Bug 244456 - SELinux is preventing /usr/libexec/postfix/smtp(d)? (postfix_smtp(d)?_t) "read" to eventpoll:[9215] (postfix_master_t).
SELinux is preventing /usr/libexec/postfix/smtp(d)? (postfix_smtp(d)?_t) "rea...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
7
x86_64 Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-15 15:22 EDT by Ashish Shukla
Modified: 2007-11-30 17:12 EST (History)
2 users (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-22 10:09:02 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ashish Shukla 2007-06-15 15:22:35 EDT
Description of problem:
Got following AVC denial messages while fetching and sending mail using
fetchmail and postfix.

-- begin messages --
avc: denied { read } for comm="smtpd" dev=eventpollfs egid=0 euid=0
exe="/usr/libexec/postfix/smtpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0
name="[9215]" path="eventpoll:[9215]" pid=3484
scontext=system_u:system_r:postfix_smtpd_t:s0 sgid=0
subj=system_u:system_r:postfix_smtpd_t:s0 suid=0 tclass=file
tcontext=system_u:system_r:postfix_master_t:s0 tty=(none) uid=0
avc: denied { read } for comm="smtp" dev=eventpollfs egid=0 euid=0
exe="/usr/libexec/postfix/smtp" exit=0 fsgid=0 fsuid=0 gid=0 items=0
name="[9215]" path="eventpoll:[9215]" pid=3619
scontext=system_u:system_r:postfix_smtp_t:s0 sgid=0
subj=system_u:system_r:postfix_smtp_t:s0 suid=0 tclass=file
tcontext=system_u:system_r:postfix_master_t:s0 tty=(none) uid=0 
-- end messages --

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-13.fc7
fetchmail-6.3.7-1.fc7
postfix-2.4.3-2.fc7
mailx-8.1.1-46.fc7

How reproducible:
It is reproducible everytime.

Steps to Reproduce:
Start 'fetchmail' or Send mail using 'mail' command using 'postfix' as MTA.
  
Actual results:
Got AVC denials.

Expected results:
No AVC denials.

Additional info:
Following is the alert information copy-pasted from setroubleshoot browser.

Source Context                system_u:system_r:postfix_smtp_t
Target Context                system_u:system_r:postfix_master_t
Target Objects                eventpoll:[9215] [ file ]
Affected RPM Packages         postfix-2.4.3-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-13.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     chatteau.d.lf
Platform                      Linux chatteau.d.lf 2.6.21-1.3228.fc7 #1 SMP Tue
                              Jun 12 14:56:37 EDT 2007 x86_64 x86_64
Alert Count                   2
First Seen                    Sat 16 Jun 2007 12:41:39 AM IST
Last Seen                     Sat 16 Jun 2007 12:44:30 AM IST
Local ID                      9bda56e6-35af-4e5c-9dd3-3ebc824bb50f
Line Numbers                  

Source Context                system_u:system_r:postfix_smtpd_t
Target Context                system_u:system_r:postfix_master_t
Target Objects                eventpoll:[9215] [ file ]
Affected RPM Packages         postfix-2.4.3-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-13.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     chatteau.d.lf
Platform                      Linux chatteau.d.lf 2.6.21-1.3228.fc7 #1 SMP Tue
                              Jun 12 14:56:37 EDT 2007 x86_64 x86_64
Alert Count                   2
First Seen                    Sat 16 Jun 2007 12:35:49 AM IST
Last Seen                     Sat 16 Jun 2007 12:44:58 AM IST
Local ID                      d8519360-3c04-47d4-88a3-843045d4182e
Line Numbers
Comment 1 Daniel Rowe 2007-06-16 21:32:50 EDT
Hi

I am also getting the same as this on my setup.

Regards
Daniel
Comment 2 Laurent Jacquot 2007-06-17 04:54:01 EDT
Hi
Here is the audit2allow output:
 [root@jack ~]#  audit2allow -m temppostfix  -a -l> temppostfix.te
[root@jack ~]# cat temppostfix.te 

module temppostfix 1.0;

require {
        type postfix_local_t;
        type postfix_showq_t;
        type postfix_smtpd_t;
        type postfix_master_t;
        type procmail_t;
        type postfix_smtp_t;
        class file read;
}

#============= postfix_showq_t ==============
allow postfix_showq_t postfix_master_t:file read;

#============= postfix_smtp_t ==============
allow postfix_smtp_t postfix_master_t:file read;

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t postfix_master_t:file read;

#============= procmail_t ==============
allow procmail_t postfix_local_t:file read;
Comment 3 Laurent Jacquot 2007-06-17 05:03:06 EDT
Add myself on the Cc list
Comment 4 Laurent Jacquot 2007-06-17 16:53:38 EDT
selinux-policy-targeted-2.6.4-14.fc7 does not fix it
Comment 5 Markus Keppeler 2007-06-18 01:17:27 EDT
Same here, add myself to the Cc list.
Comment 6 Daniel Walsh 2007-06-18 10:20:35 EDT
Fixed in selinux-policy-targeted-2.6.4-17.fc7
Comment 7 Laurent Jacquot 2007-06-27 02:13:38 EDT
selinux-policy-targeted-2.6.4-21.fc7 works for me. Close the bug?
Comment 8 Daniel Walsh 2007-08-22 10:09:02 EDT
Closing as fixes are in the current release

Note You need to log in before you can comment on or make changes to this bug.