Bug 326631 - targeted policy prevents postcat from working
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: OtherQA
Reported: 2007-10-10 13:08 EDT by Andreas Thienemann
Modified: 2008-05-21 12:05 EDT (History)
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Last Closed: 2008-05-21 12:05:47 EDT
Attachments
strace log (30.29 KB, text/plain), 2007-10-11 09:44 EDT, Andreas Thienemann

Description Andreas Thienemann 2007-10-10 13:08:33 EDT
Calling postcat -q QUEUE_ID does not return the content of a mail from the queue
but exits.

Oct 10 18:04:22 relay01 kernel: audit(1192032262.956:31): avc:  denied  { write } for  pid=30375 comm="postcat" name="tmp" dev=dm-0 ino=720898 scontext=root:system_r:postfix_master_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
Comment 1 Daniel Walsh 2007-10-11 09:37:51 EDT
I am not sure what directory this is trying to write to?  The directory name is
tmp, but it is labeled user_home_t?  Do you have a tmp directory in a
home directory, or is your /tmp labeled user_home_t?
ls -lZd /tmp

/tmp should be labeled tmp_t.

restorecon /tmp
Comment 2 Andreas Thienemann 2007-10-11 09:44:19 EDT
Created attachment 224291 [details]
strace log

Please see the attached strace log.

/tmp is correctly labeled as system_u:object_r:tmp_t
Comment 3 Andreas Thienemann 2007-10-11 09:57:12 EDT
Mhm. I have the feeling the audit messages posted above are misleading and
related to something else.

I just tried it again:
postcat with enforcing enabled: no output, no audit log message however.
postcat with enforcing disabled: normal postcat output.

? ? ? ?
Comment 4 Daniel Walsh 2007-10-12 08:50:14 EDT
I am now thinking that this should not run as postfix at all.  If you just 

chcon -t bin_t PATHTOPOSTCAT

Does everything work?  Since this is just a user app and not going to be run by
confined apps I see no reason to add the postfix context to it.
Comment 5 Andreas Thienemann 2007-10-12 09:04:27 EDT
Changing the context to bin_t looks better.

The same problem exists with /usr/sbin/postmap when querying existing maps:
postmap -q 127.0.0.1 cidr:/etc/postfix/access.mx.cidr will exhibit the same
problem as postcat when running with setenforce 1.
Comment 6 Daniel Walsh 2007-10-12 09:33:19 EDT
What avc's do you see with this command?
Comment 7 Andreas Thienemann 2007-10-12 13:16:22 EDT
none whatsoever:

[root@relay01 ~]# ls -alZ /usr/sbin/postmap 
-rwxr-xr-x  root root system_u:object_r:postfix_map_exec_t /usr/sbin/postmap
[root@relay01 ~]# getenforce
Enforcing
[root@relay01 ~]# postmap -q 127.0.0.1 cidr:/etc/postfix/access.mx.cidr 
[root@relay01 ~]# setenforce 0
[root@relay01 ~]# postmap -q 127.0.0.1 cidr:/etc/postfix/access.mx.cidr 
REJECT Invalid MX for receipient domain. (127.0.0.0/8 localnet)
[root@relay01 ~]# dmesg | tail -n 2
audit(1192209107.803:48): enforcing=1 old_enforcing=0 auid=4294967295
audit(1192209169.022:49): enforcing=0 old_enforcing=1 auid=4294967295
[root@relay01 ~]# 
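The two kinds of audit records that appear in this report (the AVC denial in comment 0 and the enforcing=/old_enforcing= records in comment 7) are easy to triage mechanically. The parser below is an added example, not code from the bug report or from the selinux-policy package: it extracts the source and target types from an AVC denial, flags a denied object whose type is not the one expected for its name (the check Daniel Walsh asked for in comment 1), and records each enforcing-mode flip. The EXPECTED_TYPES table and the "granted" sample line are constructed for the example; the other sample lines are copied from the comments above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input. The AVC line and the two enforcing= lines are copied from this
# bug report (comment 0 and comment 7); the 'granted' line is constructed to
# show that non-denial records are skipped.
SAMPLE_LOG = [
    'Oct 10 18:04:22 relay01 kernel: audit(1192032262.956:31): avc:  denied  { write } '
    'for  pid=30375 comm="postcat" name="tmp" dev=dm-0 ino=720898 '
    'scontext=root:system_r:postfix_master_t:s0-s0:c0.c1023 '
    'tcontext=root:object_r:user_home_t:s0 tclass=file',
    'audit(1192209107.803:48): enforcing=1 old_enforcing=0 auid=4294967295',
    'audit(1192209169.022:49): enforcing=0 old_enforcing=1 auid=4294967295',
    'audit(1192209200.000:50): avc:  granted  { read } for  pid=1 comm="init" '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

# Kernel AVC record: audit(<secs>.<ms>:<serial>): avc: denied { perms } for k=v k=v ...
AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+(?P<result>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
# Enforcing-mode change record written when setenforce flips the mode.
MODE_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*enforcing=(?P<new>[01])\s+old_enforcing=(?P<old>[01])'
)
# key=value pairs; values may be double-quoted (comm="postcat") or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    timestamp: float
    serial: int
    perms: List[str]
    fields: Dict[str, str]

    def source_type(self) -> str:
        # A context is user:role:type[:range]; the type is the third component.
        return self.fields["scontext"].split(":")[2]

    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    def describe(self) -> str:
        return "{src} denied {perms} on {cls} labeled {tgt} (comm={comm}, name={name})".format(
            src=self.source_type(), perms=",".join(self.perms),
            cls=self.fields.get("tclass", "?"), tgt=self.target_type(),
            comm=self.fields.get("comm", "?"), name=self.fields.get("name", "?"))


@dataclass
class ModeChange:
    timestamp: float
    serial: int
    enforcing: bool


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Return an AvcDenial for a 'denied' AVC record, None for anything else."""
    m = AVC_RE.search(line)
    if not m or m.group("result") != "denied":
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(float(m.group("ts")), int(m.group("serial")), m.group("perms").split(), fields)


def parse_mode_change(line: str) -> Optional[ModeChange]:
    m = MODE_RE.search(line)
    if not m:
        return None
    return ModeChange(float(m.group("ts")), int(m.group("serial")), m.group("new") == "1")


# Object types expected for well-known names; constructed table seeded from
# comment 1's observation that /tmp should carry tmp_t.
EXPECTED_TYPES = {"tmp": "tmp_t"}


def mislabel_hint(denial: AvcDenial) -> Optional[str]:
    """Point at a possible relabel when the denied object carries an unexpected type."""
    expected = EXPECTED_TYPES.get(denial.fields.get("name", ""))
    if expected and denial.target_type() != expected:
        return "object '%s' is %s but is normally %s; check with ls -Z and relabel with restorecon" % (
            denial.fields["name"], denial.target_type(), expected)
    return None


def summarize(lines: List[str]) -> Dict[str, list]:
    """Split a log into AVC denials and enforcing-mode changes for triage."""
    denials, changes = [], []
    for line in lines:
        d = parse_avc(line)
        if d:
            denials.append(d)
            continue
        c = parse_mode_change(line)
        if c:
            changes.append(c)
    return {"denials": denials, "mode_changes": changes}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for d in report["denials"]:
        print(d.describe())
        hint = mislabel_hint(d)
        if hint:
            print("  hint:", hint)
    for c in report["mode_changes"]:
        print("mode change #%d: enforcing=%s" % (c.serial, c.enforcing))
```

Two points follow from the thread itself. A command that fails under enforcing mode without producing any AVC (comment 3 and comment 7) is not the same as a clean run: the denied permission may be covered by a dontaudit rule, so a summary like this has to be read together with the command's exit status. And a logged switch to enforcing=0 on a mail relay is a security event in its own right, which is why the parser keeps the mode changes rather than discarding them.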
Comment 8 Daniel Walsh 2007-10-15 13:00:03 EDT
Fixed in selinux-policy-2.4.6-107
Comment 9 RHEL Product and Program Management 2007-10-30 12:54:26 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 10 Jay Turner 2007-11-30 02:33:32 EST
QE ack for RHEL5.2.  Reproducer in comment 0.
Comment 11 Andreas Thienemann 2008-01-30 08:03:43 EST
[root@relay01 ~]# postcat -q E463148BD0|head -1
*** ENVELOPE RECORDS hold/E463148BD0 ***
[root@relay01 ~]# 

Problem seems to be fixed in selinux-policy-2.4.6-107.
Comment 15 errata-xmlrpc 2008-05-21 12:05:47 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html
