Bug 326631 - targeted policy prevents postcat from working
Summary: targeted policy prevents postcat from working
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-10-10 17:08 UTC by Andreas Thienemann
Modified: 2008-05-21 16:05 UTC (History)

Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-21 16:05:47 UTC
Target Upstream Version:
Embargoed:


Attachments
strace log (30.29 KB, text/plain), 2007-10-11 13:44 UTC, Andreas Thienemann


Links
Red Hat Product Errata RHBA-2008:0465 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix update, last updated 2008-05-20 14:36:31 UTC

Description Andreas Thienemann 2007-10-10 17:08:33 UTC
Calling postcat -q QUEUE_ID does not return the content of a mail from the queue
but exits.

Oct 10 18:04:22 relay01 kernel: audit(1192032262.956:31): avc:  denied  { write
} for  pid=30375 comm="postcat" name="tmp" dev=dm-0 ino=720898
scontext=root:system_r:postfix_master_t:s0-s0:c0.c1023
tcontext=root:object_r:user_home_t:s0 tclass=file

Comment 1 Daniel Walsh 2007-10-11 13:37:51 UTC
I am not sure what directory this is trying to write to?  The directory name is
tmp, but it is labeled user_home_t?  Do you have a tmp directory in a
home directory or is your /tmp labeled user_home_t?
ls -lZd /tmp

/tmp should be labeled tmp_t.

restorecon /tmp


Comment 2 Andreas Thienemann 2007-10-11 13:44:19 UTC
Created attachment 224291 [details]
strace log

Please see the attached strace log.

/tmp is correctly labeled as system_u:object_r:tmp_t

Comment 3 Andreas Thienemann 2007-10-11 13:57:12 UTC
Mhm. I have the feeling the audit messages posted above are misleading and
related to something else.

I just tried it again:
postcat with enforcing enabled: no output, no audit log message however.
postcat with enforcing disabled: normal postcat output.

? ? ? ?

Comment 4 Daniel Walsh 2007-10-12 12:50:14 UTC
I am now thinking that this should not run as postfix at all.  If you just 

chcon -t bin_t PATHTOPOSTCAT

does everything work?  Since this is just a user app and not going to be run by
confined apps, I see no reason to add the postfix context to it.

Comment 5 Andreas Thienemann 2007-10-12 13:04:27 UTC
Changing the context to bin_t looks better.

The same problem exists with /usr/sbin/postmap when querying existing maps:
postmap -q 127.0.0.1 cidr:/etc/postfix/access.mx.cidr will exhibit the same
problem as postcat when running with setenforce 1.


Comment 6 Daniel Walsh 2007-10-12 13:33:19 UTC
What avc's do you see with this command?

Comment 7 Andreas Thienemann 2007-10-12 17:16:22 UTC
None whatsoever:

[root@relay01 ~]# ls -alZ /usr/sbin/postmap 
-rwxr-xr-x  root root system_u:object_r:postfix_map_exec_t /usr/sbin/postmap
[root@relay01 ~]# getenforce
Enforcing
[root@relay01 ~]# postmap -q 127.0.0.1 cidr:/etc/postfix/access.mx.cidr 
[root@relay01 ~]# setenforce 0
[root@relay01 ~]# postmap -q 127.0.0.1 cidr:/etc/postfix/access.mx.cidr 
REJECT Invalid MX for receipient domain. (127.0.0.0/8 localnet)
[root@relay01 ~]# dmesg | tail -n 2
audit(1192209107.803:48): enforcing=1 old_enforcing=0 auid=4294967295
audit(1192209169.022:49): enforcing=0 old_enforcing=1 auid=4294967295
[root@relay01 ~]# 
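
Added example (not code from this bug report, nor from the Postfix or selinux-policy projects): the first part parses an AVC denial line into its fields and derives the allow rule audit2allow would print for it, using the denial quoted in comment 0 as constructed input. The second part is the triage a practitioner runs for the symptom in comments 3 and 7: the command fails only under "setenforce 1" yet logs no AVC, which is what a dontaudit rule in the loaded policy looks like from the outside. The triage function assumes the policycoreutils and audit tools (getenforce, semodule with -DB support, ausearch, audit2allow) are installed, and only runs on an SELinux host; the binary path and the reproduction command are whatever you pass in.

```sh
#!/bin/sh
# Part 1: parse one AVC denial line and turn it into an audit2allow-style rule.
# Part 2: surface a denial that a dontaudit rule is hiding.

# Constructed input: the denial from comment 0 of this bug, joined onto one line.
SAMPLE_AVC='Oct 10 18:04:22 relay01 kernel: audit(1192032262.956:31): avc:  denied  { write } for  pid=30375 comm="postcat" name="tmp" dev=dm-0 ino=720898 scontext=root:system_r:postfix_master_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file'

# avc_field LINE KEY: value of KEY=value (surrounding quotes stripped); empty if absent.
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permission list between "{" and "}", e.g. "write" or "read open".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# se_type CONTEXT: the type component of user:role:type[:mls-range].
se_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_rule LINE: the rule audit2allow would generate for this one denial.
# For SAMPLE_AVC this is: allow postfix_master_t user_home_t:file { write };
avc_to_rule() {
    sdom=$(se_type "$(avc_field "$1" scontext)")
    ttype=$(se_type "$(avc_field "$1" tcontext)")
    printf 'allow %s %s:%s { %s };\n' \
        "$sdom" "$ttype" "$(avc_field "$1" tclass)" "$(avc_perms "$1")"
}

# triage_silent_denial BINARY CMD...: re-run CMD with dontaudit rules disabled so
# the hidden denial is logged, print it as an allow rule, then restore the policy.
# Must run as root on the affected SELinux host (assumption: tools listed below exist).
triage_silent_denial() {
    bin=$1; shift
    for tool in getenforce semodule ausearch audit2allow; do
        command -v "$tool" >/dev/null 2>&1 ||
            { echo "$tool not found; run this on the SELinux host" >&2; return 1; }
    done
    echo "mode: $(getenforce)"
    ls -Z "$bin"                  # an *_exec_t label means exec transitions into a confined domain
    semodule -DB                  # rebuild the policy with dontaudit rules disabled
    "$@" >/dev/null 2>&1 || true  # reproduce the failure; the denial is now audited
    ausearch -m avc -ts recent | audit2allow   # the denial, as the rule it would need
    semodule -B                   # rebuild with the dontaudit rules back in place
}

# Demo: the rule for the comment 0 denial.
avc_to_rule "$SAMPLE_AVC"
```

Usage on the affected host, for the postmap case from comment 7: triage_silent_denial /usr/sbin/postmap postmap -q 127.0.0.1 cidr:/etc/postfix/access.mx.cidr. Treat the rule audit2allow prints as a diagnosis, not a fix: loading "allow postfix_master_t user_home_t:file { write }" would let every process in the postfix master domain write files in home directories, which is exactly what the confinement is there to prevent. The narrower answer, as in comment 4, is to stop running an administrative query tool in the daemon's domain at all. Note that chcon -t bin_t is lost on the next restorecon or relabel; if a box cannot take the fixed policy, make it persistent with semanage fcontext -a -t bin_t /usr/sbin/postcat followed by restorecon -v /usr/sbin/postcat.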


Comment 8 Daniel Walsh 2007-10-15 17:00:03 UTC
Fixed in selinux-policy-2.4.6-107

Comment 9 RHEL Program Management 2007-10-30 16:54:26 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 10 Jay Turner 2007-11-30 07:33:32 UTC
QE ack for RHEL5.2.  Reproducer in comment 0.

Comment 11 Andreas Thienemann 2008-01-30 13:03:43 UTC
[root@relay01 ~]# postcat -q E463148BD0|head -1
*** ENVELOPE RECORDS hold/E463148BD0 ***
[root@relay01 ~]# 

Problem seems to be fixed in selinux-policy-2.4.6-107.

Comment 15 errata-xmlrpc 2008-05-21 16:05:47 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html


