Bug 243600 - SELinux is preventing /usr/libexec/postfix/local (postfix_local_t) "append" to aov (mail_spool_t).
SELinux is preventing /usr/libexec/postfix/local (postfix_local_t) "append" t...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
7
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-10 09:39 EDT by Need Real Name
Modified: 2007-11-30 17:12 EST (History)
2 users (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-22 10:11:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Need Real Name 2007-06-10 09:39:30 EDT
Description of problem:
I (user aov) can't receive logwatch mail because
SELinux denied access requested by /usr/libexec/postfix/local:
"cannot update mailbox /var/mail/aov/ for user aov.
 cannot open file: Permission denied".

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-13.fc7

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Source Context:  system_u:system_r:postfix_local_t
Target Context:  system_u:object_r:mail_spool_t
Target Objects:  aov [ file ]
Affected RPM Packages:  postfix-2.3.6-1 [application]
Policy RPM:  selinux-policy-2.6.4-13.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall_file
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.21-1.3194.fc7
 #1 SMP Wed May 23 22:47:07 EDT 2007 x86_64 x86_64
Alert Count:  4
First Seen:  Sat 09 Jun 2007 01:26:03 PM CEST
Last Seen:  Sun 10 Jun 2007 09:28:46 AM CEST
Local ID:  4c811d69-f66b-40b6-9172-520526ac2f0d
Line Numbers:  
Raw Audit Messages :
avc: denied { append } for comm="local" dev=sda2 egid=12 euid=500
exe="/usr/libexec/postfix/local" exit=-13 fsgid=12 fsuid=500 gid=0 items=0
name="aov" pid=3790 scontext=system_u:system_r:postfix_local_t:s0 sgid=0
subj=system_u:system_r:postfix_local_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:mail_spool_t:s0 tty=(none) uid=0
Comment 1 Gerald Leung 2007-06-10 12:48:35 EDT
I can reproduce this bug. I also have selinux-policy-2.6.4-13 installed.

This happens for me for root or non-root users. With this bug, users cannot
receive mail in their mailbox (ie /var/spool/mail/root).

To reproduce this bug, send an email to any user on your local system in any
way. It is faster to send an email from the local system to the local user. As
soon as the user is supposed to receive the email, this SELinux error will be
logged to /var/log/audit/audit.log.

When I change the SELinux mode from Enforcing to Permissive, this bug does not
occur and the users can receive their mail in their mailbox.
Comment 2 Daniel Walsh 2007-06-11 11:00:29 EDT
Fixed in selinux-policy-2.6.4-14
Comment 3 Daniel Walsh 2007-08-22 10:11:10 EDT
Closing as fixes are in the current release

Note You need to log in before you can comment on or make changes to this bug.