Description of problem:
Using Postfix, Mailman and SELinux together, I am unable to get Postfix's smtpd process to read the Mailman aliases or aliases.db in /etc/mailman. The SELinux file type of aliases and aliases.db is mailman_data_t.

Version-Release number of selected component (if applicable):
libselinux-1.33.4-2.fc6
selinux-policy-2.4.6-46.fc6
libselinux-python-1.33.4-2.fc6
selinux-policy-targeted-2.4.6-46.fc6

How reproducible:
Every time.

Steps to Reproduce:
1. Have postfix set up to validate users using /etc/aliases and /etc/mailman/aliases
2. Receive an email
3. Watch audit.log

Actual results:
type=AVC msg=audit(1175458758.616:25054): avc: denied { search } for pid=27704 comm="smtpd" name="mailman" dev=sda2 ino=6424095 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
type=AVC msg=audit(1175458758.616:25054): avc: denied { read } for pid=27704 comm="smtpd" name="aliases.db" dev=sda2 ino=6424286 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:object_r:mailman_data_t:s0 tclass=file
type=AVC msg=audit(1175458758.616:25055): avc: denied { lock } for pid=27704 comm="smtpd" name="aliases.db" dev=sda2 ino=6424286 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:object_r:mailman_data_t:s0 tclass=file
type=AVC msg=audit(1175458781.810:25061): avc: denied { getattr } for pid=27704 comm="smtpd" name="aliases.db" dev=sda2 ino=6424286 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:object_r:mailman_data_t:s0 tclass=file

Expected results:
Perhaps a boolean (or some other method) should exist to allow Postfix AND Mailman to access these files:
postfix_access_mailman_aliases

Additional info:
I am currently running in permissive mode because of this (and two other things).
Fixed in selinux-policy-2.4.6-52.fc6
Thanks, Dan. When you say that it is fixed in the future policy, was this something that you guys were already working on, or did this bug report prompt you to take a look at it? I only ask because I searched quite a bit for a resolution to this prior to posting this bug report and couldn't find a solution.
The bug report prompted me to work on it. It is pretty difficult to anticipate all possible ways an app will run, so we rely on bug reports and mail lists to help fix SELinux problems. Thanks for submitting the bug report.
Is this something that is going to get pushed out to RHEL5 too? I ended up making a module using audit2allow:

postfixmailman.te:

module postfixmailman 1.0;

require {
        class dir { add_name remove_name search write };
        class file { create getattr lock read rename write };
        type mailman_data_t;
        type postfix_cleanup_t;
        type postfix_map_t;
        role system_r;
};

allow postfix_cleanup_t mailman_data_t:dir search;
allow postfix_map_t mailman_data_t:dir { add_name remove_name search write };
allow postfix_map_t mailman_data_t:file { create getattr lock read rename write };
Yes, almost all bug fixes for FC6 should show up in the u1 release. A preview is available on http://people.redhat.com/dwalsh/SELinux/RHEL5
Not sure if it is the same problem, but I am unable to update /etc/aliases.db in RHEL5 logged in as root with either "newaliases" or "postalias /etc/aliases". It gives the error:

postalias: fatal: open /etc/aliases.db: Permission denied

-rw-r----- 1 root smmsp 12K Oct 16 08:11 aliases.db
Did you try the u1 release?
We have all the latest updates installed from the default distro, which is the only one our host provides access to through their Red Hat licence.
Well, I believe this is fixed in the u1 update, which should be hitting the streets at any moment. If you would like to customize your policy to allow this, as root you can execute:

grep alias /var/log/audit/audit.log | audit2allow -M myalias
semodule -i myalias.pp
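To show what the audit2allow step in the comments above actually derives from the AVC records in the original report, here is an added example (not the reporter's module, not Dan's commands, and not audit2allow itself) that parses the denial lines, merges permissions per (source type, target type, class) triple and renders a .te module in the same shape as the postfixmailman.te above. The function names, the module name mailman_aliases_local and the trailing SYSCALL record are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed input: the four AVC records quoted in the original report, plus a
# SYSCALL record (constructed) to show that non-AVC audit lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1175458758.616:25054): avc: denied { search } for pid=27704 comm="smtpd" name="mailman" dev=sda2 ino=6424095 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
type=AVC msg=audit(1175458758.616:25054): avc: denied { read } for pid=27704 comm="smtpd" name="aliases.db" dev=sda2 ino=6424286 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:object_r:mailman_data_t:s0 tclass=file
type=AVC msg=audit(1175458758.616:25055): avc: denied { lock } for pid=27704 comm="smtpd" name="aliases.db" dev=sda2 ino=6424286 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:object_r:mailman_data_t:s0 tclass=file
type=AVC msg=audit(1175458781.810:25061): avc: denied { getattr } for pid=27704 comm="smtpd" name="aliases.db" dev=sda2 ino=6424286 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:object_r:mailman_data_t:s0 tclass=file
type=SYSCALL msg=audit(1175458781.810:25061): arch=c000003e syscall=2 success=no exit=-13 comm="smtpd"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)')

def merge_denials(log_text):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue                      # not an AVC denial record
        # A context is user:role:type[:level]; a policy rule only needs the type.
        src_type = m.group('src').split(':')[2]
        tgt_type = m.group('tgt').split(':')[2]
        merged[(src_type, tgt_type, m.group('cls'))] |= set(m.group('perms').split())
    return dict(merged)

def render_te_module(merged, name='mailman_aliases_local'):
    """Render a .te source with a require block and one allow rule per triple."""
    types = sorted({t for src, tgt, _ in merged for t in (src, tgt)})
    class_perms = defaultdict(set)        # every permission needed per object class
    for (_, _, cls), perms in merged.items():
        class_perms[cls] |= perms
    lines = [f'module {name} 1.0;', '', 'require {']
    for cls, perms in sorted(class_perms.items()):
        lines.append(f'\tclass {cls} {{ {" ".join(sorted(perms))} }};')
    lines += [f'\ttype {t};' for t in types] + ['};', '']
    for (src, tgt, cls), perms in sorted(merged.items()):
        plist = ' '.join(sorted(perms))
        perm_expr = plist if len(perms) == 1 else '{ ' + plist + ' }'
        lines.append(f'allow {src} {tgt}:{cls} {perm_expr};')
    return '\n'.join(lines) + '\n'

if __name__ == '__main__':
    print(render_te_module(merge_denials(SAMPLE_AUDIT_LOG)))
```

For the report's four records this yields one dir rule (search) and one file rule (getattr lock read) for postfix_smtpd_t on mailman_data_t, which is the permission set to compare against whatever a local module grants before loading it with semodule.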
Fedora apologizes that these issues have not been resolved yet. We're sorry it's taken so long for your bug to be properly triaged and acted on. We appreciate the time you took to report this issue and want to make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6, please note that Fedora no longer maintains these releases. We strongly encourage you to upgrade to a current Fedora release. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained and closing them. http://fedoraproject.org/wiki/LifeCycle/EOL

If this bug is still open against Fedora Core 1 through 6, thirty days from now, it will be closed 'WONTFIX'. If you can reproduce this bug in the latest Fedora version, please change to the respective version. If you are unable to do this, please add a comment to this bug requesting the change.

Thanks for your help, and we apologize again that we haven't handled these issues to this point. The process we are following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again. And if you'd like to join the bug triage team to help make things better, check out http://fedoraproject.org/wiki/BugZappers