Bug 244456 - SELinux is preventing /usr/libexec/postfix/smtp(d)? (postfix_smtp(d)?_t) "read" to eventpoll:[9215] (postfix_master_t).
Summary: SELinux is preventing /usr/libexec/postfix/smtp(d)? (postfix_smtp(d)?_t) "rea...
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware: x86_64
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-06-15 19:22 UTC by Ashish Shukla
Modified: 2007-11-30 22:12 UTC (History)
2 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2007-08-22 14:09:02 UTC


Attachments (Terms of Use)

Description Ashish Shukla 2007-06-15 19:22:35 UTC
Description of problem:
Got following AVC denial messages while fetching and sending mail using
fetchmail and postfix.

-- begin messages --
avc: denied { read } for comm="smtpd" dev=eventpollfs egid=0 euid=0
exe="/usr/libexec/postfix/smtpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0
name="[9215]" path="eventpoll:[9215]" pid=3484
scontext=system_u:system_r:postfix_smtpd_t:s0 sgid=0
subj=system_u:system_r:postfix_smtpd_t:s0 suid=0 tclass=file
tcontext=system_u:system_r:postfix_master_t:s0 tty=(none) uid=0
avc: denied { read } for comm="smtp" dev=eventpollfs egid=0 euid=0
exe="/usr/libexec/postfix/smtp" exit=0 fsgid=0 fsuid=0 gid=0 items=0
name="[9215]" path="eventpoll:[9215]" pid=3619
scontext=system_u:system_r:postfix_smtp_t:s0 sgid=0
subj=system_u:system_r:postfix_smtp_t:s0 suid=0 tclass=file
tcontext=system_u:system_r:postfix_master_t:s0 tty=(none) uid=0 
-- end messages --

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-13.fc7
fetchmail-6.3.7-1.fc7
postfix-2.4.3-2.fc7
mailx-8.1.1-46.fc7

How reproducible:
It is reproducible everytime.

Steps to Reproduce:
Start 'fetchmail' or Send mail using 'mail' command using 'postfix' as MTA.
  
Actual results:
Got AVC denials.

Expected results:
No AVC denials.

Additional info:
Following is the alert information copy-pasted from setroubleshoot browser.

Source Context                system_u:system_r:postfix_smtp_t
Target Context                system_u:system_r:postfix_master_t
Target Objects                eventpoll:[9215] [ file ]
Affected RPM Packages         postfix-2.4.3-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-13.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     chatteau.d.lf
Platform                      Linux chatteau.d.lf 2.6.21-1.3228.fc7 #1 SMP Tue
                              Jun 12 14:56:37 EDT 2007 x86_64 x86_64
Alert Count                   2
First Seen                    Sat 16 Jun 2007 12:41:39 AM IST
Last Seen                     Sat 16 Jun 2007 12:44:30 AM IST
Local ID                      9bda56e6-35af-4e5c-9dd3-3ebc824bb50f
Line Numbers                  

Source Context                system_u:system_r:postfix_smtpd_t
Target Context                system_u:system_r:postfix_master_t
Target Objects                eventpoll:[9215] [ file ]
Affected RPM Packages         postfix-2.4.3-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-13.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     chatteau.d.lf
Platform                      Linux chatteau.d.lf 2.6.21-1.3228.fc7 #1 SMP Tue
                              Jun 12 14:56:37 EDT 2007 x86_64 x86_64
Alert Count                   2
First Seen                    Sat 16 Jun 2007 12:35:49 AM IST
Last Seen                     Sat 16 Jun 2007 12:44:58 AM IST
Local ID                      d8519360-3c04-47d4-88a3-843045d4182e
Line Numbers

Comment 1 Daniel Rowe 2007-06-17 01:32:50 UTC
Hi

I am also getting the same as this on my setup.

Regards
Daniel

Comment 2 Laurent Jacquot 2007-06-17 08:54:01 UTC
Hi
Here is the audit2allow output:
 [root@jack ~]#  audit2allow -m temppostfix  -a -l> temppostfix.te
[root@jack ~]# cat temppostfix.te 

module temppostfix 1.0;

require {
        type postfix_local_t;
        type postfix_showq_t;
        type postfix_smtpd_t;
        type postfix_master_t;
        type procmail_t;
        type postfix_smtp_t;
        class file read;
}

#============= postfix_showq_t ==============
allow postfix_showq_t postfix_master_t:file read;

#============= postfix_smtp_t ==============
allow postfix_smtp_t postfix_master_t:file read;

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t postfix_master_t:file read;

#============= procmail_t ==============
allow procmail_t postfix_local_t:file read;


Comment 3 Laurent Jacquot 2007-06-17 09:03:06 UTC
Add myself on the Cc list

Comment 4 Laurent Jacquot 2007-06-17 20:53:38 UTC
selinux-policy-targeted-2.6.4-14.fc7 does not fix it

Comment 5 Markus Keppeler 2007-06-18 05:17:27 UTC
Same here, add myself to the Cc list.

Comment 6 Daniel Walsh 2007-06-18 14:20:35 UTC
Fixed in selinux-policy-targeted-2.6.4-17.fc7

Comment 7 Laurent Jacquot 2007-06-27 06:13:38 UTC
selinux-policy-targeted-2.6.4-21.fc7 works for me. Close the bug?

Comment 8 Daniel Walsh 2007-08-22 14:09:02 UTC
Closing as fixes are in the current release


Note You need to log in before you can comment on or make changes to this bug.