Bug 245605 - SELinux prevents postfix from accessing NFS files with use_nfs_home_dirs=1
SELinux prevents postfix from accessing NFS files with use_nfs_home_dirs=1
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.0
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
: OtherQA
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-25 13:59 EDT by Andy Schofield
Modified: 2009-07-20 05:59 EDT (History)
1 user (show)

See Also:
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-21 12:05:14 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Andy Schofield 2007-06-25 13:59:34 EDT
Description of problem:
When postfix tries to deliver email to a users Maildir which is NFS mounted,
access is forbidden even though use_nfs_home_dirs=1. It can't search, read or write.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-76.el5
postfix-2.3.3-2 [application]filesystem-2.4.0-1.el5.centos [target]

How reproducible:
Always

Steps to Reproduce:
1. Configure postfix to use Maildirs
2. Mount home directories over NFS
3. Send an email to be delivered to a user
  
Actual results:
avc: denied { search } for comm="local" dev=0:12 egid=610 euid=3000
exe="/usr/libexec/postfix/local" exit=-13 fsgid=610 fsuid=3000 gid=0 items=0
name="" pid=2876 scontext=system_u:system_r:postfix_local_t:s0 sgid=0
subj=system_u:system_r:postfix_local_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:nfs_t:s0 tty=(none) uid=0 
Email bounces

Expected results:
Email should be delivered.

Additional info:
I am using the latest policy (2.4.6-76) from Dan Walsh's site. I get the same
behaviour with the policy in the official rhel5 distribution.
Comment 1 Daniel Walsh 2007-08-22 09:46:03 EDT
Fixed in selinux-policy-2.4.6-84
Comment 2 Andy Schofield 2007-10-01 15:14:48 EDT
It does not seem to be fixed for me (in 2.4.6-98)

More details: here are the avc errors when permissive mode is enabled.

avc: denied { create } for comm="local" dev=0:12 egid=610 euid=3000
exe="/usr/libexec/postfix/local" exit=14 fsgid=610 fsuid=3000 gid=0 items=0
name="1191265607.P6252.thp146.ph.bham.ac.uk" pid=6252
scontext=user_u:system_r:postfix_local_t:s0 sgid=0
subj=user_u:system_r:postfix_local_t:s0 suid=0 tclass=file
tcontext=user_u:object_r:nfs_t:s0 tty=(none) uid=0 

avc: denied { unlink } for comm="local" dev=0:12 egid=610 euid=3000
exe="/usr/libexec/postfix/local" exit=0 fsgid=610 fsuid=3000 gid=0 items=0
name="1191265607.P6252.thp146.ph.bham.ac.uk" pid=6252
scontext=user_u:system_r:postfix_local_t:s0 sgid=0
subj=user_u:system_r:postfix_local_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:nfs_t:s0 tty=(none) uid=0 

avc: denied { getattr } for comm="local" dev=0:12 egid=610 euid=3000
exe="/usr/libexec/postfix/local" exit=0 fsgid=610 fsuid=3000 gid=0 items=0
name="1191265607.P6252.thp146.ph.bham.ac.uk"
path="/home/sman/Maildir/tmp/1191265607.P6252.thp146.ph.bham.ac.uk" pid=6252
scontext=user_u:system_r:postfix_local_t:s0 sgid=0
subj=user_u:system_r:postfix_local_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:nfs_t:s0 tty=(none) uid=0 

avc: denied { write } for comm="local" dev=0:12 egid=610 euid=3000
exe="/usr/libexec/postfix/local" exit=443 fsgid=610 fsuid=3000 gid=0 items=0
name="1191265607.P6252.thp146.ph.bham.ac.uk"
path="/home/sman/Maildir/tmp/1191265607.P6252.thp146.ph.bham.ac.uk" pid=6252
scontext=user_u:system_r:postfix_local_t:s0 sgid=0
subj=user_u:system_r:postfix_local_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:nfs_t:s0 tty=(none) uid=0 
Comment 3 Daniel Walsh 2007-10-01 16:28:13 EDT
Do you have the use_nfs_home_dirs boolean turned on ?

setsebool -P use_nfs_home_dirs 1
Comment 4 Andy Schofield 2007-10-01 17:45:54 EDT
I certainly do! 

