Bug 243989 - Postfix virtual transport not working with selinux
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-06-13 05:33 EDT by Rafał Dutko
Modified: 2007-11-30 17:12 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Last Closed: 2007-08-22 10:02:58 EDT

Attachments
AVC denials log (2.40 KB, text/plain) - 2007-06-13 11:08 EDT, Rafał Dutko
Denials log after chcon -t postfix_local_exec_t (1.01 KB, text/plain) - 2007-06-14 09:25 EDT, Rafał Dutko
Denials log after chcon -t postfix_local_exec_t and setenforce 0 (517 bytes, text/plain) - 2007-06-14 09:25 EDT, Rafał Dutko

Description Rafał Dutko 2007-06-13 05:33:07 EDT
Description of problem:
SELinux is preventing postfix from working with the virtual transport. I looked into
the policy sources and there are no strict rules about what the virtual process can do.

avc: denied { setrlimit } for comm="virtual" egid=0 euid=0 
exe="/usr/libexec/postfix/virtual" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 
pid=17621 scontext=system_u:system_r:postfix_master_t:s0 sgid=0 
subj=system_u:system_r:postfix_master_t:s0 suid=0 tclass=process 
tcontext=system_u:system_r:postfix_master_t:s0 tty=(none) uid=0

Also I suppose there should be a dedicated label for virtual mail, because after I
built a module to allow setrlimit I experienced denials on { search } of the virtual
mailbox. Then I tried to move/label mailboxes as home dir content, also without

avc: denied { search } for comm="virtual" cwd="/var/spool/postfix" dev=dm-3 
egid=500 euid=500 exe="/usr/libexec/postfix/virtual" exit=-13 fsgid=500 
fsuid=500 gid=0 item=0 items=1 
obj=system_u:object_r:etc_t:s0 pid=28071 
scontext=root:system_r:postfix_master_t:s0 sgid=0 
subj=root:system_r:postfix_master_t:s0 suid=0 tclass=dir 
tcontext=system_u:object_r:mail_spool_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):


How reproducible:
Always with virtual transport enabled.

Steps to Reproduce:
1. Enable virtual transport in postfix configuration
2. Try to send a message to a user in the virtual map
Actual results:

Postfix cannot deliver message

Expected results:

Deliver mail to virtual user/mailbox

Additional info:
Comment 1 Daniel Walsh 2007-06-13 09:42:20 EDT
Just want to verify that these are all the avc messages you are seeing.  Did you
put the machine into permissive mode, and did it work?

setenforce 0
setenforce 1

Comment 2 Rafał Dutko 2007-06-13 11:08:12 EDT
Created attachment 156887 [details]
AVC denials log

I did the test as you recommended; results are in the attachment. Now I'm running postfix
with postfix_disable_trans 1 to make things work.
Comment 3 Daniel Walsh 2007-06-14 08:53:58 EDT
If you execute

chcon -t postfix_local_exec_t /usr/libexec/postfix/virtual

Does it work properly?
Comment 4 Rafał Dutko 2007-06-14 09:23:58 EDT
Still didn't work, the denials are different, log will be attached. Also I did a
test with setenforce 0 to have a view of what is missing - log attached.
Comment 5 Rafał Dutko 2007-06-14 09:25:12 EDT
Created attachment 156992 [details]
Denials log after chcon -t postfix_local_exec_t
Comment 6 Rafał Dutko 2007-06-14 09:25:39 EDT
Created attachment 156993 [details]
Denials log after chcon -t postfix_local_exec_t and setenforce 0
Comment 7 John Villalovos 2007-06-18 23:20:28 EDT
I see something similar.  The virtual program won't work for me.

# sealert -l foo
    SELinux is preventing /usr/libexec/postfix/virtual (postfix_master_t)
    "search" to / (home_root_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/postfix/virtual. It is not
    expected that this access is required by /usr/libexec/postfix/virtual and
    this access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Additional Information

Source Context                system_u:system_r:postfix_master_t
Target Context                system_u:object_r:home_root_t
Target Objects                / [ dir ]
Affected RPM Packages         postfix-2.3.3-2
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Alert Count                   4103
Line Numbers

Raw Audit Messages

avc: denied { search } for comm="virtual" dev=sdb1 egid=5000 euid=5000
exe="/usr/libexec/postfix/virtual" exit=-13 fsgid=5000 fsuid=5000 gid=0 items=0
name="/" pid=27341 scontext=system_u:system_r:postfix_master_t:s0 sgid=0
subj=system_u:system_r:postfix_master_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:home_root_t:s0 tty=(none) uid=0
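The denials quoted in the description and in comment 7 all have the same shape: a source context, a target context, an object class and a permission set. The script below is an added example for readers of this bug, not code from the reporter or from the selinux-policy package. It parses AVC records of that shape and groups them by (source type, target type, class), which is the same summarization audit2allow performs before proposing allow rules. The three sample records are constructed from the fields quoted in the report, joined onto one line each; the thread's actual resolution was a policy update, so the rules this prints are a diagnostic summary of what was denied, not the fix.

```python
"""Parse SELinux AVC denial records and summarize the allow rules they imply."""
import re
from collections import defaultdict

# Constructed sample records: the three denials quoted in this bug, each joined
# onto a single line. Values are the report's own; nothing else is assumed.
SAMPLE_AVCS = [
    'avc: denied { setrlimit } for comm="virtual" egid=0 euid=0 '
    'exe="/usr/libexec/postfix/virtual" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
    'pid=17621 scontext=system_u:system_r:postfix_master_t:s0 sgid=0 '
    'subj=system_u:system_r:postfix_master_t:s0 suid=0 tclass=process '
    'tcontext=system_u:system_r:postfix_master_t:s0 tty=(none) uid=0',
    'avc: denied { search } for comm="virtual" cwd="/var/spool/postfix" dev=dm-3 '
    'egid=500 euid=500 exe="/usr/libexec/postfix/virtual" exit=-13 fsgid=500 '
    'fsuid=500 gid=0 item=0 items=1 pid=28071 '
    'scontext=root:system_r:postfix_master_t:s0 sgid=0 '
    'subj=root:system_r:postfix_master_t:s0 suid=0 tclass=dir '
    'tcontext=system_u:object_r:mail_spool_t:s0 tty=(none) uid=0',
    'avc: denied { search } for comm="virtual" dev=sdb1 egid=5000 euid=5000 '
    'exe="/usr/libexec/postfix/virtual" exit=-13 fsgid=5000 fsuid=5000 gid=0 items=0 '
    'name="/" pid=27341 scontext=system_u:system_r:postfix_master_t:s0 sgid=0 '
    'subj=system_u:system_r:postfix_master_t:s0 suid=0 tclass=dir '
    'tcontext=system_u:object_r:home_root_t:s0 tty=(none) uid=0',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type (third field) of a user:role:type[:level] security context."""
    if not context:
        return None
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else None


def parse_avc(line):
    """Parse one AVC record into a dict, or return None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec = {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'exe': fields.get('exe'),
        'tclass': fields.get('tclass'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        # Newer kernels emit path=, older ones name=; either identifies the object.
        'path': fields.get('path') or fields.get('name'),
    }
    rec['stype'] = context_type(rec['scontext'])
    rec['ttype'] = context_type(rec['tcontext'])
    return rec


def summarize(lines):
    """Group denials by (source type, target type, class) and union their permissions."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            groups[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in groups.items()}


def allow_rules(lines):
    """Render the summary as policy-language allow rules, sorted for stable output.

    Review each rule before loading it: a rule such as postfix_master_t searching
    home_root_t is exactly the kind of over-broad grant the thread's "dedicated
    label/domain" remark is about."""
    return [f'allow {s} {t}:{c} {{ {" ".join(p)} }};'
            for (s, t, c), p in sorted(summarize(lines).items())]


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
```

Run it against a real log with something like `python3 avc_summary.py < /var/log/audit/audit.log` after replacing SAMPLE_AVCS with `sys.stdin`; the grouping makes it obvious when one domain (postfix_master_t here) is being denied access to several unrelated target types, which is the signal that the program needs its own domain rather than one more allow rule.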
Comment 8 Daniel Walsh 2007-06-19 08:25:15 EDT
Fixed in selinux-policy-2.6.4-17
Comment 9 Rafał Dutko 2007-06-19 14:26:20 EDT
Will this policy version be applied to fc6, or is it only for f7?
Comment 10 Daniel Walsh 2007-06-19 15:05:19 EDT
Once I have it right on FC7 I will backport it to fc6.
Comment 11 Daniel Walsh 2007-08-22 10:02:58 EDT
Closed as all fixes are in the current release