Bug 248699 - Problems with postfix and amavisd
Problems with postfix and amavisd
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
7
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-07-18 07:24 EDT by Paul Thompson
Modified: 2007-11-30 17:12 EST (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-22 10:11:07 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Paul Thompson 2007-07-18 07:24:24 EDT
Description of problem:
Installation of amavisd (& clamav) prompts several seLinux errors preventing
correct operation

Version-Release number of selected component (if applicable):
amavisd-new.noarch                       2.5.1-1.fc7            installed       
clamav.i386                              0.90.2-1.fc7           installed       
clamav-data.i386                         0.90.2-1.fc7           installed       
clamav-filesystem.i386                   0.90.2-1.fc7           installed       
clamav-lib.i386                          0.90.2-1.fc7           installed       
clamav-server.i386                       0.90.2-1.fc7           installed       
clamav-server-sysv.i386                  0.90.2-1.fc7           installed       
clamav-update.i386                       0.90.2-1.fc7           installed       
postfix.i386                             2:2.4.3-2.fc7          installed       
selinux-policy.noarch                    2.6.4-26.fc7           installed       
selinux-policy-targeted.noarch           2.6.4-26.fc7           installed  

How reproducible:
Send any email to mail server

Steps to Reproduce:
1. Send any email to mail server
2. 
3.
  
Actual results:
The following 3 seLinux error reports that prevent the system from receiving mail

Summary
    SELinux is preventing /usr/libexec/postfix/smtpd (postfix_smtpd_t)
    "sys_chroot" to <Unknown> (postfix_smtpd_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/postfix/smtpd. It is not
    expected that this access is required by /usr/libexec/postfix/smtpd and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                root:system_r:postfix_smtpd_t
Target Context                root:system_r:postfix_smtpd_t
Target Objects                None [ capability ]
Affected RPM Packages         postfix-2.4.3-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-26.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.catchall
Host Name                     sally.thompson
Platform                      Linux sally.thompson 2.6.21-1.3228.fc7 #1 SMP Tue
                              Jun 12 15:37:31 EDT 2007 i686 athlon
Alert Count                   7
First Seen                    Tue 17 Jul 2007 06:21:26 PM BST
Last Seen                     Wed 18 Jul 2007 05:04:34 AM BST
Local ID                      a5023033-72b3-4ab3-a8ce-7df514fe4a3c
Line Numbers                  

Raw Audit Messages            

avc: denied { sys_chroot } for comm="smtpd" egid=89 euid=0
exe="/usr/libexec/postfix/smtpd" exit=0 fsgid=89 fsuid=0 gid=89 items=0
pid=15466 scontext=root:system_r:postfix_smtpd_t:s0 sgid=89
subj=root:system_r:postfix_smtpd_t:s0 suid=0 tclass=capability
tcontext=root:system_r:postfix_smtpd_t:s0 tty=(none) uid=0

Summary
    SELinux is preventing /usr/sbin/clamd (clamd_t) "search" to amavisd
    (amavis_var_run_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/clamd. It is not expected that
    this access is required by /usr/sbin/clamd and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for amavisd, restorecon -v amavisd
    If this does not work, there is currently no automatic way to allow this
    access. Instead,  you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
    can disable SELinux protection altogether. Disabling SELinux protection is
    not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                root:system_r:clamd_t
Target Context                system_u:object_r:amavis_var_run_t
Target Objects                amavisd [ dir ]
Affected RPM Packages         clamav-server-0.90.2-1.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-26.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     sally.thompson
Platform                      Linux sally.thompson 2.6.21-1.3228.fc7 #1 SMP Tue
                              Jun 12 15:37:31 EDT 2007 i686 athlon
Alert Count                   1
First Seen                    Tue 17 Jul 2007 06:16:51 PM BST
Last Seen                     Tue 17 Jul 2007 06:16:51 PM BST
Local ID                      59117600-886c-4597-b00c-72babbd77ab7
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm="clamd.amavisd" dev=dm-0 egid=492 euid=493
exe="/usr/sbin/clamd" exit=-13 fsgid=492 fsuid=493 gid=492 items=0
name="amavisd" pid=11586 scontext=root:system_r:clamd_t:s0 sgid=492
subj=root:system_r:clamd_t:s0 suid=493 tclass=dir
tcontext=system_u:object_r:amavis_var_run_t:s0 tty=(none) uid=493

Summary
    SELinux is preventing /usr/bin/clamscan (clamscan_t) "search" to amavisd
    (amavis_spool_t).

Detailed Description
    SELinux denied access requested by /usr/bin/clamscan. It is not expected
    that this access is required by /usr/bin/clamscan and this access may signal
    an intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for amavisd, restorecon -v amavisd
    If this does not work, there is currently no automatic way to allow this
    access. Instead,  you can generate a local policy module to allow this
    access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
    can disable SELinux protection altogether. Disabling SELinux protection is
    not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                root:system_r:clamscan_t
Target Context                system_u:object_r:amavis_spool_t
Target Objects                amavisd [ dir ]
Affected RPM Packages         clamav-0.90.2-1.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-26.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     sally.thompson
Platform                      Linux sally.thompson 2.6.21-1.3228.fc7 #1 SMP Tue
                              Jun 12 15:37:31 EDT 2007 i686 athlon
Alert Count                   5
First Seen                    Tue 17 Jul 2007 05:45:28 PM BST
Last Seen                     Tue 17 Jul 2007 06:14:45 PM BST
Local ID                      ccb2bb92-400f-426f-8cf7-6bf1c5669dc5
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm="clamscan" dev=dm-0 egid=492 euid=493
exe="/usr/bin/clamscan" exit=-13 fsgid=492 fsuid=493 gid=492 items=0
name="amavisd" pid=11606 scontext=root:system_r:clamscan_t:s0 sgid=492
subj=root:system_r:clamscan_t:s0 suid=493 tclass=dir
tcontext=system_u:object_r:amavis_spool_t:s0 tty=(none) uid=493

Expected results:
No seLinux error reports - mail receipt to be processed successfully

Additional info:
Generated the following local policy to permit access:

module local 1.0;

require {
	type pppd_t;
	type amavis_var_run_t;
	type postfix_showq_t;
	type amavis_spool_t;
	type pppd_var_run_t;
	type postfix_smtpd_t;
	type clamd_t;
	type clamscan_t;
	type postfix_master_t;
	class capability sys_chroot;
	class dir search;
	class file { read write };
}

#============= clamd_t ==============
allow clamd_t amavis_var_run_t:dir search;

#============= clamscan_t ==============
allow clamscan_t amavis_spool_t:dir search;
#============= postfix_showq_t ==============
allow postfix_showq_t postfix_master_t:file read;

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t self:capability sys_chroot;
Comment 1 Daniel Walsh 2007-07-18 10:02:41 EDT
Fixed in selinux-policy-2.6.4-29.fc7
Comment 2 Daniel Walsh 2007-08-22 10:11:07 EDT
Closing as fixes are in the current release

Note You need to log in before you can comment on or make changes to this bug.