Bug 326631 - targeted policy prevents postcat from working
Summary: targeted policy prevents postcat from working
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy   
Version: 5.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
Keywords: OtherQA
Reported: 2007-10-10 17:08 UTC by Andreas Thienemann
Modified: 2008-05-21 16:05 UTC (History)

Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Last Closed: 2008-05-21 16:05:47 UTC

Attachments
strace log (30.29 KB, text/plain)
2007-10-11 13:44 UTC, Andreas Thienemann

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0465 normal SHIPPED_LIVE selinux-policy bug fix update 2008-05-20 14:36:31 UTC

Description Andreas Thienemann 2007-10-10 17:08:33 UTC
Calling postcat -q QUEUE_ID does not return the content of a mail from the queue
but exits.

Oct 10 18:04:22 relay01 kernel: audit(1192032262.956:31): avc:  denied  { write } for  pid=30375 comm="postcat" name="tmp" dev=dm-0 ino=720898 tcontext=root:object_r:user_home_t:s0 tclass=file

Comment 1 Daniel Walsh 2007-10-11 13:37:51 UTC
I am not sure what directory this is trying to write to?  The directory name is
tmp, but it is labeled user_home_t?  Do you have a tmp directory in a
home directory or is your /tmp labeled user_home_t?
ls -lZd /tmp

/tmp should be labeled tmp_t.

restorecon /tmp

Comment 2 Andreas Thienemann 2007-10-11 13:44:19 UTC
Created attachment 224291 [details]
strace log

Please see the attached strace log.

/tmp is correctly labeled as system_u:object_r:tmp_t

Comment 3 Andreas Thienemann 2007-10-11 13:57:12 UTC
Mhm. I have the feeling the audit messages posted above are misleading and
related to something else

I just tried it again:
postcat with enforcing enabled: no output, no audit log message however.
postcat with enforcing disabled: normal postcat output.

? ? ? ?

Comment 4 Daniel Walsh 2007-10-12 12:50:14 UTC
I am now thinking that this should not run as postfix at all.  If you just 

chcon -t bin_t PATHTOPOSTCAT

Does everything work?  Since this is just a user app and not going to be run by
confined apps I see no reason to add the postfix context to it.

Comment 5 Andreas Thienemann 2007-10-12 13:04:27 UTC
Changing the context to bin_t looks better.

The same problem exists with /usr/sbin/postmap when querying existing maps:
postmap -q cidr:/etc/postfix/access.mx.cidr will exhibit the same
problem as postcat when running with setenforce 1.

Comment 6 Daniel Walsh 2007-10-12 13:33:19 UTC
What avc's do you see with this command?

Comment 7 Andreas Thienemann 2007-10-12 17:16:22 UTC
none whatsoever:

[root@relay01 ~]# ls -alZ /usr/sbin/postmap 
-rwxr-xr-x  root root system_u:object_r:postfix_map_exec_t /usr/sbin/postmap
[root@relay01 ~]# getenforce
[root@relay01 ~]# postmap -q cidr:/etc/postfix/access.mx.cidr 
[root@relay01 ~]# setenforce 0
[root@relay01 ~]# postmap -q cidr:/etc/postfix/access.mx.cidr 
REJECT Invalid MX for receipient domain. ( localnet)
[root@relay01 ~]# dmesg | tail -n 2
audit(1192209107.803:48): enforcing=1 old_enforcing=0 auid=4294967295
audit(1192209169.022:49): enforcing=0 old_enforcing=1 auid=4294967295
[root@relay01 ~]# 
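The pattern in comments 4 through 7 is a classic SELinux triage case: the binary carries a postfix *_exec_t type, so a user's shell domain-transitions into the confined postfix domain on exec, the tool's write to the terminal or home directory is then denied, and in enforcing mode it just exits. That no AVC shows up (comment 7) is, in my reading, consistent with the policy dontauditing that denial; the thread itself only records that nothing was logged. The script below is an added helper, not code from the bug report or from the selinux-policy package: it parses the context and AVC formats quoted in this thread (sample lines are constructed from comment 0 and comment 7) and, given a path, prints what a triage needs. It assumes RHEL 5 era tooling: the `ls -Z` column layout shown in comment 7, `matchpathcon -n`, `getenforce`, and optionally setools `sesearch` and `semodule -DB` where the installed policycoreutils supports them.

```shell
#!/bin/sh
# Added diagnostic helper (not from the bug report or selinux-policy):
# explain why a Postfix command-line tool such as postcat or postmap goes
# silent under SELinux, and how to surface the hidden denial.
#
# Assumptions (not verified against the reporter's host): RHEL 5 style
# "ls -Z" output (mode owner group context path), matchpathcon -n,
# getenforce; sesearch and "semodule -DB" are only used when present.

# Type field of an SELinux context: system_u:object_r:bin_t[:s0] -> bin_t
ctx_type() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# Entry-point types end in _exec_t; executing such a file makes the caller
# change domain, which is exactly what bit postcat and postmap here.
is_entrypoint_type() {
    case "$1" in
        *_exec_t) return 0 ;;
        *)        return 1 ;;
    esac
}

# Context column of a RHEL 5 style "ls -Z" line (4th whitespace field).
ls_z_context() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# Reduce one AVC record to "comm perm tclass target-type" for quick triage.
avc_summary() {
    printf '%s\n' "$1" | awk '
      { for (i = 1; i <= NF; i++) {
          if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
          if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
          if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
          if ($i == "{")         { perm = $(i + 1) }
        }
        print comm, perm, tclass, ttype }'
}

# Live, read-only check of one binary: label on disk vs. the label policy
# expects, whether running it changes domain, and what to do about it.
diagnose_exec() {
    path=$1
    have=$(ls_z_context "$(ls -Z "$path")")
    want=$(matchpathcon -n "$path")
    printf 'enforcing:            %s\n' "$(getenforce)"
    printf 'label on disk:        %s\nlabel policy expects: %s\n' "$have" "$want"
    t=$(ctx_type "$have")
    if is_entrypoint_type "$t"; then
        echo "$t is an entry-point type: running $path from a shell changes domain"
        if command -v sesearch >/dev/null 2>&1; then
            # assumption: setools 3 syntax; lists type_transition rules on $t
            sesearch -T -t "$t" -c process 2>/dev/null
        fi
        echo "no AVC but no output? the denial may be dontaudit'd:"
        echo "  semodule -DB; rerun $path; ausearch -m avc -ts recent; semodule -B"
        echo "workaround from this thread: chcon -t bin_t $path"
        echo "  (semanage fcontext -a -t bin_t $path to survive a relabel)"
    else
        echo "$t is not an entry-point type; the caller keeps its own domain"
    fi
}

# Constructed samples, taken from comment 0 and comment 7 of this report.
SAMPLE_LS='-rwxr-xr-x  root root system_u:object_r:postfix_map_exec_t /usr/sbin/postmap'
SAMPLE_AVC='audit(1192032262.956:31): avc:  denied  { write } for  pid=30375 comm="postcat" name="tmp" dev=dm-0 ino=720898 tcontext=root:object_r:user_home_t:s0 tclass=file'

echo "sample context type: $(ctx_type "$(ls_z_context "$SAMPLE_LS")")"
echo "sample AVC summary:  $(avc_summary "$SAMPLE_AVC")"

# Only touch the live system when a path is given on the command line.
[ $# -eq 0 ] || diagnose_exec "$1"
```

Run as `sh selinux-exec-triage.sh /usr/sbin/postmap` on the affected host. The value of the `matchpathcon` line is that it separates the two cases Daniel Walsh raises in comment 1 and comment 4: a mislabelled file (disk label differs from policy, fix with `restorecon`) versus a policy decision that the file should not be an entry point at all (labels agree, fix is a policy change or the `bin_t` workaround).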

Comment 8 Daniel Walsh 2007-10-15 17:00:03 UTC
Fixed in selinux-policy-2.4.6-107

Comment 9 RHEL Product and Program Management 2007-10-30 16:54:26 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 10 Jay Turner 2007-11-30 07:33:32 UTC
QE ack for RHEL5.2.  Reproducer in comment 0.

Comment 11 Andreas Thienemann 2008-01-30 13:03:43 UTC
[root@relay01 ~]# postcat -q E463148BD0|head -1
*** ENVELOPE RECORDS hold/E463148BD0 ***
[root@relay01 ~]# 

Problem seems to be fixed in selinux-policy-2.4.6-107.

Comment 15 errata-xmlrpc 2008-05-21 16:05:47 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
