Description of problem:
SELinux is preventing /usr/libexec/postfix/smtpd (postfix_smtpd_t) "getattr" to /home (home_root_t).

I am getting these errors with the following additional information from the SEtroubleshoot'er on a regular basis:

Source Context: system_u:system_r:postfix_smtpd_t
Target Context: system_u:object_r:home_root_t
Target Objects: /home [ dir ]
Affected RPM Packages: postfix-2.3.3-2 [application] filesystem-2.4.0-1 [target]
Policy RPM: selinux-policy-2.4.6-30.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall_file
Host Name: xuxa
Platform: Linux xuxa 2.6.18-8.1.6.el5 #1 SMP Fri Jun 1 18:52:11 EDT 2007 i686 i686
Alert Count: 11
Line Numbers:

Raw Audit Messages:
avc: denied { getattr } for comm="smtpd" dev=sda6 egid=89 euid=89 exe="/usr/libexec/postfix/smtpd" exit=-13 fsgid=89 fsuid=89 gid=89 items=0 name="/" path="/home" pid=5842 scontext=system_u:system_r:postfix_smtpd_t:s0 sgid=89 subj=system_u:system_r:postfix_smtpd_t:s0 suid=89 tclass=dir tcontext=system_u:object_r:home_root_t:s0 tty=(none) uid=89

This system receives all event logging and system reports that are sent to the local 'root' from several other systems (1-RHEL3, 5-RHEL4, 1-Ubuntu) via /etc/aliases, which is then forwarded to my local mail spool, but I'm not convinced this is the root cause. I am getting these warnings regularly, but oddly not consistently, and I do seem to be picking up all the expected system mails from the systems.

Version-Release number of selected component (if applicable):
[peckd@xuxa ~]$ rpm -qa | grep selinux
libselinux-devel-1.33.4-2.el5
libselinux-1.33.4-2.el5
selinux-policy-2.4.6-30.el5
selinux-policy-targeted-2.4.6-30.el5
libselinux-python-1.33.4-2.el5
[peckd@xuxa ~]$ rpm -qa | grep postfix
postfix-2.3.3-2
[peckd@xuxa ~]$

How reproducible:
I really wish I knew... I know it's not random (this is a deterministic process and all) but I can't seem to narrow it down; suggestions are welcome.

Steps to Reproduce:
1. Unknown
2.
3.

Actual results:
Error logged by SELinux blocking access...

Expected results:
SELinux not blocking access... or, if this is some sort of informational notice, not flagging it as an error requiring investigation.

Additional info:
I am pretty sure this can be ignored. Often applications will list the contents of the / directory and get getattr violations on different entries. In selinux-policy-2.6.4-22 I will dontaudit this to remove the avc.
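As an added example that is not part of this bug report or of selinux-policy, the following parses the raw AVC record quoted in the description and renders the TE rule that would cover it, distinguishing the "silence with dontaudit" outcome the maintainer describes from a real "allow". The audit line is a constructed, abridged copy of the one above, and the benign-listing heuristic (getattr-only on a directory directly under /) is my own assumption, not something the policy encodes.

```python
import os
import re

# Constructed sample: abridged copy of the AVC record in this report, as one audit line.
AVC_SAMPLE = (
    'avc: denied { getattr } for comm="smtpd" dev=sda6 egid=89 euid=89 '
    'exe="/usr/libexec/postfix/smtpd" exit=-13 name="/" path="/home" pid=5842 '
    'scontext=system_u:system_r:postfix_smtpd_t:s0 tclass=dir '
    'tcontext=system_u:object_r:home_root_t:s0 uid=89'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return verdict, requested permissions and the key=value fields of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {"verdict": m.group("verdict"), "perms": m.group("perms").split(), **fields}


def type_of(context):
    """Extract the type (third field) of a user:role:type[:mls] security context."""
    return context.split(":")[2]


def policy_rule(avc, kind="allow"):
    """Render the TE rule covering this record; kind is 'allow' or 'dontaudit'."""
    return "%s %s %s:%s { %s };" % (
        kind, type_of(avc["scontext"]), type_of(avc["tcontext"]),
        avc["tclass"], " ".join(avc["perms"]))


def is_benign_dir_listing(avc):
    """Assumed heuristic: a bare getattr on an entry directly under / is a process
    scanning the root directory, which is silenced rather than granted."""
    return (avc["tclass"] == "dir" and set(avc["perms"]) == {"getattr"}
            and os.path.dirname(avc.get("path", "")) == "/")


def suggest(avc):
    """Pick dontaudit for the benign-listing case, otherwise an allow rule for review."""
    return policy_rule(avc, "dontaudit" if is_benign_dir_listing(avc) else "allow")
```

Anything that does not match the benign pattern (a write, or an access deeper in the tree) still comes back as an allow rule, which should be reviewed rather than loaded blindly.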
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Could you try the new policy available at the link below and reply whether the new packages solve your problem. http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Fixed in selinux-policy-2.4.6-100
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0544.html