Bug 326631 - targeted policy prevents postcat from working
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: OtherQA
Reported: 2007-10-10 13:08 EDT by Andreas Thienemann
Modified: 2008-05-21 12:05 EDT
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Last Closed: 2008-05-21 12:05:47 EDT

Attachments
strace log (30.29 KB, text/plain), 2007-10-11 09:44 EDT, Andreas Thienemann

External Trackers
Tracker ID: Red Hat Product Errata RHBA-2008:0465 | Priority: normal | Status: SHIPPED_LIVE | Summary: selinux-policy bug fix update | Last Updated: 2008-05-20 10:36:31 EDT
Description Andreas Thienemann 2007-10-10 13:08:33 EDT
Calling postcat -q QUEUE_ID does not return the content of a mail from the queue but exits.

Oct 10 18:04:22 relay01 kernel: audit(1192032262.956:31): avc:  denied  { write } for  pid=30375 comm="postcat" name="tmp" dev=dm-0 ino=720898 tcontext=root:object_r:user_home_t:s0 tclass=file
Comment 1 Daniel Walsh 2007-10-11 09:37:51 EDT
I am not sure what directory this is trying to write to?  The directory name is tmp, but it is labeled user_home_t?  Do you have a tmp directory in a home directory or is your /tmp labeled user_home_t?
ls -lZd /tmp

/tmp should be labeled tmp_t.

restorecon /tmp
Comment 2 Andreas Thienemann 2007-10-11 09:44:19 EDT
Created attachment 224291 [details]
strace log

Please see the attached strace log.

/tmp is correctly labeled as system_u:object_r:tmp_t
Comment 3 Andreas Thienemann 2007-10-11 09:57:12 EDT
Mhm. I have the feeling the audit messages posted above are misleading and related to something else.

I just tried it again:
postcat with enforcing enabled: no output, no audit log message however.
postcat with enforcing disabled: normal postcat output.

? ? ? ?
Comment 4 Daniel Walsh 2007-10-12 08:50:14 EDT
I am now thinking that this should not run as postfix at all.  If you just 

chcon -t bin_t PATHTOPOSTCAT

Does everything work?  Since this is just a user app and not going to be run by
confined apps I see no reason to add the postfix context to it.
Comment 5 Andreas Thienemann 2007-10-12 09:04:27 EDT
Changing the context to bin_t looks better.

The same problem exists with /usr/sbin/postmap when querying existing maps:
postmap -q cidr:/etc/postfix/access.mx.cidr will exhibit the same
problem as postcat when running with setenforce 1.
Comment 6 Daniel Walsh 2007-10-12 09:33:19 EDT
What avc's do you see with this command?
Comment 7 Andreas Thienemann 2007-10-12 13:16:22 EDT
none whatsoever:

[root@relay01 ~]# ls -alZ /usr/sbin/postmap 
-rwxr-xr-x  root root system_u:object_r:postfix_map_exec_t /usr/sbin/postmap
[root@relay01 ~]# getenforce
[root@relay01 ~]# postmap -q cidr:/etc/postfix/access.mx.cidr 
[root@relay01 ~]# setenforce 0
[root@relay01 ~]# postmap -q cidr:/etc/postfix/access.mx.cidr 
REJECT Invalid MX for receipient domain. ( localnet)
[root@relay01 ~]# dmesg | tail -n 2
audit(1192209107.803:48): enforcing=1 old_enforcing=0 auid=4294967295
audit(1192209169.022:49): enforcing=0 old_enforcing=1 auid=4294967295
[root@relay01 ~]# 
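The two kinds of kernel audit lines quoted in this report (the AVC denial in the description and the enforcing-mode changes in the dmesg output above) are what a defender would want to pull out of a log automatically: a denial whose target looks mislabeled (the point Dan raises in comment 1) and a switch to permissive mode. The parser below is an added example written for this page, not code from the bug report or from the selinux-policy project; the sample log is constructed from the lines quoted above, and the EXPECTED_TYPES table is an illustrative assumption mapping a basename to the type it is expected to carry.

```python
"""Parse kernel audit records (AVC denials and SELinux mode changes) and raise
findings a SOC would care about.  Added example, not part of the bug report."""
import re
from typing import Optional

# Constructed sample, based on the lines quoted in this bug.  The AVC record is
# reflowed onto one line, which is how the kernel actually emits it.
SAMPLE_LOG = """\
Oct 10 18:04:22 relay01 kernel: audit(1192032262.956:31): avc:  denied  { write } for  pid=30375 comm="postcat" name="tmp" dev=dm-0 ino=720898 tcontext=root:object_r:user_home_t:s0 tclass=file
audit(1192209107.803:48): enforcing=1 old_enforcing=0 auid=4294967295
audit(1192209169.022:49): enforcing=0 old_enforcing=1 auid=4294967295
"""

# Illustrative assumption: basename -> type the object is expected to carry.
# For /tmp the expected type is tmp_t (comment 1); add entries for your own paths.
EXPECTED_TYPES = {"tmp": "tmp_t"}

AUDIT_RE = re.compile(r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted


def _kv(text: str) -> dict:
    """Turn 'pid=1 comm="x" ...' into a dict, stripping the surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def split_context(ctx: str) -> dict:
    """Split user:role:type[:level]; the MLS level is absent on some systems."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        return {"raw": ctx}
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) > 3 else None}


def parse_audit_line(line: str) -> Optional[dict]:
    """Return a record dict for an audit line, or None if the line is not one."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"])}
    body = m["body"]
    avc = AVC_RE.search(body)
    if avc:
        fields = _kv(avc["fields"])
        rec.update(kind="avc", result=avc["result"], perms=avc["perms"].split(), fields=fields)
        if "tcontext" in fields:
            rec["tcontext_parts"] = split_context(fields["tcontext"])
        return rec
    fields = _kv(body)
    if "enforcing" in fields and "old_enforcing" in fields:
        # auid=4294967295 is (u32)-1, i.e. no login uid was set for the process.
        rec.update(kind="mode_change", enforcing=int(fields["enforcing"]),
                   old_enforcing=int(fields["old_enforcing"]), fields=fields)
        return rec
    rec.update(kind="other", fields=fields)
    return rec


def analyze(lines) -> list:
    """Map raw log lines to findings: denials (with a mislabel hint) and permissive switches."""
    findings = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue
        if rec["kind"] == "avc" and rec["result"] == "denied":
            f = rec["fields"]
            ttype = rec.get("tcontext_parts", {}).get("type")
            msg = (f"AVC denial: comm={f.get('comm')} pid={f.get('pid')} "
                   f"{'/'.join(rec['perms'])} on {f.get('tclass')} '{f.get('name')}' labeled {ttype}")
            expected = EXPECTED_TYPES.get(f.get("name", ""))
            if expected and ttype != expected:
                msg += f"; possible mislabel, expected {expected} (check ls -Zd, then restorecon)"
            findings.append({"severity": "medium", "message": msg})
        elif rec["kind"] == "mode_change" and rec["enforcing"] == 0 and rec["old_enforcing"] == 1:
            findings.append({"severity": "high",
                             "message": f"SELinux switched to permissive at {rec['ts']} "
                                        f"(auid={rec['fields'].get('auid')})"})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding["severity"].upper(), finding["message"])
```

Run against the constructed sample, the first record is reported as a denial with a mislabel hint (name is tmp but the type is user_home_t, not tmp_t) and the third as a high-severity switch to permissive mode; the enforcing=1 record is deliberately not alerted on. On a real host the input would be the lines from /var/log/audit/audit.log or dmesg rather than the embedded sample.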
Comment 8 Daniel Walsh 2007-10-15 13:00:03 EDT
Fixed in selinux-policy-2.4.6-107
Comment 9 RHEL Product and Program Management 2007-10-30 12:54:26 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 10 Jay Turner 2007-11-30 02:33:32 EST
QE ack for RHEL5.2.  Reproducer in comment 0.
Comment 11 Andreas Thienemann 2008-01-30 08:03:43 EST
[root@relay01 ~]# postcat -q E463148BD0|head -1
*** ENVELOPE RECORDS hold/E463148BD0 ***
[root@relay01 ~]# 

Problem seems to be fixed in selinux-policy-2.4.6-107.
Comment 15 errata-xmlrpc 2008-05-21 12:05:47 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
