment 144750 [details]
export from setroubleshootd
Comment 2 Matěj Cepl 2007-01-12 08:27:11 EST
With updated system, I am not able to reproduce this again. Sorry for bothering.
Comment 3 Mark Knoop 2007-01-15 14:15:38 EST
This is a duplicate of bug 215722. I am still experiencing this bug - see my
comments there.
Comment 4 Matěj Cepl 2007-01-16 06:09:23 EST
Actually, I was mistaken, this bug still alive and kicking (on Fedora, RHEL
seems to be OK so far), but instead of /boot problems are in different
directories. Exactly, what bug 215722 describes.

*** This bug has been marked as a duplicate of 215722 ***
Comment 5 Matěj Cepl 2008-11-24 16:08:25 EST
I am sorry, but I have to reopen this beauty. Using freshly upgraded F10 to F10-updates and switching the principal user of this computer to staff_u (I don't any of this should be relevant, but just to be complete) and I get this on the restart of the computer:


Souhrn:

SELinux is preventing smtpd (postfix_smtpd_t) "getattr" to /boot (boot_t).

Podrobný popis:

SELinux denied access requested by smtpd. It is not expected that this access is
required by smtpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /boot,

restorecon -v '/boot'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                system_u:system_r:postfix_smtpd_t
Kontext cíle                 system_u:object_r:boot_t
Objekty cíle                 /boot [ dir ]
Zdroj                         smtpd
Cesta zdroje                  /usr/libexec/postfix/smtpd
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          postfix-2.5.5-2.fc10
RPM balíčky cíle           filesystem-2.4.19-1.fc10
RPM politiky                  selinux-policy-3.5.13-20.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov
                              18 20:12:41 EST 2008 i686 i686
Počet upozornění           3
Poprvé viděno               Po 24. listopad 2008, 21:53:09 CET
Naposledy viděno             Po 24. listopad 2008, 21:58:21 CET
Místní ID                   6c8d8e04-6693-4e0e-9536-2042dd81de28
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1227560301.613:27): avc:  denied  { getattr } for  pid=3593 comm="smtpd" path="/boot" dev=sda1 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir

node=viklef type=SYSCALL msg=audit(1227560301.613:27): arch=40000003 syscall=195 success=no exit=-13 a0=bfcd9376 a1=bfcd976c a2=81eff4 a3=bfcd937c items=0 ppid=2569 pid=3593 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)

===========================================================
and yet another one:


Souhrn:

SELinux is preventing smtpd (postfix_smtpd_t) "getattr" to /home (home_root_t).

Podrobný popis:

SELinux denied access requested by smtpd. It is not expected that this access is
required by smtpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /home,

restorecon -v '/home'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                system_u:system_r:postfix_smtpd_t
Kontext cíle                 system_u:object_r:home_root_t
Objekty cíle                 /home [ dir ]
Zdroj                         smtpd
Cesta zdroje                  /usr/libexec/postfix/smtpd
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          postfix-2.5.5-2.fc10
RPM balíčky cíle           filesystem-2.4.19-1.fc10
RPM politiky                  selinux-policy-3.5.13-20.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov
                              18 20:12:41 EST 2008 i686 i686
Počet upozornění           3
Poprvé viděno               Po 24. listopad 2008, 21:53:09 CET
Naposledy viděno             Po 24. listopad 2008, 21:58:21 CET
Místní ID                   a314cba1-c555-4072-8d06-5157e7b5f370
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1227560301.613:28): avc:  denied  { getattr } for  pid=3593 comm="smtpd" path="/home" dev=dm-5 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

node=viklef type=SYSCALL msg=audit(1227560301.613:28): arch=40000003 syscall=195 success=no exit=-13 a0=bfcd937d a1=bfcd976c a2=81eff4 a3=bfcd9383 items=0 ppid=2569 pid=3593 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)

===========================================================

If we are talking about the same bug, then I think you need to know also the list of my partitions

[matej@viklef ~]$ mount
/dev/mapper/vg00-lvRoot on / type ext4 (rw)
/proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
/dev/mapper/home on /home type ext3 (rw)
tmpfs on /tmp type tmpfs (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
gvfs-fuse-daemon on /home/matej/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=matej)
[matej@viklef ~]$
Comment 6 Matěj Cepl 2008-11-24 16:10:20 EST
And yes, comment 3 is probably right -- there is more information available in the bug 215722 including some of my attempts to understand what's going and interview with folks on #postfix IRC channel.
Comment 7 Matěj Cepl 2008-11-24 16:16:07 EST
Created attachment 324539 [details]
/var/log/audit/audit.log

Some explanation of what's going on is IMHO in attachment 154182 [details].
Comment 8 Matěj Cepl 2008-11-24 16:53:32 EST
Testing this module:

policy_module(mypostfix, 1.1)
require{ type postfix_smtpd_t;}
fs_getattr_all_dirs(postfix_smtpd_t)

and let's see what happens.
Comment 9 Matěj Cepl 2008-11-24 18:55:30 EST
Still generating AVC denials like this:


Souhrn:

SELinux is preventing smtpd (postfix_smtpd_t) "getattr" to /home (home_root_t).

