Bug 245268 - SELinux is preventing (postfix_smtpd_t) "getattr" to /home (home_root_t)
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.0
Hardware: i686 Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
Blocks: 955536
Reported: 2007-06-21 20:53 EDT by dave peck
Modified: 2013-04-23 05:12 EDT
Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Last Closed: 2007-11-07 11:40:03 EST

Description dave peck 2007-06-21 20:53:05 EDT
Description of problem:

SELinux is preventing /usr/libexec/postfix/smtpd (postfix_smtpd_t) "getattr" to
/home (home_root_t).

I am getting these errors with the following additional information from the
SEtroubleshoot'er on a regular basis:

    Source Context:  system_u:system_r:postfix_smtpd_t
    Target Context:  system_u:object_r:home_root_t
    Target Objects:  /home [ dir ]
    Affected RPM Packages:  postfix-2.3.3-2 [application]filesystem-2.4.0-1 [target]
    Policy RPM:  selinux-policy-2.4.6-30.el5
    Selinux Enabled:  True
    Policy Type:  targeted
    MLS Enabled:  True
    Enforcing Mode:  Enforcing
    Plugin Name:  plugins.catchall_file
    Host Name:  xuxa
    Platform:  Linux xuxa 2.6.18-8.1.6.el5 #1 SMP Fri Jun 1 18:52:11 EDT 2007
i686 i686
    Alert Count:  11
    Line Numbers:   
    Raw Audit Messages :
    avc: denied { getattr } for comm="smtpd" dev=sda6 egid=89 euid=89
exe="/usr/libexec/postfix/smtpd" exit=-13 fsgid=89 fsuid=89 gid=89 items=0
name="/" path="/home" pid=5842 scontext=system_u:system_r:postfix_smtpd_t:s0
sgid=89 subj=system_u:system_r:postfix_smtpd_t:s0 suid=89 tclass=dir
tcontext=system_u:object_r:home_root_t:s0 tty=(none) uid=89 

This system receives all event logging and system reports that are sent to the
local 'root' from several other systems (1-RHEL3, 5-RHEL4, 1-Ubuntu) via
/etc/aliases; which is then forwarded to my local mail spool, but I'm not
convinced this is the root cause. I am getting these warnings regularly, but
oddly not consistently, and I do seem to be picking up all the expected system
mails from the systems.


Version-Release number of selected component (if applicable):

[peckd@xuxa ~]$ rpm -qa | grep selinux
libselinux-devel-1.33.4-2.el5
libselinux-1.33.4-2.el5
selinux-policy-2.4.6-30.el5
selinux-policy-targeted-2.4.6-30.el5
libselinux-python-1.33.4-2.el5
[peckd@xuxa ~]$ rpm -qa | grep postfix
postfix-2.3.3-2
[peckd@xuxa ~]$ 


How reproducible:

I really wish I knew... I know it's not random (this is a deterministic process
and all) but I can't seem to narrow it down--suggestions are welcome.

Steps to Reproduce:
1. Unknown
Actual results:

Error logged by SELinux blocking access...


Expected results:

SELinux not blocking access... or if this is some sort of informational notice
not flagging it as an error requiring investigation.



Additional info:
Comment 1 Daniel Walsh 2007-06-22 09:42:13 EDT
I am pretty sure this can be ignored.  Often applications will list the contents
of the / directory and get getattr violations on different entries.

In selinux-policy-2.6.4-22 I will dontaudit this to remove the avc.
Comment 3 RHEL Product and Program Management 2007-06-25 13:23:50 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 6 Eduard Benes 2007-08-22 11:41:31 EDT
Could you try the new policy available at the link below and reply
whether the new packages solve your problem?

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Comment 11 Daniel Walsh 2007-09-27 10:43:14 EDT
Fixed in selinux-policy-2.4.6-100
Comment 14 errata-xmlrpc 2007-11-07 11:40:03 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html
