Bug 234773 - SELinux - allow Postfix smtpd access to Mailman aliases
SELinux - allow Postfix smtpd access to Mailman aliases
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
6
All Linux
medium Severity high
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
bzcl34nup
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-04-01 16:30 EDT by Anthony Messina
Modified: 2008-04-07 22:21 EDT (History)
2 users (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-04-07 22:21:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Anthony Messina 2007-04-01 16:30:50 EDT
Description of problem:
Using Postfix, Mailman and SELinux together, I am unable to get Postfix's smtpd
process to read the Mailman aliases or aliases.db in /etc/mailman.

The selinux file type of aliases and aliases.db is mailman_data_t.

Version-Release number of selected component (if applicable):
libselinux-1.33.4-2.fc6
selinux-policy-2.4.6-46.fc6
libselinux-python-1.33.4-2.fc6
selinux-policy-targeted-2.4.6-46.fc6


How reproducible:
Every time.

Steps to Reproduce:
1. Have postfix set up to validate users using /etc/aliases and /etc/mailman/aliases
2. Receive and email
3. Watch audit.log
  
Actual results:
type=AVC msg=audit(1175458758.616:25054): avc:  denied  { search } for 
pid=27704 comm="smtpd" name="mailman" dev=sda2 ino=6424095
scontext=root:system_r:postfix_smtpd_t:s0
tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
type=AVC msg=audit(1175458758.616:25054): avc:  denied  { read } for  pid=27704
comm="smtpd" name="aliases.db" dev=sda2 ino=6424286
scontext=root:system_r:postfix_smtpd_t:s0
tcontext=root:object_r:mailman_data_t:s0 tclass=file
type=AVC msg=audit(1175458758.616:25055): avc:  denied  { lock } for  pid=27704
comm="smtpd" name="aliases.db" dev=sda2 ino=6424286
scontext=root:system_r:postfix_smtpd_t:s0
tcontext=root:object_r:mailman_data_t:s0 tclass=file
type=AVC msg=audit(1175458781.810:25061): avc:  denied  { getattr } for 
pid=27704 comm="smtpd" name="aliases.db" dev=sda2 ino=6424286
scontext=root:system_r:postfix_smtpd_t:s0
tcontext=root:object_r:mailman_data_t:s0 tclass=file


Expected results:
Perhaps a boolean (or some other method) should exist to allow Postfix AND
Mailman to access these files.  postfix_access_mailman_aliases

Additional info:
I am currently running in permissive mode becausse of this (and two other things).
Comment 1 Daniel Walsh 2007-04-05 13:49:41 EDT
Fixed in selinux-policy-2.4.6-52.fc6
Comment 2 Anthony Messina 2007-04-05 14:33:47 EDT
Thanks, Dan.  When you say that it is fixed in the future policy, was this
something that you guys were already working on, or did this bug report prompt
you to take a look at it?  I only ask becasue I searched quite a bit for a
resolution to this prior to posting this bug report and couldn't find a solution.
Comment 3 Daniel Walsh 2007-04-09 10:48:53 EDT
The bug report promted me to work on it.  It is pretty difficult to anticipate
all possible ways an app will run, so we rely on bugreports and mail lists to
help fix selinux problems.  THanks for submitting the bug report.
Comment 4 John Villalovos 2007-05-23 01:45:53 EDT
Is this something that is going to get pushed out the RHEL5 too?

I ended up making a module using audit2allow

postfixmailman.te:
module postfixmailman 1.0;

require {
        class dir { add_name remove_name search write };
        class file { create getattr lock read rename write };
        type mailman_data_t;
        type postfix_cleanup_t;
        type postfix_map_t;
        role system_r;
};

allow postfix_cleanup_t mailman_data_t:dir search;
allow postfix_map_t mailman_data_t:dir { add_name remove_name search write };
allow postfix_map_t mailman_data_t:file { create getattr lock read rename write };
Comment 5 Daniel Walsh 2007-05-23 13:15:01 EDT
Yes all most bug fixes for FC6 should show up in the u1 release.

Preview is available on 

http://people.redhat.com/dwalsh/SELinux/RHEL5
Comment 6 F 2007-10-16 09:58:06 EDT
Not sure if it is the same problem, but I am unable to update /etc/aliases.db 
in RHEL5 logged in as root with neither "newaliases" 
or "postalias /etc/aliases". It gives the error:
postalias: fatal: open /etc/aliases.db: Permission denied

-rw-r-----  1 root  smmsp  12K Oct 16 08:11 aliases.db
Comment 7 Daniel Walsh 2007-10-17 00:21:37 EDT
Did you try the u1 release?
Comment 8 F 2007-10-17 10:02:46 EDT
We have all the latest updates installed from the default distro which is the 
only one our host provides access through their redhat licence.
Comment 9 Daniel Walsh 2007-10-17 13:39:45 EDT
Well I believe this is fixed in the u1 update which should be hitting the
streates at any moment.

If you would like to customize your policy to allow this as root you can execute


grep alias /var/log/audit/audit.log | audit2allow -M myalias
semodule -i myalias.pp
Comment 10 Bug Zapper 2008-04-04 02:44:12 EDT
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.
http://fedoraproject.org/wiki/LifeCycle/EOL

If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reporduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
the change.

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we are following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers

Note You need to log in before you can comment on or make changes to this bug.