Description of problem:
SELinux is preventing postfix from working with the virtual transport. I looked into the policy sources and there are no strict rules for what the virtual process can do.

avc: denied { setrlimit } for comm="virtual" egid=0 euid=0 exe="/usr/libexec/postfix/virtual" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=17621 scontext=system_u:system_r:postfix_master_t:s0 sgid=0 subj=system_u:system_r:postfix_master_t:s0 suid=0 tclass=process tcontext=system_u:system_r:postfix_master_t:s0 tty=(none) uid=0

Also I suppose there should be a dedicated label for virtual mail, because after I built a module to allow setrlimit I experienced denials on { search } of the virtual mailbox. Then I tried to move/label the mailboxes as home dir content, also without success.

avc: denied { search } for comm="virtual" cwd="/var/spool/postfix" dev=dm-3 egid=500 euid=500 exe="/usr/libexec/postfix/virtual" exit=-13 fsgid=500 fsuid=500 gid=0 item=0 items=1 name="/var/spool/mail/vmail/domains/digit-all.pl/admin/tmp/1181442754.P28071.warlord.digit-all.pl" obj=system_u:object_r:etc_t:s0 pid=28071 scontext=root:system_r:postfix_master_t:s0 sgid=0 subj=root:system_r:postfix_master_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:mail_spool_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-74.fc6

How reproducible:
Always with virtual transport enabled.

Steps to Reproduce:
1. Enable virtual transport in postfix configuration
2. Try to send message to user in virtual map

Actual results:
Postfix cannot deliver message

Expected results:
Deliver mail to virtual user/mailbox

Additional info:
Just want to verify that these are all the avc messages you are seeing. Did you put the machine into permissive mode, and did it work?

setenforce 0
Test
setenforce 1
Created attachment 156887
AVC denials log

I did the test as you recommended; results are in the attachment. Now I'm running postfix with postfix_disable_trans 1 to make things work.
If you execute

chcon -t postfix_local_exec_t /usr/libexec/postfix/virtual

does it work properly?
Still didn't work; the denials are different, log will be attached. Also I did a test with setenforce 0 to have a view of what is missing - log attached.
Created attachment 156992
Denials log after chcon -t postfix_local_exec_t
Created attachment 156993
Denials log after chcon -t postfix_local_exec_t and setenforce 0
I see something similar. The virtual program won't work for me.

# sealert -l foo

Summary
    SELinux is preventing /usr/libexec/postfix/virtual (postfix_master_t) "search" to / (home_root_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/postfix/virtual. It is not expected that this access is required by /usr/libexec/postfix/virtual and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Additional Information
Source Context                system_u:system_r:postfix_master_t
Target Context                system_u:object_r:home_root_t
Target Objects                / [ dir ]
Affected RPM Packages         postfix-2.3.3-2 [application]
                              filesystem-2.4.0-1.el5.centos [target]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Alert Count                   4103
Line Numbers

Raw Audit Messages
avc: denied { search } for comm="virtual" dev=sdb1 egid=5000 euid=5000 exe="/usr/libexec/postfix/virtual" exit=-13 fsgid=5000 fsuid=5000 gid=0 items=0 name="/" pid=27341 scontext=system_u:system_r:postfix_master_t:s0 sgid=0 subj=system_u:system_r:postfix_master_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:home_root_t:s0 tty=(none) uid=0
Fixed in selinux-policy-2.6.4-17
Will this policy version be applied to fc6, or is it only for f7?
Once I have it right on FC7 I will backport it to fc6.
Closed as all fixes are in the current release