Bug 239951 - SELinux is preventing /usr/sbin/postdrop (postfix_postdrop_t) "getattr" to pipe:[11149] (fsdaemon_t).
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2007-05-13 05:42 EDT by Kim Bisgaard
Modified: 2007-11-30 17:12 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-09-12 13:08:22 EDT
Description Kim Bisgaard 2007-05-13 05:42:39 EDT
Version-Release number of selected component (if applicable):
selinux-policy-2.6.1-1.fc7
postfix-2.3.6-1

Actual results:
Source Context:  system_u:system_r:postfix_postdrop_t
Target Context:  system_u:system_r:fsdaemon_t
Target Objects:  pipe:[11149] [ fifo_file ]
Affected RPM Packages:  postfix-2.3.6-1 [application]
Policy RPM:  selinux-policy-2.6.1-1.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall
Host Name:  kim.alleroedderne.adsl.dk
Platform:  Linux kim.alleroedderne.adsl.dk 2.6.21-1.3116.fc7 #1 SMP Thu Apr 26 10:36:44 EDT 2007 i686 athlon
Alert Count:  1
First Seen:  søn 13 maj 2007 09:57:49 CEST
Last Seen:  søn 13 maj 2007 09:57:49 CEST
Local ID:  32a24f82-cc8a-4219-8dbe-288a80be2e33
Line Numbers:
Raw Audit Messages:
avc: denied { getattr } for comm="postdrop" dev=pipefs egid=90 euid=0 exe="/usr/sbin/postdrop" exit=-13 fsgid=90 fsuid=0 gid=0 items=0 name="[11149]" path="pipe:[11149]" pid=2976 scontext=system_u:system_r:postfix_postdrop_t:s0 sgid=90 subj=system_u:system_r:postfix_postdrop_t:s0 suid=0 tclass=fifo_file tcontext=system_u:system_r:fsdaemon_t:s0 tty=(none) uid=0
Comment 1 Daniel Walsh 2007-05-14 13:36:50 EDT
This looks like smartmon is leaking an open file descriptor to postfix.  Should
be calling

fcntl(fd, F_SETFD, FD_CLOEXEC) before sending mail.
Comment 2 Tomas Smetana 2007-05-25 09:53:11 EDT
This happens after the popen() call that opens a pipe to the postfix and writes
the mail into the pipe. I think this is an issue of selinux-policy.
Comment 3 Tomas Smetana 2007-05-25 10:02:28 EDT
Sorry, I was wrong: smartd doesn't write the mail into the pipe, but reads the
output of mail program to check the status. This however does not change the
fact that it seems not to be a smartd problem.
Comment 4 Daniel Walsh 2007-05-29 11:53:16 EDT
Fixed in selinux-policy-2.6.4-10.fc7
Comment 5 Daniel Walsh 2007-09-12 13:08:22 EDT
Moving modified bugs to closed
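
The descriptor leak discussed in the comments above, as an added example that is not part of the original report and is not smartd or postfix code: a pipe descriptor without close-on-exec survives fork() and exec() into the child program, which is how a process in a confined domain such as postfix_postdrop_t ends up holding a pipe labeled with the parent's domain, and setting FD_CLOEXEC makes the kernel close it at exec. The function name fd_leaks_across_exec, the /bin/sh probe and the use of /proc/self/fd are assumptions for illustration (Linux only).

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example (not smartd or postfix code). Returns 1 if a program
 * exec'd by a child still holds the parent's pipe descriptor, 0 if the
 * kernel closed it at exec, -1 on error.
 * Assumptions: Linux with /proc mounted, POSIX shell at /bin/sh. */
int fd_leaks_across_exec(int set_cloexec)
{
    int p[2], status, flags;
    char script[64];

    if (pipe(p) < 0)
        return -1;
    if (set_cloexec) {
        /* Close-on-exec is a descriptor flag, so it goes through
         * F_GETFD/F_SETFD rather than the file status flags. */
        flags = fcntl(p[0], F_GETFD);
        if (flags < 0 || fcntl(p[0], F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(p[0]);
            close(p[1]);
            return -1;
        }
    }
    /* The exec'd shell looks for descriptor p[0] in its own fd table. */
    snprintf(script, sizeof script, "test -e /proc/self/fd/%d", p[0]);

    pid_t pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);                      /* exec itself failed */
    }
    close(p[0]);
    close(p[1]);
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) > 1)
        return -1;                       /* shell missing or broken */
    return WEXITSTATUS(status) == 0;     /* 0: descriptor still open */
}

int main(void)
{
    printf("plain pipe fd visible after exec:  %d\n", fd_leaks_across_exec(0));
    printf("FD_CLOEXEC pipe fd visible:        %d\n", fd_leaks_across_exec(1));
    return 0;
}
```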