# getsebool use_nfs_home_dirs
use_nfs_home_dirs --> on
Comment 5 Daniel Walsh 2007-10-01 18:22:14 EDT
What does 

sesearch -A -s postfix_local_t | grep nfs

Show?
Comment 6 Andy Schofield 2007-10-02 02:24:29 EDT
It returned nothing (tried on two machines):

[root@thp146 ~]# rpm -q selinux-policy
selinux-policy-2.4.6-98.el5
[root@thp146 ~]# sesearch -A -s postfix_local_t | grep nfs
[root@thp146 ~]# 

Do I need to relabel the filesystem or reboot on updating the policy? I have not
done either

Comment 7 Daniel Walsh 2007-10-02 09:36:36 EDT
Could you install selinux-policy-2.4.6-101.el5 and see if this works for you.

http://people.redhat.com/dwalsh/SELinux/RHEL5/

Comment 8 Andy Schofield 2007-10-02 10:41:08 EDT
Still no change. 
sesearch -A -s postfix_local_t | grep nfs
gives nothing, and email is not delivered locally when enforcing is on.
Comment 9 RHEL Product and Program Management 2007-10-15 23:56:35 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 10 Andy Schofield 2007-10-16 08:40:49 EDT
Please note - this bug is still not fixed in selinux-policy-2.4.6-106 so don't
include it in a maintenance release yet.
Comment 11 Daniel Walsh 2007-10-17 15:07:39 EDT
Fixed in selinux-policy-2.4.6-107.el5
Comment 12 Jay Turner 2007-11-30 02:30:20 EST
QE ack for RHEL5.2.  Reproducer in comment 0.
Comment 14 Eduard Benes 2008-01-09 13:42:19 EST
Andy, could you please try the new policy available at the link below and 
reply whether the new packages solve your problem? Thank you.

The fix should be present in selinux-policy-2.4.6-107 available here:

  http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Comment 15 Andy Schofield 2008-01-10 07:19:24 EST
It still does not seem to be fixed in selinux-policy-2.4.6-107

sesearch -A -s postfix_local_t | grep nfs
gives nothing, and email is not delivered locally when enforcing is on.

# getsebool use_nfs_home_dirs
use_nfs_home_dirs --> on

The audit log reveals the following when postfix tries to deliver an email to a
maildir mounted on an NFS file system.

type=AVC msg=audit(1199967073.916:3668): avc:  denied  { search } for  pid=27053
comm="local" name="" dev=0:22 ino=55410689
scontext=system_u:system_r:postfix_local_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1199967073.916:3668): arch=40000003 syscall=196
success=no exit=-13 a0=8eebe50 a1=bf9596b0 a2=5ecff4 a3=3 items=0 ppid=2158
pid=27053 auid=4294967295 uid=0 gid=0 euid=1000 suid=0 fsuid=1000 egid=600
sgid=0 fsgid=600 tty=(none) comm="local" exe="/usr/libexec/postfix/local"
subj=system_u:system_r:postfix_local_t:s0 key=(null)
type=AVC msg=audit(1199967073.917:3669): avc:  denied  { search } for  pid=27053
comm="local" name="" dev=0:22 ino=55410689
scontext=system_u:system_r:postfix_local_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1199967073.917:3669): arch=40000003 syscall=5 success=no
exit=-13 a0=8eeba60 a1=c1 a2=180 a3=0 items=0 ppid=2158 pid=27053
auid=4294967295 uid=0 gid=0 euid=1000 suid=0 fsuid=1000 egid=600 sgid=0
fsgid=600 tty=(none) comm="local" exe="/usr/libexec/postfix/local"
subj=system_u:system_r:postfix_local_t:s0 key=(null)
type=AVC msg=audit(1199967074.024:3670): avc:  denied  { search } for  pid=27053
comm="local" name="" dev=0:22 ino=38551553
scontext=system_u:system_r:postfix_local_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1199967074.024:3670): arch=40000003 syscall=196
success=no exit=-13 a0=8eeae40 a1=bf958f90 a2=5ecff4 a3=3 items=0 ppid=2158
pid=27053 auid=4294967295 uid=0 gid=0 euid=3000 suid=0 fsuid=3000 egid=610
sgid=0 fsgid=610 tty=(none) comm="local" exe="/usr/libexec/postfix/local"
subj=system_u:system_r:postfix_local_t:s0 key=(null)
type=AVC msg=audit(1199967074.056:3671): avc:  denied  { search } for  pid=27053
comm="local" name="" dev=0:22 ino=38551553
scontext=system_u:system_r:postfix_local_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1199967074.056:3671): arch=40000003 syscall=5 success=no
exit=-13 a0=8edb8c8 a1=c1 a2=180 a3=0 items=0 ppid=2158 pid=27053
auid=4294967295 uid=0 gid=0 euid=3000 suid=0 fsuid=3000 egid=610 sgid=0
fsgid=610 tty=(none) comm="local" exe="/usr/libexec/postfix/local"
subj=system_u:system_r:postfix_local_t:s0 key=(null)

