Bug 428039 - postgrey policy is not working
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2008-01-08 16:08 EST by Nils Philippsen
Modified: 2008-11-17 17:02 EST
Last Closed: 2008-11-17 17:02:48 EST
Doc Type: Bug Fix
Attachments: None

Description Nils Philippsen 2008-01-08 16:08:38 EST
Description of problem:

Postgrey is denied access to its own whitelist files because they are labeled as
postfix_etc_t. Postgrey is denied something else which I can't really decipher
(see audit message below).

Version-Release number of selected component (if applicable):

postfix-2.4.5-2.fc8
postgrey-1.30-1.fc8
selinux-policy-targeted-3.0.8-72.fc8

How reproducible:

install postfix+postgrey, configure postfix to use postgrey-service

Steps to Reproduce:
1. install postfix, postgrey
2. configure postfix to actually use postgrey
  
Actual results:

postgrey is unable to access its whitelist files:
/etc/postfix/postgrey_whitelist_clients
/etc/postfix/postgrey_whitelist_clients.local
/etc/postfix/postgrey_whitelist_recipients

avc: denied { search } for comm=postgrey dev=dm-0 name=postfix pid=6430 scontext=unconfined_u:system_r:postgrey_t:s0 tclass=dir tcontext=system_u:object_r:postfix_etc_t:s0

Other audit message I can't decipher:

avc: denied { dac_override } for comm=postgrey egid=0 euid=0 exe=/usr/bin/perl exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=6431 scontext=unconfined_u:system_r:postgrey_t:s0 sgid=0 subj=unconfined_u:system_r:postgrey_t:s0 suid=0 tclass=capability tcontext=unconfined_u:system_r:postgrey_t:s0 tty=(none) uid=0

Expected results:
no error/warning

Additional info:
Comment 1 Daniel Walsh 2008-01-08 16:16:43 EST
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-75.fc8
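
The two commands above generate and load whatever rules the logged denials imply, without showing them. As an added example (not part of this bug, of audit2allow or of the Fedora policy), the following Python rebuilds the core of that step so the rules can be read before they are loaded: it parses AVC records from a constructed audit.log sample assembled from the denials quoted in this bug (timestamps, pids and the SYSCALL record are made up), groups them the way audit2allow does, renders a .te module in the same shape, and flags the rules a reviewer should question. A capability grant such as dac_override, or write access to another service's types, is where a blanket allow is usually the wrong fix compared with relabeling the files or giving them a dedicated type; the flagging thresholds are this example's own choice.

```python
"""Parse SELinux AVC denials and draft the allow rules audit2allow would emit.

Added example (not part of the bug or of the selinux-policy package): it
re-implements the core of `audit2allow -M mypol -i /var/log/audit/audit.log`
so the resulting rules can be read and judged before `semodule -i mypol.pp`.
"""
import re
from collections import defaultdict

# Constructed sample audit.log content, rebuilt from the denials quoted in
# this bug (search on postfix_etc_t, dac_override, write on postfix_spool_t).
# Timestamps, pids and the SYSCALL record are made up for the example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1199826498.120:301): avc:  denied  { search } for  pid=6430 comm="postgrey" name="postfix" dev=dm-0 scontext=unconfined_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir
type=AVC msg=audit(1199826498.455:302): avc:  denied  { dac_override } for  pid=6431 comm="postgrey" capability=1 scontext=unconfined_u:system_r:postgrey_t:s0 tcontext=unconfined_u:system_r:postgrey_t:s0 tclass=capability
type=SYSCALL msg=audit(1199826498.455:302): arch=c000003e syscall=2 success=no exit=-13 comm="postgrey" exe="/usr/bin/perl" subj=unconfined_u:system_r:postgrey_t:s0
type=AVC msg=audit(1200671560.001:303): avc:  denied  { search } for  pid=6430 comm="postgrey" name="postfix" dev=dm-0 scontext=unconfined_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=dir
type=AVC msg=audit(1200671560.002:304): avc:  denied  { write } for  pid=31855 comm="postgrey" name="postgrey" dev=dm-3 scontext=unconfined_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (perms, scontext, tcontext, tclass) for one AVC line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    try:
        return (set(m.group("perms").split()), fields["scontext"],
                fields["tcontext"], fields["tclass"])
    except KeyError:
        return None  # truncated record: ignore it rather than guess


def type_of(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]


def collect(lines):
    """Group denials into {(source_type, target_type, class): {perms}}."""
    grouped = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, sctx, tctx, tclass = parsed
        src, tgt = type_of(sctx), type_of(tctx)
        grouped[(src, "self" if src == tgt else tgt, tclass)] |= perms
    return grouped


def fmt_perms(perms):
    return next(iter(perms)) if len(perms) == 1 else "{ %s }" % " ".join(sorted(perms))


def allow_rules(grouped):
    return [f"allow {src} {tgt}:{cls} {fmt_perms(p)};"
            for (src, tgt, cls), p in sorted(grouped.items())]


def te_module(name, grouped):
    """Render a .te file in the shape `audit2allow -M` writes."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in grouped.items():
        types.add(src)
        if tgt != "self":
            types.add(tgt)
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""] + allow_rules(grouped)
    return "\n".join(out) + "\n"


# Permissions that let the source domain change the target's objects.
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr", "relabelto"}


def review_flags(grouped):
    """Rules a reviewer should not accept blindly: capability grants and
    write access to another domain's types, which audit2allow emits as-is."""
    flags = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        if cls == "capability":
            flags.append(f"{src} gains capability {fmt_perms(perms)}: "
                         "re-check whether the program really needs it")
        elif tgt != "self" and perms & WRITE_LIKE:
            flags.append(f"{src} may modify {tgt} ({cls}): consider a "
                         "dedicated type or a file-context fix instead")
    return flags


if __name__ == "__main__":
    grouped = collect(SAMPLE_AUDIT_LOG.splitlines())
    print(te_module("mypol", grouped))
    for flag in review_flags(grouped):
        print("REVIEW:", flag)
```

The script emits only the .te text; compiling and loading the module is still `audit2allow -M mypol` and `semodule -i mypol.pp` as in the comment. The point of reading the output first is that for the search denial on postfix_etc_t a narrow allow may be acceptable, while the dac_override grant deserves a look at why a root process is bypassing file permissions at all.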
Comment 2 Nils Philippsen 2008-01-18 04:58:21 EST
Looks like it's not quite fixed with selinux-policy-targeted-3.0.8-76.fc8 from
updates-testing:

Jan 18 10:52:40 wombat setroubleshoot: #012    SELinux is preventing postgrey (postgrey_t) "ioctl" to /etc/postfix/postgrey_whitelist_clients (postfix_etc_t).#012     For complete SELinux messages. run sealert -l 2b0ee89e-5d32-4aac-9355-486c7afdd53c
Jan 18 10:52:40 wombat setroubleshoot: #012    SELinux is preventing postgrey (postgrey_t) "ioctl" to /etc/postfix/postgrey_whitelist_clients.local (postfix_etc_t).#012     For complete SELinux messages. run sealert -l 6cb980d0-12d0-4e8c-b27a-cd911f9a24d5
Jan 18 10:52:40 wombat setroubleshoot: #012    SELinux is preventing postgrey (postgrey_t) "ioctl" to /etc/postfix/postgrey_whitelist_recipients (postfix_etc_t).#012     For complete SELinux messages. run sealert -l 0a57fd40-9b61-43d4-bb82-e1dae06add26
Jan 18 10:52:40 wombat setroubleshoot: #012    SELinux is preventing postgrey (postgrey_t) "write" to <Unknown> (postfix_spool_t).#012     For complete SELinux messages. run sealert -l 6a34e53e-75bb-4cee-83b2-253532818011

raw audit messages:

avc: denied { ioctl } for comm=postgrey dev=dm-0 egid=0 euid=0 exe=/usr/bin/perl exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/etc/postfix/postgrey_whitelist_clients pid=31854 scontext=unconfined_u:system_r:postgrey_t:s0 sgid=0 subj=unconfined_u:system_r:postgrey_t:s0 suid=0 tclass=file tcontext=system_u:object_r:postfix_etc_t:s0 tty=pts5 uid=0

avc: denied { ioctl } for comm=postgrey dev=dm-0 path=/etc/postfix/postgrey_whitelist_clients.local pid=31854 scontext=unconfined_u:system_r:postgrey_t:s0 tclass=file tcontext=system_u:object_r:postfix_etc_t:s0

avc: denied { ioctl } for comm=postgrey dev=dm-0 path=/etc/postfix/postgrey_whitelist_recipients pid=31854 scontext=unconfined_u:system_r:postgrey_t:s0 tclass=file tcontext=system_u:object_r:postfix_etc_t:s0

avc: denied { write } for comm=postgrey dev=dm-3 name=postgrey pid=31855 scontext=unconfined_u:system_r:postgrey_t:s0 tclass=dir tcontext=system_u:object_r:postfix_spool_t:s0

Comment 3 Daniel Walsh 2008-01-18 15:11:15 EST
Is postgrey trying to write to /etc/postfix/postgrey_whitelist_recipients

and /var/spool/postfix?
Comment 4 Jarl 2008-01-23 14:12:10 EST
Quick workaround to get postgrey up and running in F8.

Summary:
Do not use a unix socket for postgrey, use inet ports instead.

Procedure:
1. In the file /etc/init.d/postgrey: comment out the original OPTIONS line
containing --unix=$SOCKET, and add --inet=127.0.0.1:60000:

   #OPTIONS="--unix=$SOCKET"
   OPTIONS="--inet=127.0.0.1:60000"

2. Open port 60000 in the firewall.  Please be careful if your machine is
exposed to the net.

3. In the file /etc/postfix/main.cf: add ''check_policy_service
inet:127.0.0.1:60000'' to ''smtpd_recipient_restrictions''

   smtpd_recipient_restrictions = permit_mynetworks,check_policy_service
inet:127.0.0.1:60000,[<other flags...>]

4. Restart postgrey and postfix.

Comments:
SELinux prevents the use of sockets for postgrey.  It would be preferable to use
sockets on a local machine.  For an inet solution, it would be preferable to use
a TLS connection.

    /Jarl
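
The inet workaround above replaces the Unix socket with a TCP listener on 127.0.0.1:60000 that Postfix queries through check_policy_service. What follows is an added example, not postgrey's code and not from this bug: a toy greylisting policy server plus a client speaking the Postfix policy-delegation protocol (attribute=value lines, a blank line ends the request, the reply is an action= line followed by a blank line), run end to end over loopback. The in-memory triplet store, the 300 second delay, the ephemeral port and the addresses in the request are this example's assumptions. The protocol carries no authentication, so the listener binds to loopback only; a firewall opening is only needed if the service is bound on a non-loopback address, and then anyone who can reach the port can query it and pre-seed triplets.

```python
"""Minimal Postfix policy-delegation exchange over an inet socket.

Added example, not postgrey's code: a toy greylisting policy server bound to
127.0.0.1 and a client that speaks the protocol Postfix uses for
check_policy_service inet:host:port. Delay, store and request values are
assumptions made for the example.
"""
import socket
import threading
import time

GREYLIST_DELAY = 300  # seconds a new (client, sender, recipient) triplet waits; assumed


class GreylistPolicy:
    """Remembers when a triplet was first seen; defers until the delay has passed."""

    def __init__(self, delay=GREYLIST_DELAY, clock=None):
        self.delay = delay
        self.clock = clock or time.time   # injectable clock so the delay is testable
        self.seen = {}
        self.lock = threading.Lock()

    def decide(self, attrs):
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"
        key = (attrs.get("client_address", ""), attrs.get("sender", "").lower(),
               attrs.get("recipient", "").lower())
        now = self.clock()
        with self.lock:
            first = self.seen.setdefault(key, now)
        if now - first < self.delay:
            return "DEFER_IF_PERMIT Greylisted, try again later"
        return "DUNNO"


def parse_request(raw):
    """attribute=value lines -> dict (used for both request and reply)."""
    attrs = {}
    for line in raw.split("\n"):
        if line:
            name, _, value = line.partition("=")
            attrs[name] = value
    return attrs


def serve_one(conn, policy):
    """Read one request (terminated by a blank line) and answer it."""
    conn.settimeout(5)
    buf = b""
    while b"\n\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            return
        buf += chunk
    request = buf.split(b"\n\n", 1)[0].decode("utf-8", "replace")
    action = policy.decide(parse_request(request))
    conn.sendall(f"action={action}\n\n".encode())


def start_server(policy, host="127.0.0.1", port=0):
    """Listen on loopback only (port 0 = ephemeral); returns (port, stop_fn)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                serve_one(conn, policy)
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop.set


def query_policy(port, attrs, host="127.0.0.1"):
    """What Postfix's check_policy_service does: send attributes, read the action."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall("".join(f"{k}={v}\n" for k, v in attrs.items()).encode() + b"\n")
        buf = b""
        while b"\n\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_request(buf.split(b"\n\n", 1)[0].decode()).get("action", "")


def demo(delay=GREYLIST_DELAY):
    """Same triplet twice inside the delay, then once after it; returns the three verdicts."""
    now = [1000.0]                                   # fake clock, advanced by hand
    policy = GreylistPolicy(delay=delay, clock=lambda: now[0])
    port, stop = start_server(policy)
    req = {"request": "smtpd_access_policy", "protocol_state": "RCPT",
           "client_address": "192.0.2.10", "sender": "alice@example.net",
           "recipient": "bob@example.com"}           # constructed values
    try:
        first = query_policy(port, req)
        now[0] += 10
        second = query_policy(port, req)
        now[0] += delay
        third = query_policy(port, req)
    finally:
        stop()
    return [a.split()[0] for a in (first, second, third)]


if __name__ == "__main__":
    print(demo())
```

Everything the policy decides rests on attributes the client sends; a real postgrey trusts them because Postfix is the only thing that can reach its Unix socket, which is exactly what the inet workaround gives up unless the listener stays on 127.0.0.1.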

Comment 5 Daniel Walsh 2008-01-23 16:23:17 EST
Jarl, please open a separate bugzilla along with the AVC messages you are seeing.
Comment 6 Daniel Walsh 2008-11-17 17:02:48 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
