Bug 239951 - SELinux is preventing /usr/sbin/postdrop (postfix_postdrop_t) "getattr" to pipe:[11149] (fsdaemon_t).
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy   
Version: rawhide
Hardware: All Linux
medium
medium
Assignee: Daniel Walsh
Reported: 2007-05-13 09:42 UTC by Kim Bisgaard
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-09-12 17:08:22 UTC

Description Kim Bisgaard 2007-05-13 09:42:39 UTC
Version-Release number of selected component (if applicable):
selinux-policy-2.6.1-1.fc7
postfix-2.3.6-1

Actual results:
Source Context: system_u:system_r:postfix_postdrop_t
Target Context: system_u:system_r:fsdaemon_t
Target Objects: pipe:[11149] [ fifo_file ]
Affected RPM Packages: postfix-2.3.6-1 [application]
Policy RPM: selinux-policy-2.6.1-1.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall
Host Name: kim.alleroedderne.adsl.dk
Platform: Linux kim.alleroedderne.adsl.dk 2.6.21-1.3116.fc7 #1 SMP Thu Apr 26 10:36:44 EDT 2007 i686 athlon
Alert Count: 1
First Seen: søn 13 maj 2007 09:57:49 CEST
Last Seen: søn 13 maj 2007 09:57:49 CEST
Local ID: 32a24f82-cc8a-4219-8dbe-288a80be2e33
Line Numbers:
Raw Audit Messages:
avc: denied { getattr } for comm="postdrop" dev=pipefs egid=90
euid=0 exe="/usr/sbin/postdrop" exit=-13 fsgid=90 fsuid=0 gid=0 items=0
name="[11149]" path="pipe:[11149]" pid=2976
scontext=system_u:system_r:postfix_postdrop_t:s0 sgid=90
subj=system_u:system_r:postfix_postdrop_t:s0 suid=0 tclass=fifo_file
tcontext=system_u:system_r:fsdaemon_t:s0 tty=(none) uid=0

Comment 1 Daniel Walsh 2007-05-14 17:36:50 UTC
This looks like smartmon is leaking an open file descriptor to postfix.  Should
be calling

fcntl(fd, F_SETFD, FD_CLOEXEC) before sending mail.
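
Added example (not part of the bug report, and not smartd or postfix code): the descriptor leak discussed in comment 1, reproduced with a pipe that is inherited across fork/exec unless it is marked close-on-exec. The helper name fd_survives_exec and the /bin/sh probe are assumptions made for this illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not from smartd or postfix): open a pipe, optionally
 * mark both ends close-on-exec, then fork and exec a shell that probes
 * whether the read end is still open after the exec.
 * Returns 1 if the descriptor survived the exec, 0 if it was closed,
 * -1 on error. */
int fd_survives_exec(int set_cloexec)
{
    int p[2], status, rc = -1;
    char cmd[64];
    pid_t pid;

    if (pipe(p) < 0)
        return -1;
    if (p[0] > 9)                 /* the shell probe uses a one-digit fd */
        goto out;
    for (int i = 0; set_cloexec && i < 2; i++) {
        /* close-on-exec is a descriptor flag, so it is set with F_SETFD */
        int fl = fcntl(p[i], F_GETFD);
        if (fl < 0 || fcntl(p[i], F_SETFD, fl | FD_CLOEXEC) < 0)
            goto out;
    }
    /* ": <&N" succeeds only if descriptor N is open in the new program */
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null; : <&%d", p[0]);
    pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);               /* exec itself failed */
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid &&
        WIFEXITED(status) && WEXITSTATUS(status) != 127)
        rc = (WEXITSTATUS(status) == 0);
out:
    close(p[0]);
    close(p[1]);
    return rc;
}

int main(void)
{
    printf("pipe open in child without FD_CLOEXEC: %d\n", fd_survives_exec(0));
    printf("pipe open in child with FD_CLOEXEC:    %d\n", fd_survives_exec(1));
    return 0;
}
```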

Comment 2 Tomas Smetana 2007-05-25 13:53:11 UTC
This happens after the popen() call that opens a pipe to postfix and writes
the mail into the pipe. I think this is an issue of selinux-policy.

Comment 3 Tomas Smetana 2007-05-25 14:02:28 UTC
Sorry, I was wrong: smartd doesn't write the mail into the pipe, but reads the
output of the mail program to check the status. This however does not change the
fact that it seems not to be a smartd problem.

Comment 4 Daniel Walsh 2007-05-29 15:53:16 UTC
Fixed in selinux-policy-2.6.4-10.fc7

Comment 5 Daniel Walsh 2007-09-12 17:08:22 UTC
Moving modified bugs to closed