Anything else I can do to help diagnose this?
Comment 16 Daniel Walsh 2008-01-11 14:55:13 EST
Fixed in selinux-policy-2.4.6-113.el5

Please try this one.

  http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Comment 17 Andy Schofield 2008-01-15 08:35:56 EST
No - it still does not seem to be working (obviously I have switched
use_nfs_home_dirs to on). The sealert is for read access but postfix will need
to write and search too:

Summary
    SELinux prevented /usr/libexec/postfix/local from reading files stored on a
    NFS filesytem.

Detailed Description
    SELinux prevented /usr/libexec/postfix/local from reading files stored on a
    NFS filesystem. NFS (Network Filesystem) is a network filesystem commonly
    used on Unix / Linux systems. /usr/libexec/postfix/local attempted to read
    one or more files or directories from a mounted filesystem of this type.  As
    NFS filesystems do not support fine-grained SELinux labeling, all files and
    directories in the filesystem will have the same security context. If you
    have not configured /usr/libexec/postfix/local to read files from a NFS
    filesystem this access attempt could signal an intrusion attempt.

Allowing Access
    Changing the "use_nfs_home_dirs" boolean to true will allow this access:
    "setsebool -P use_nfs_home_dirs=1"

    The following command will allow this access:
    setsebool -P use_nfs_home_dirs=1

Additional Information        

Source Context                system_u:system_r:postfix_local_t
Target Context                system_u:object_r:nfs_t
Target Objects                 [ dir ]
Affected RPM Packages         postfix-2.3.3-2
                              [application]filesystem-2.4.0-1.el5.centos
                              [target]
Policy RPM                    selinux-policy-2.4.6-113.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.use_nfs_home_dirs
Host Name                     thp147.XXXXX
Platform                      Linux thp147.XXXXX 2.6.18-53.1.4.el5 #1
                              SMP Fri Nov 30 00:45:16 EST 2007 i686 i686
Alert Count                   186
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm="local" dev=0:22 egid=610 euid=3000
exe="/usr/libexec/postfix/local" exit=-13 fsgid=610 fsuid=3000 gid=0 items=0
name="" pid=2232 scontext=system_u:system_r:postfix_local_t:s0 sgid=0
subj=system_u:system_r:postfix_local_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:nfs_t:s0 tty=(none) uid=0
Comment 18 Daniel Walsh 2008-01-15 10:35:25 EST
Fixed in selinux-policy-2.4.6-114.el5

Ok try 114.

Comment 19 Andy Schofield 2008-01-15 11:10:36 EST
Now it looks like it is working! 
I have just done a quick test with 114 on one of the client machines and email
is now being delivered by postfix locally to an NFS mounted home directory when
selinux is enforcing. If I notice any further problems I will report back. Many
thanks.
Comment 22 errata-xmlrpc 2008-05-21 12:05:14 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html

Note You need to log in before you can comment on or make changes to this bug.