Bug 424001 - SELinux prevent postifx temporary files
Summary: SELinux prevent postifx temporary files
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Fedora
Classification: Fedora
Component: php
Version: 7
Hardware: x86_64
OS: Linux
low
low
Target Milestone: ---
Assignee: Joe Orton
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-12-13 19:59 UTC by Daniel Peterson
Modified: 2007-12-14 09:55 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-12-14 09:55:30 UTC
Type: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Daniel Peterson 2007-12-13 19:59:16 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.10) Gecko/20071128 Fedora/2.0.0.10-2.fc7 Firefox/2.0.0.10

Description of problem:
Summary
    SELinux is preventing the /usr/sbin/sendmail.postfix from using potentially
    mislabeled files (/tmp/.apc.541B8K (deleted)).

Detailed Description
    SELinux has denied /usr/sbin/sendmail.postfix access to potentially
    mislabeled file(s) (/tmp/.apc.541B8K (deleted)).  This means that SELinux
    will not allow /usr/sbin/sendmail.postfix to use these files.  It is common
    for users to edit files in their home directory or tmp directories and then
    move (mv) them to system directories.  The problem is that the files end up
    with the wrong file context which confined applications are not allowed to
    access.

Allowing Access
    If you want /usr/sbin/sendmail.postfix to access this files, you need to
    relabel them using restorecon -v /tmp/.apc.541B8K (deleted).  You might want
    to relabel the entire directory using restorecon -R -v /tmp.

Additional Information        

Source Context                system_u:system_r:system_mail_t
Target Context                system_u:object_r:httpd_tmp_t
Target Objects                /tmp/.apc.541B8K (deleted) [ file ]
Affected RPM Packages         postfix-2.4.5-2.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-61.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.home_tmp_bad_labels
Host Name                     newage.cosywallet.com
Platform                      Linux newage.cosywallet.com 2.6.23.8-34.fc7 #1 SMP
                              Thu Nov 22 20:39:56 EST 2007 x86_64 x86_64
Alert Count                   6
First Seen                    Thu 13 Dec 2007 03:49:17 PM CET
Last Seen                     Thu 13 Dec 2007 04:11:43 PM CET
Local ID                      b54b3f00-c896-46c5-9c5d-60d61da75b70
Line Numbers                  

Raw Audit Messages            

avc: denied { read, write } for comm="sendmail" dev=dm-0 egid=48 euid=48
exe="/usr/sbin/sendmail.postfix" exit=0 fsgid=48 fsuid=48 gid=48 items=0
path=2F746D702F2E6170632E35343142384B202864656C6574656429 pid=4430
scontext=system_u:system_r:system_mail_t:s0 sgid=48
subj=system_u:system_r:system_mail_t:s0 suid=48 tclass=file
tcontext=system_u:object_r:httpd_tmp_t:s0 tty=(none) uid=48



Version-Release number of selected component (if applicable):
postfix 2:2.4.5-2.fc7.x86_64 selinux-policy 2.6.4-61.fc7.noarch

How reproducible:
Always


Steps to Reproduce:
1.Create mail from php
2.
3.

Actual Results:


Expected Results:


Additional info:
Comment 1 Daniel Walsh 2007-12-13 20:15:39 UTC 
This is a leaked file descriptor from PHP.  Which your PHP/apache execs the
sendmail program it is not closing all of its file descriptors so the kernel
checks to see if system_mail has access, and then closes the file descriptor. 
You can safely ignore this, but upstream mod_php should be informed that they
have a leaked file descriptor
Comment 2 Daniel Peterson 2007-12-14 09:53:31 UTC 
I have reported the problem to the php team
Note You need to log in before you can comment on or make changes to this bug.