messages getting logged:

2023-12-24T00:00:07.708598-05:00 mail setroubleshoot[9972]: SELinux is preventing smtpd from getattr access on the file /etc/my.cnf. For complete SELinux messages run: sealert -l 5d405514-2351-41a9-89ee-e44de33677f6
2023-12-24T00:00:07.747543-05:00 mail setroubleshoot[9972]: SELinux is preventing smtpd from getattr access on the file /etc/my.cnf.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that smtpd should be allowed getattr access on the my.cnf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'smtpd' --raw | audit2allow -M my-smtpd
# semodule -X 300 -i my-smtpd.pp

2023-12-24T00:00:07.809321-05:00 mail setroubleshoot[9972]: SELinux is preventing smtpd from search access on the directory /etc/my.cnf.d. For complete SELinux messages run: sealert -l f32c69a4-53dd-4513-8358-4228369f5563
2023-12-24T00:00:07.838495-05:00 mail setroubleshoot[9972]: SELinux is preventing smtpd from search access on the directory /etc/my.cnf.d.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that smtpd should be allowed search access on the my.cnf.d directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'smtpd' --raw | audit2allow -M my-smtpd
# semodule -X 300 -i my-smtpd.pp

The issue seems to be these two:

SELinux is preventing smtpd from getattr access on the file /etc/my.cnf
SELinux is preventing smtpd from search access on the directory /etc/my.cnf.d

I've had SELinux complain for years about denying smtpd getattr/read access on /etc/my.cnf. Recently (I'm not sure when it started) it now also complains about denying search on /etc/my.cnf.d. Postfix is configured to use MySQL and it works well; however, it is annoying to get this message logged over and over. I don't have anything in my.cnf or the directory, but if I did then smtpd would need access to those. I think the SELinux config for postfix should include access to these objects. My guess is it was overlooked. I can't find any known bugs open on this, so I'm opening this one.

Reproducible: Always

Steps to Reproduce:
1. Have a system with SELinux installed.
2. Install postfix and configure it to use MySQL/MariaDB for maps/auth/alias or other things of that nature.
3. This will get logged when smtpd processes email.

Actual Results:
SELinux is preventing smtpd from getattr access on the file /etc/my.cnf
SELinux is preventing smtpd from search access on the directory /etc/my.cnf.d

Expected Results:
smtpd should have read access to the MySQL/MariaDB config files, as it does use SQL.

Let me know if you need any additional info. This has been going on for years and I finally got around to filing a bug on it.
Reassigning to selinux.
Why is this not getting any traction? It is still an issue in FC40.
Unfortunately, there are data missing in the report, especially audit logs or journal. Can you try the following steps?

# cat local_postfix_mysql.cil
(allow postfix_smtpd_t mysqld_etc_t (dir (search)))
(allow postfix_smtpd_t mysqld_etc_t (file (getattr)))
# semodule -i local_postfix_mysql.cil
# setenforce 0
<reproduce, restart the service>
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent
# setenforce 1
I hope this helps. Sorry, but I did a reboot before the issue repeated and forgot the SELinux state reset.

root@mail # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
q_depth should be larger than 512 for safety margin
----
type=AVC msg=audit(07/11/2024 01:30:01.035:4609) : avc: denied { read } for pid=129400 comm=smtpd name=my.cnf dev="vda5" ino=67157645 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(07/11/2024 01:30:01.035:4610) : avc: denied { open } for pid=129400 comm=smtpd path=/etc/my.cnf dev="vda5" ino=67157645 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(07/11/2024 03:31:06.604:4667) : avc: denied { read } for pid=129674 comm=smtpd name=my.cnf dev="vda5" ino=67157645 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(07/11/2024 03:31:06.604:4668) : avc: denied { open } for pid=129674 comm=smtpd path=/etc/my.cnf dev="vda5" ino=67157645 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(07/11/2024 03:36:02.832:4673) : avc: denied { read } for pid=129713 comm=smtpd name=my.cnf dev="vda5" ino=67157645 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(07/11/2024 03:36:02.832:4674) : avc: denied { open } for pid=129713 comm=smtpd path=/etc/my.cnf dev="vda5" ino=67157645 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(07/11/2024 03:37:07.736:4679) : avc: denied { read } for pid=129713 comm=smtpd name=my.cnf dev="vda5" ino=67157645 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(07/11/2024 03:37:07.736:4680) : avc: denied { open } for pid=129713 comm=smtpd path=/etc/my.cnf dev="vda5" ino=67157645 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
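As an added example (not code from the bug report, the reporter, or the selinux-policy project), the POSIX shell function below does by hand what the `ausearch -c 'smtpd' --raw | audit2allow -M my-smtpd` step from the setroubleshoot message does: it reads AVC records, pulls the source type, target type, object class and denied permissions out of each, and emits CIL allow rules in the same form as the interim local_postfix_mysql.cil module in the earlier comment. Run over the records posted in this comment, it makes the gap visible: the permissive-mode AVCs ask for read and open on the file, which the interim module's getattr-only rule did not grant. The sample input is constructed from the posted records plus one dir-search record that stands in for the /etc/my.cnf.d denial reported by setroubleshoot (it does not appear in the posted ausearch output); the function name avc_to_cil is my own.

```shell
#!/bin/sh
# Added example: derive CIL allow rules from AVC records, roughly what
# audit2allow does, so denied permissions can be compared with a local module.

# Constructed sample input. The first three records copy the shape of the
# ausearch -i output in the report; the fourth (search on my.cnf.d, tclass=dir)
# is constructed from the setroubleshoot message and was not in that output.
AVC_SAMPLE='type=AVC msg=audit(07/11/2024 01:30:01.035:4609) : avc: denied { read } for pid=129400 comm=smtpd name=my.cnf dev="vda5" ino=67157645 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/11/2024 01:30:01.035:4610) : avc: denied { open } for pid=129400 comm=smtpd path=/etc/my.cnf dev="vda5" ino=67157645 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/11/2024 03:31:06.604:4667) : avc: denied { read } for pid=129674 comm=smtpd name=my.cnf dev="vda5" ino=67157645 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(07/11/2024 01:30:01.035:4608) : avc: denied { search } for pid=129400 comm=smtpd name=my.cnf.d scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=dir permissive=1'

# avc_to_cil: read AVC records on stdin and print one CIL allow rule per
# (source type, target type, object class), carrying the union of all
# permissions that were denied for that triple. Non-AVC records are ignored.
avc_to_cil() {
    awk '/avc: *denied/ {
        # the denied permissions sit between braces: "{ read }" or "{ read open }"
        if (!match($0, /[{][^}]*[}]/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            # a context is user:role:type:level; a TE rule only needs the type
            if (kv[1] == "scontext")      { split(kv[2], a, ":"); s = a[3] }
            else if (kv[1] == "tcontext") { split(kv[2], a, ":"); t = a[3] }
            else if (kv[1] == "tclass")   { c = kv[2] }
        }
        if (s == "" || t == "" || c == "") next
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print s, t, c, p[j]
    }' |
    LC_ALL=C sort -u |
    awk '
        function flush() { if (key != "") printf "(allow %s %s (%s (%s)))\n", s, t, c, perms }
        # sorted input keeps equal (s, t, c) triples adjacent, so group on change
        ($1 " " $2 " " $3) != key { flush(); key = $1 " " $2 " " $3; s = $1; t = $2; c = $3; perms = "" }
        { perms = perms (perms == "" ? "" : " ") $4 }
        END { flush() }
    '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | avc_to_cil
```

The rules this prints are what a local module would have to contain to silence the posted denials; in practice you would generate them with the `ausearch | audit2allow` pipeline from the setroubleshoot message, read every rule before `semodule -i`, and treat the module as a stop-gap until the distribution policy carries the fix, which is what the selinux-policy update later in this report is for.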
Thank you.
FEDORA-2024-f30b2bffdc (selinux-policy-40.24-1.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-f30b2bffdc
FEDORA-2024-f30b2bffdc has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-f30b2bffdc` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-f30b2bffdc See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-f30b2bffdc (selinux-policy-40.24-1.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.