Bug 344651 - AVC: preventing local (postfix_local_t) "write" to (mail_spool_t)
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
All Linux
low Severity low
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2007-10-21 14:39 EDT by Jan Hutař
Modified: 2007-11-30 17:12 EST

Last Closed: 2007-10-22 09:03:08 EDT

Attachments
sealert report (2.19 KB, text/plain), 2007-10-21 14:39 EDT, Jan Hutař
audit.log as requested (1.66 KB, application/octet-stream), 2007-10-22 10:08 EDT, Jan Hutař

Description Jan Hutař 2007-10-21 14:39:59 EDT
Description of problem:
Maybe this is just some misconfiguration on my side, but when I try to send email 
to root (e.g. logwatch does so), I'm getting an AVC. I'm using postfix.

#============= postfix_local_t ==============
allow postfix_local_t mail_spool_t:file write;

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. mail root

Actual results:
AVC - see attachment

Expected results:

# ls -Z /var/spool/mail/
-rw-------  root       root system_u:object_r:mail_spool_t:s0 root
----------  root       mail system_u:object_r:mail_spool_t:s0 root.lock
Comment 1 Jan Hutař 2007-10-21 14:39:59 EDT
Created attachment 233641
sealert report
Comment 2 Daniel Walsh 2007-10-22 09:03:08 EDT
sealert should have told you to turn on the allow_postfix_local_write_mail_spool

I will add an sealert plugin.

setsebool -P allow_postfix_local_write_mail_spool 1

Will fix your problem.
Comment 3 Daniel Walsh 2007-10-22 09:19:40 EDT
Could you please attach your /var/log/audit/audit.log?
Comment 4 Jan Hutař 2007-10-22 10:08:48 EDT
Created attachment 234101
audit.log as requested
Comment 5 Jan Hutař 2007-10-22 10:17:53 EDT
So, I think

setsebool -P allow_postfix_local_write_mail_spool 1

should be default for postfix, right?

Thank you.

PS. I'm using setroubleshoot-1.10.7-1.fc8
Comment 6 Daniel Walsh 2007-10-22 11:20:28 EDT
I will change to default to true.
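
Added example (not part of the original bug thread, and not the code of audit2allow or setroubleshoot): a Python parser showing how AVC denial records in audit.log reduce to the `allow postfix_local_t mail_spool_t:file write;` summary quoted in the description. The log lines are constructed, not taken from the reporter's attachment, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not the reporter's attachment). Timestamps, pids
# and inode numbers are made up; the SELinux types match the denial in this bug.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1192991999.100:41): avc:  denied  { write } for  pid=2301 comm="local" name="root" dev=dm-0 ino=98310 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1192991999.100:41): arch=40000003 syscall=5 success=no exit=-13 comm="local" exe="/usr/libexec/postfix/local"
type=AVC msg=audit(1192992050.200:57): avc:  denied  { write } for  pid=2342 comm="local" name="root" dev=dm-0 ino=98310 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=AVC msg=audit(1192992051.300:58): avc:  denied  { write } for  pid=2350 comm="local" scontext=system_u:system_r:postfix_local_t:s0
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perm) per denied permission."""
    for line in log_text.splitlines():
        if not line.startswith('type=AVC'):
            continue  # SYSCALL, PATH and other record types carry no verdict
        match = AVC_RE.search(line)
        if not match:
            continue  # e.g. "granted" records
        fields = dict(FIELD_RE.findall(line))
        src = type_of(fields.get('scontext', ''))
        tgt = type_of(fields.get('tcontext', ''))
        tclass = fields.get('tclass')
        if not (src and tgt and tclass):
            continue  # truncated record: do not guess the missing fields
        for perm in match.group('perms').split():
            yield src, tgt, tclass, perm

def to_allow_rules(log_text):
    """Collapse repeated denials into audit2allow-style rule text."""
    grouped = defaultdict(set)
    for src, tgt, tclass, perm in parse_denials(log_text):
        grouped[(src, tgt, tclass)].add(perm)
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{tclass} {perm_text};')
    return rules
```

The rule text only summarizes what was denied. In this thread the remedy is the existing boolean (`setsebool -P allow_postfix_local_write_mail_spool 1`), not a custom policy module built from that rule.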
