Bug 424001 - SELinux prevent postfix temporary files
Status: CLOSED DEFERRED
Product: Fedora
Classification: Fedora
Component: php
Version: 7
Hardware: x86_64 Linux
Priority: low
Severity: low
Assigned To: Joe Orton
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-12-13 14:59 EST by Daniel Peterson
Modified: 2007-12-14 04:55 EST
Doc Type: Bug Fix
Last Closed: 2007-12-14 04:55:30 EST


Description Daniel Peterson 2007-12-13 14:59:16 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.10) Gecko/20071128 Fedora/2.0.0.10-2.fc7 Firefox/2.0.0.10

Description of problem:
Summary
    SELinux is preventing the /usr/sbin/sendmail.postfix from using potentially
    mislabeled files (/tmp/.apc.541B8K (deleted)).

Detailed Description
    SELinux has denied /usr/sbin/sendmail.postfix access to potentially
    mislabeled file(s) (/tmp/.apc.541B8K (deleted)).  This means that SELinux
    will not allow /usr/sbin/sendmail.postfix to use these files.  It is common
    for users to edit files in their home directory or tmp directories and then
    move (mv) them to system directories.  The problem is that the files end up
    with the wrong file context which confined applications are not allowed to
    access.

Allowing Access
    If you want /usr/sbin/sendmail.postfix to access this files, you need to
    relabel them using restorecon -v /tmp/.apc.541B8K (deleted).  You might want
    to relabel the entire directory using restorecon -R -v /tmp.

Additional Information        

Source Context                system_u:system_r:system_mail_t
Target Context                system_u:object_r:httpd_tmp_t
Target Objects                /tmp/.apc.541B8K (deleted) [ file ]
Affected RPM Packages         postfix-2.4.5-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-61.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.home_tmp_bad_labels
Host Name                     newage.cosywallet.com
Platform                      Linux newage.cosywallet.com 2.6.23.8-34.fc7 #1 SMP
                              Thu Nov 22 20:39:56 EST 2007 x86_64 x86_64
Alert Count                   6
First Seen                    Thu 13 Dec 2007 03:49:17 PM CET
Last Seen                     Thu 13 Dec 2007 04:11:43 PM CET
Local ID                      b54b3f00-c896-46c5-9c5d-60d61da75b70
Line Numbers                  

Raw Audit Messages            

avc: denied { read, write } for comm="sendmail" dev=dm-0 egid=48 euid=48
exe="/usr/sbin/sendmail.postfix" exit=0 fsgid=48 fsuid=48 gid=48 items=0
path=2F746D702F2E6170632E35343142384B202864656C6574656429 pid=4430
scontext=system_u:system_r:system_mail_t:s0 sgid=48
subj=system_u:system_r:system_mail_t:s0 suid=48 tclass=file
tcontext=system_u:object_r:httpd_tmp_t:s0 tty=(none) uid=48



Version-Release number of selected component (if applicable):
postfix 2:2.4.5-2.fc7.x86_64 selinux-policy 2.6.4-61.fc7.noarch

How reproducible:
Always


Steps to Reproduce:
1. Create mail from php

Comment 1 Daniel Walsh 2007-12-13 15:15:39 EST
This is a leaked file descriptor from PHP. When your PHP/apache execs the
sendmail program it is not closing all of its file descriptors, so the kernel
checks to see if system_mail has access, and then closes the file descriptor.
You can safely ignore this, but upstream mod_php should be informed that they
have a leaked file descriptor.
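
The descriptor inheritance described in Comment 1, reproduced as an added example (not code from PHP, APC, Postfix or this report): a parent opens an unlinked temp file and execs a helper, first with default flags and then with FD_CLOEXEC set. It assumes Linux with /proc mounted and /bin/sh present; the function name, the temp-file name and the shell stand-in for sendmail are constructed for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if a program started with exec() still holds the parent's
 * temp-file descriptor, 0 if it does not, -1 on error.
 * Hypothetical helper; assumes Linux with /proc and /bin/sh. */
int exec_child_sees_fd(int set_cloexec)
{
    char tmpl[] = "/tmp/.demo.XXXXXX";   /* constructed name */
    char fdstr[16];
    int status;
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    unlink(tmpl);   /* open but unlinked: audit logs show "(deleted)" */

    /* Hardened variant: mark the descriptor close-on-exec. */
    if (set_cloexec && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        close(fd);
        return -1;
    }
    snprintf(fdstr, sizeof fdstr, "%d", fd);

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        /* Stand-in for the exec'd helper (sendmail in the report):
         * the shell checks whether it inherited descriptor $1. */
        execl("/bin/sh", "sh", "-c", "test -L /proc/self/fd/$1",
              "sh", fdstr, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        status = -1;
    close(fd);
    if (status < 0 || !WIFEXITED(status) || WEXITSTATUS(status) > 1)
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("default flags: inherited=%d\n", exec_child_sees_fd(0));
    printf("FD_CLOEXEC:    inherited=%d\n", exec_child_sees_fd(1));
    return 0;
}
```

With default flags the helper starts with the parent's descriptor already open, which is the point at which SELinux checks it against the helper's domain. With FD_CLOEXEC the kernel closes the descriptor during exec, so there is nothing to check.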
Comment 2 Daniel Peterson 2007-12-14 04:53:31 EST
I have reported the problem to the php team.