Podrobný popis:

SELinux denied access requested by smtpd. It is not expected that this access is
required by smtpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /home,

restorecon -v '/home'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                system_u:system_r:postfix_smtpd_t
Kontext cíle                 system_u:object_r:home_root_t
Objekty cíle                 /home [ dir ]
Zdroj                         smtpd
Cesta zdroje                  /usr/libexec/postfix/smtpd
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          postfix-2.5.5-2.fc10
RPM balíčky cíle           filesystem-2.4.19-1.fc10
RPM politiky                  selinux-policy-3.5.13-20.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov
                              18 20:12:41 EST 2008 i686 i686
Počet upozornění           4
Poprvé viděno               Po 24. listopad 2008, 23:23:38 CET
Naposledy viděno             Po 24. listopad 2008, 23:23:41 CET
Místní ID                   67fc43ed-cb35-4fde-8fc5-92770cd197c9
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1227565421.734:212): avc:  denied  { getattr } for  pid=5564 comm="smtpd" path="/home" dev=dm-5 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

node=viklef type=SYSCALL msg=audit(1227565421.734:212): arch=40000003 syscall=195 success=no exit=-13 a0=bfd07bad a1=bfd07f9c a2=81eff4 a3=bfd07bb3 items=0 ppid=2569 pid=5564 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
Comment 10 Matěj Cepl 2008-11-24 18:58:37 EST
Trying to add

fs_getattr_all_fs(postfix_smtpd_t)

to the module and let's see what happens.
Comment 11 Matěj Cepl 2008-11-24 19:46:21 EST
In hopeless attempt to avoid AVC denials throwing output of audit2allow to the mix as well:

policy_module(mypostfix, 1.3)
require{
	type postfix_smtpd_t;
	type boot_t;
	type home_root_t;
	class dir getattr;
}
fs_getattr_all_dirs(postfix_smtpd_t)
fs_getattr_all_fs(postfix_smtpd_t)

allow postfix_smtpd_t boot_t:dir getattr;
allow postfix_smtpd_t home_root_t:dir getattr;
Comment 12 Matěj Cepl 2008-11-24 19:47:10 EST
and now it seems to be gone
Comment 13 Daniel Walsh 2008-11-25 08:38:47 EST
Fixed in selinux-policy-3.5.13-25.fc10
Comment 14 Bug Zapper 2008-11-25 20:52:10 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 15 Matěj Cepl 2008-11-26 08:30:27 EST
When I remove my module and upgrade selinux-policy to selinux-policy-targeted-3.5.13-26.fc10.noarch AVC denials are back.
Comment 16 Daniel Walsh 2008-11-27 06:34:32 EST
Please attach the current avc messages.
Comment 17 brianchad@westnet.com.au 2009-03-01 20:41:20 EST
Hi,

This is happening after the last round of F10 updates involving postfix.

postfix-2.5.6-1.fc10.i386.rpm

selinux-policy-targeted-3.5.13-45.fc10.noarch.rpm


Summary:

SELinux is preventing smtpd (postfix_smtpd_t) "getattr" to /boot (boot_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by smtpd. It is not expected that this access is
required by smtpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /boot,

restorecon -v '/boot'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:postfix_smtpd_t:s0
Target Context                system_u:object_r:boot_t:s0
Target Objects                /boot [ dir ]
Source                        smtpd
Source Path                   /usr/libexec/postfix/smtpd
Port                          <Unknown>
Host                          admin.brianac.com.au
Source RPM Packages           postfix-2.5.6-1.fc10
Target RPM Packages           filesystem-2.4.19-1.fc10
Policy RPM                    selinux-policy-3.5.13-45.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     admin.brianac.com.au
Platform                      Linux admin.brianac.com.au
                             2.6.27.15-170.2.24.fc10.i686.PAE #1 SMP Wed Feb 11
                             23:35:37 EST 2009 i686 athlon
Alert Count                   294
First Seen                    Thu 26 Feb 2009 20:46:08 EST
Last Seen                     Mon 02 Mar 2009 10:46:05 EST
Local ID                      cbf2bcef-ae64-4d65-bd35-e8226a7d35a1
Line Numbers                
Raw Audit Messages          
node=admin.brianac.com.au type=AVC msg=audit(1235954765.372:3918): avc:  denied  { getattr } for  pid=11567 comm="smtpd" path="/boot" dev=sda2 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir

node=admin.brianac.com.au type=SYSCALL msg=audit(1235954765.372:3918): arch=40000003 syscall=195 success=yes exit=0 a0=bfe00176 a1=bfe0056c a2=811ff4 a3=bfe0017c items=0 ppid=2421 pid=11567 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
Comment 18 Daniel Walsh 2009-03-02 12:08:03 EST
Miroslav, add

	files_search_all_mountpoints(postfix_$1_t)

to

postfix_domain_template

In postfix.if

Looks like postfix wants to search all the directories that are mounted on.
Comment 19 Miroslav Grepl 2009-03-06 08:11:12 EST
Fixed in selinux-policy-3.5.13-48.fc10
Comment 20 Dave Oksner 2009-03-09 15:55:52 EDT
Is this also going to be fixed in EL5?  I'm seeing what appears to be the same problem with selinux-policy-2.4.6-203.el5
Comment 21 Daniel Walsh 2009-03-09 17:44:26 EDT
Check out 5.4 preview policy on 

http://people.redhat.com/dwalsh/SELinux/RHEL5

It should be in there.
Comment 22 Dave Oksner 2009-03-09 19:15:39 EDT
Thank you; that appears to have cleared up my problem.  This being the second time you've had the fix in that directory, perhaps I'll try to remember to check there, first.  ;-)
Comment 23 Daniel Walsh 2009-03-10 09:28:21 EDT
If we see a problem in Fedora that will effect RHEL5 we will back port the fix and put it into the next RHEL Update release.
Comment 24 Bug Zapper 2009-11-18 03:10:23 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Note You need to log in before you can comment on or make changes to this bug.