Bug 429976 - postgrey_t denied ioctl to whitelist and /var/spool/postfix/postgrey
Summary: postgrey_t denied ioctl to whitelist and /var/spool/postfix/postgrey
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: i686
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-01-24 02:43 UTC by Jarl
Modified: 2008-11-17 22:02 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-11-17 22:02:51 UTC
Type: ---
Embargoed:



Description Jarl 2008-01-24 02:43:12 UTC
Description of problem:
SELinux denies postgrey write access and ioctl access.

Version-Release number of selected component (if applicable):
 postfix.i386                             2:2.4.5-2.fc8          installed       
 postgrey.noarch                          1.30-1.fc8             installed       
 selinux-policy.noarch                    3.0.8-76.fc8           installed       
 selinux-policy-devel.noarch              3.0.8-76.fc8           installed       
 selinux-policy-targeted.noarch           3.0.8-76.fc8           installed       
 Linux meatpuck.thinkgland.com 2.6.23.9-85.fc8 #1 SMP Fri Dec 7 15:49:59 EST
2007 i686 i686 i386 GNU/Linux

How reproducible:


Steps to Reproduce:
1. yum install postgrey
2. /etc/init.d/postgrey start

  
Actual results:
SELinux reports four problems:

===First problem===
Summary
    SELinux is preventing postgrey (postgrey_t) "write" to <Unknown>
    (postfix_spool_t).

Detailed Description
    SELinux denied access requested by postgrey. It is not expected that this
    access is required by postgrey and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:postgrey_t:s0
Target Context                system_u:object_r:postfix_spool_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.8-76.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     meatpuck.thinkgland.com
Platform                      Linux meatpuck.thinkgland.com 2.6.23.9-85.fc8 #1
                              SMP Fri Dec 7 15:49:59 EST 2007 i686 i686
Alert Count                   1
First Seen                    Wed 23 Jan 2008 05:31:42 PM PST
Last Seen                     Wed 23 Jan 2008 05:31:42 PM PST
Local ID                      a781d967-fdb5-45e1-bb91-c78fb78cd226
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm=postgrey dev=dm-0 egid=0 euid=0 exe=/usr/bin/perl
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=postgrey pid=17052
scontext=system_u:system_r:postgrey_t:s0 sgid=0
subj=system_u:system_r:postgrey_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:postfix_spool_t:s0 tty=(none) uid=0
===End of first problem===

===Second problem===
Summary
    SELinux is preventing postgrey (postgrey_t) "ioctl" to
    /etc/postfix/postgrey_whitelist_clients (postfix_etc_t).

Detailed Description
    SELinux denied access requested by postgrey. It is not expected that this
    access is required by postgrey and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for
    /etc/postfix/postgrey_whitelist_clients, restorecon -v
    /etc/postfix/postgrey_whitelist_clients If this does not work, there is
    currently no automatic way to allow this access. Instead,  you can generate
    a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:postgrey_t:s0
Target Context                system_u:object_r:postfix_etc_t:s0
Target Objects                /etc/postfix/postgrey_whitelist_clients [ file ]
Affected RPM Packages         postgrey-1.30-1.fc8 [target]
Policy RPM                    selinux-policy-3.0.8-76.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     meatpuck.thinkgland.com
Platform                      Linux meatpuck.thinkgland.com 2.6.23.9-85.fc8 #1
                              SMP Fri Dec 7 15:49:59 EST 2007 i686 i686
Alert Count                   1
First Seen                    Wed 23 Jan 2008 05:31:42 PM PST
Last Seen                     Wed 23 Jan 2008 05:31:42 PM PST
Local ID                      5e5da002-f1b5-4947-83d9-29463ebc8bf5
Line Numbers                  

Raw Audit Messages            

avc: denied { ioctl } for comm=postgrey dev=dm-0 egid=0 euid=0 exe=/usr/bin/perl
exit=-13 fsgid=0 fsuid=0 gid=0 items=0
path=/etc/postfix/postgrey_whitelist_clients pid=17051
scontext=system_u:system_r:postgrey_t:s0 sgid=0
subj=system_u:system_r:postgrey_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:postfix_etc_t:s0 tty=pts1 uid=0
===End of second problem===

===Third problem===
Summary
    SELinux is preventing postgrey (postgrey_t) "ioctl" to
    /etc/postfix/postgrey_whitelist_clients.local (postfix_etc_t).

Detailed Description
    SELinux denied access requested by postgrey. It is not expected that this
    access is required by postgrey and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for
    /etc/postfix/postgrey_whitelist_clients.local, restorecon -v
    /etc/postfix/postgrey_whitelist_clients.local If this does not work, there
    is currently no automatic way to allow this access. Instead,  you can
    generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:postgrey_t:s0
Target Context                system_u:object_r:postfix_etc_t:s0
Target Objects                /etc/postfix/postgrey_whitelist_clients.local [
                              file ]
Affected RPM Packages         postgrey-1.30-1.fc8 [target]
Policy RPM                    selinux-policy-3.0.8-76.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     meatpuck.thinkgland.com
Platform                      Linux meatpuck.thinkgland.com 2.6.23.9-85.fc8 #1
                              SMP Fri Dec 7 15:49:59 EST 2007 i686 i686
Alert Count                   1
First Seen                    Wed 23 Jan 2008 05:31:42 PM PST
Last Seen                     Wed 23 Jan 2008 05:31:42 PM PST
Local ID                      fd6fc846-f846-433d-9bcb-db2da5f0bf62
Line Numbers                  

Raw Audit Messages            

avc: denied { ioctl } for comm=postgrey dev=dm-0 egid=0 euid=0 exe=/usr/bin/perl
exit=-13 fsgid=0 fsuid=0 gid=0 items=0
path=/etc/postfix/postgrey_whitelist_clients.local pid=17051
scontext=system_u:system_r:postgrey_t:s0 sgid=0
subj=system_u:system_r:postgrey_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:postfix_etc_t:s0 tty=pts1 uid=0
===End of third problem===

===Fourth problem===
Summary
    SELinux is preventing postgrey (postgrey_t) "ioctl" to
    /etc/postfix/postgrey_whitelist_recipients (postfix_etc_t).

Detailed Description
    SELinux denied access requested by postgrey. It is not expected that this
    access is required by postgrey and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for
    /etc/postfix/postgrey_whitelist_recipients, restorecon -v
    /etc/postfix/postgrey_whitelist_recipients If this does not work, there is
    currently no automatic way to allow this access. Instead,  you can generate
    a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:postgrey_t:s0
Target Context                system_u:object_r:postfix_etc_t:s0
Target Objects                /etc/postfix/postgrey_whitelist_recipients [ file
                              ]
Affected RPM Packages         postgrey-1.30-1.fc8 [target]
Policy RPM                    selinux-policy-3.0.8-76.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     meatpuck.thinkgland.com
Platform                      Linux meatpuck.thinkgland.com 2.6.23.9-85.fc8 #1
                              SMP Fri Dec 7 15:49:59 EST 2007 i686 i686
Alert Count                   1
First Seen                    Wed 23 Jan 2008 05:31:42 PM PST
Last Seen                     Wed 23 Jan 2008 05:31:42 PM PST
Local ID                      b7b19efb-512f-472b-b9c3-e5a711bc0689
Line Numbers                  

Raw Audit Messages            

avc: denied { ioctl } for comm=postgrey dev=dm-0 egid=0 euid=0 exe=/usr/bin/perl
exit=-13 fsgid=0 fsuid=0 gid=0 items=0
path=/etc/postfix/postgrey_whitelist_recipients pid=17051
scontext=system_u:system_r:postgrey_t:s0 sgid=0
subj=system_u:system_r:postgrey_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:postfix_etc_t:s0 tty=pts1 uid=0

===End of fourth problem===


Expected results:
Postgrey should run out of the box.

Additional info:
This behavior was also reported in bug 428039 (see
https://bugzilla.redhat.com/show_bug.cgi?id=428039)

Comment 1 Jon Stanley 2008-01-24 04:02:57 UTC
Reassigning to selinux-policy-targeted

Comment 2 Daniel Walsh 2008-01-24 18:36:14 UTC
Fixed in selinux-policy-3.0.8-81.fc8

Comment 3 Jarl 2008-01-30 03:07:01 UTC
Problem appears present in selinux-policy-3.0.8-81.fc8
See clip:

Summary
    SELinux is preventing postgrey (postgrey_t) "create" to <Unknown>
    (postfix_spool_t).

Detailed Description
    SELinux denied access requested by postgrey. It is not expected that this
    access is required by postgrey and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:postgrey_t:s0
Target Context                system_u:object_r:postfix_spool_t:s0
Target Objects                None [ sock_file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.8-81.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     meatpuck.thinkgland.com
Platform                      Linux meatpuck.thinkgland.com 2.6.23.14-107.fc8 #1
                              SMP Mon Jan 14 21:37:30 EST 2008 i686 i686
Alert Count                   1
First Seen                    Tue 29 Jan 2008 07:01:22 PM PST
Last Seen                     Tue 29 Jan 2008 07:01:22 PM PST
Local ID                      dafbae85-1266-4bb6-86e6-80a7c3c0e331
Line Numbers                  

Raw Audit Messages            

avc: denied { create } for comm=postgrey egid=0 euid=0 exe=/usr/bin/perl
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=socket pid=3579
scontext=system_u:system_r:postgrey_t:s0 sgid=0
subj=system_u:system_r:postgrey_t:s0 suid=0 tclass=sock_file
tcontext=system_u:object_r:postfix_spool_t:s0 tty=(none) uid=0




Comment 4 Daniel Walsh 2008-01-30 16:31:51 UTC
This is a different AVC than the first one.  This looks like postgrey is
creating a fifo_file in /var/spool/postfix/postgrey.  Do you know if postfix
will use this fifo_file?


Comment 5 Jarl 2008-01-30 20:31:19 UTC
(In reply to comment #4)
1. I have not looked at the sources (yet...) but from reading the man page and
/etc/init.d/postgrey I assume that postgrey will use the fifo_file instead of an
inet port.

2. I assume this is an effort to have as few inet ports open as possible. 
(Great idea for small networks.)

3. I can set up postfix to use
smtpd_recipient_restrictions=...,check_policy_service inet:127.0.0.1:60000
while at the same time running postgrey as a service on port 60000.  This all
works fine.

4. I configured postfix to use
smtpd_recipient_restrictions=...,check_policy_service
unix:/var/spool/postfix/postgrey/socket (the same path as postgrey expects)
Postfix reports that it can't connect to the socket.
Postgrey reports
===Snipp from /var/log/maillog===
Jan 30 12:17:28 meatpuck postgrey[8859]: Process Backgrounded
Jan 30 12:17:28 meatpuck postgrey[8859]: 2008/01/30-12:17:28 postgrey (type
Net::Server::Multiplex) starting! pid(8859)
Jan 30 12:17:28 meatpuck postgrey[8859]: Binding to UNIX socket file
/var/spool/postfix/postgrey/socket using SOCK_STREAM#012
Jan 30 12:17:28 meatpuck postgrey[8859]: 2008/01/30-12:17:28 Can't connect to
UNIX socket at file /var/spool/postfix/postgrey/socket [Permission denied]#012 
at line 132 in file /usr/lib/perl5/vendor_perl/5.8.8/Net/Server/Proto/UNIX.pm
Jan 30 12:17:28 meatpuck postgrey[8859]: 2008/01/30-12:17:28 Server closing!
===End snipp from /var/log/maillog===
===Snipp from /var/log/audit/audit.log===
type=AVC msg=audit(1201724248.832:204): avc:  denied  { create } for  pid=8859
comm="postgrey" name="socket" scontext=system_u:system_r:postgrey_t:s0
tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file
===End snipp from /var/log/audit/audit.log===
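Added example, not code from the bug or from the Fedora policy: a small Python script that parses both AVC forms seen on this page (the setroubleshoot "Raw Audit Messages" in the description and the audit.log line in comment 5), folds the denials into (source type, target type, class) groups, and emits the minimal policy-module source that the "generate a local policy module" advice refers to, the way audit2allow does. The sample lines are constructed from the denials above and the module name postgrey_local is an assumption.

```python
import re
from collections import defaultdict
# Constructed sample: this report's denials in both the setroubleshoot "Raw Audit
# Messages" form and the raw audit.log form, plus one non-AVC maillog line.
SAMPLE_AVC = """\
avc: denied { write } for comm=postgrey dev=dm-0 exe=/usr/bin/perl exit=-13 name=postgrey pid=17052 scontext=system_u:system_r:postgrey_t:s0 tclass=dir tcontext=system_u:object_r:postfix_spool_t:s0
avc: denied { ioctl } for comm=postgrey path=/etc/postfix/postgrey_whitelist_clients pid=17051 scontext=system_u:system_r:postgrey_t:s0 tclass=file tcontext=system_u:object_r:postfix_etc_t:s0
avc: denied { ioctl } for comm=postgrey path=/etc/postfix/postgrey_whitelist_clients.local pid=17051 scontext=system_u:system_r:postgrey_t:s0 tclass=file tcontext=system_u:object_r:postfix_etc_t:s0
avc: denied { ioctl } for comm=postgrey path=/etc/postfix/postgrey_whitelist_recipients pid=17051 scontext=system_u:system_r:postgrey_t:s0 tclass=file tcontext=system_u:object_r:postfix_etc_t:s0
type=AVC msg=audit(1201724248.832:204): avc:  denied  { create } for  pid=8859 comm="postgrey" name="socket" scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file
Jan 30 12:17:28 meatpuck postgrey[8859]: Server closing!
"""
PERM_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (perms, source type, target type, tclass); None for non-AVC lines."""
    m = PERM_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(line)}  # order-independent
    if not all(k in f for k in ("scontext", "tcontext", "tclass")):
        return None
    # user:role:type:level -> keep only the type, which is what allow rules name
    src, tgt = f["scontext"].split(":")[2], f["tcontext"].split(":")[2]
    return set(m.group(1).split()), src, tgt, f["tclass"]

def collect_denials(text):
    """Fold denials into {(source, target, class): {perms}}, as audit2allow does."""
    wanted = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            perms, src, tgt, cls = parsed
            wanted[(src, tgt, cls)] |= perms
    return dict(wanted)

def render_te(denials, module="postgrey_local"):
    """Emit a minimal .te source: module line, require block, one allow per key."""
    types = sorted({t for key in denials for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls] |= perms
    out = ["module %s 1.0;" % module, "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out.append("}")
    out += ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(denials.items())]
    return "\n".join(out)
```

Review the generated rules before building and loading them: the dir rule grants postgrey_t write access to everything labelled postfix_spool_t, which is broader than the one directory postgrey needs, so a dedicated label for /var/spool/postfix/postgrey or the updated distribution policy is the tighter long-term fix.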



Comment 6 Daniel Walsh 2008-01-31 16:41:10 UTC
I have put some fixes in for this in selinux-policy-3.0.8-82.fc8

Comment 7 Daniel Walsh 2008-11-17 22:02:51 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

