Description of problem:
SELinux denies postgrey write access and ioctl access.

Version-Release number of selected component (if applicable):
postfix.i386                 2:2.4.5-2.fc8    installed
postgrey.noarch              1.30-1.fc8       installed
selinux-policy.noarch        3.0.8-76.fc8     installed
selinux-policy-devel.noarch  3.0.8-76.fc8     installed
selinux-policy-targeted.noarch 3.0.8-76.fc8   installed
Linux meatpuck.thinkgland.com 2.6.23.9-85.fc8 #1 SMP Fri Dec 7 15:49:59 EST 2007 i686 i686 i386 GNU/Linux

How reproducible:

Steps to Reproduce:
1. yum install postgrey
2. /etc/init.d/postgrey start

Actual results:
SELinux reports four problems:

===First problem===
Summary
    SELinux is preventing postgrey (postgrey_t) "write" to <Unknown> (postfix_spool_t).

Detailed Description
    SELinux denied access requested by postgrey. It is not expected that this access is required by postgrey and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown>. If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context      system_u:system_r:postgrey_t:s0
Target Context      system_u:object_r:postfix_spool_t:s0
Target Objects      None [ dir ]
Affected RPM Packages
Policy RPM          selinux-policy-3.0.8-76.fc8
Selinux Enabled     True
Policy Type         targeted
MLS Enabled         True
Enforcing Mode      Enforcing
Plugin Name         plugins.catchall_file
Host Name           meatpuck.thinkgland.com
Platform            Linux meatpuck.thinkgland.com 2.6.23.9-85.fc8 #1 SMP Fri Dec 7 15:49:59 EST 2007 i686 i686
Alert Count         1
First Seen          Wed 23 Jan 2008 05:31:42 PM PST
Last Seen           Wed 23 Jan 2008 05:31:42 PM PST
Local ID            a781d967-fdb5-45e1-bb91-c78fb78cd226
Line Numbers

Raw Audit Messages
avc: denied { write } for comm=postgrey dev=dm-0 egid=0 euid=0 exe=/usr/bin/perl exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=postgrey pid=17052 scontext=system_u:system_r:postgrey_t:s0 sgid=0 subj=system_u:system_r:postgrey_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:postfix_spool_t:s0 tty=(none) uid=0
===End of first problem===

===Second problem===
Summary
    SELinux is preventing postgrey (postgrey_t) "ioctl" to /etc/postfix/postgrey_whitelist_clients (postfix_etc_t).

Detailed Description
    SELinux denied access requested by postgrey. It is not expected that this access is required by postgrey and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /etc/postfix/postgrey_whitelist_clients, restorecon -v /etc/postfix/postgrey_whitelist_clients. If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context      system_u:system_r:postgrey_t:s0
Target Context      system_u:object_r:postfix_etc_t:s0
Target Objects      /etc/postfix/postgrey_whitelist_clients [ file ]
Affected RPM Packages  postgrey-1.30-1.fc8 [target]
Policy RPM          selinux-policy-3.0.8-76.fc8
Selinux Enabled     True
Policy Type         targeted
MLS Enabled         True
Enforcing Mode      Enforcing
Plugin Name         plugins.catchall_file
Host Name           meatpuck.thinkgland.com
Platform            Linux meatpuck.thinkgland.com 2.6.23.9-85.fc8 #1 SMP Fri Dec 7 15:49:59 EST 2007 i686 i686
Alert Count         1
First Seen          Wed 23 Jan 2008 05:31:42 PM PST
Last Seen           Wed 23 Jan 2008 05:31:42 PM PST
Local ID            5e5da002-f1b5-4947-83d9-29463ebc8bf5
Line Numbers

Raw Audit Messages
avc: denied { ioctl } for comm=postgrey dev=dm-0 egid=0 euid=0 exe=/usr/bin/perl exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/etc/postfix/postgrey_whitelist_clients pid=17051 scontext=system_u:system_r:postgrey_t:s0 sgid=0 subj=system_u:system_r:postgrey_t:s0 suid=0 tclass=file tcontext=system_u:object_r:postfix_etc_t:s0 tty=pts1 uid=0
===End of second problem===

===Third problem===
Summary
    SELinux is preventing postgrey (postgrey_t) "ioctl" to /etc/postfix/postgrey_whitelist_clients.local (postfix_etc_t).

Detailed Description
    SELinux denied access requested by postgrey. It is not expected that this access is required by postgrey and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /etc/postfix/postgrey_whitelist_clients.local, restorecon -v /etc/postfix/postgrey_whitelist_clients.local. If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context      system_u:system_r:postgrey_t:s0
Target Context      system_u:object_r:postfix_etc_t:s0
Target Objects      /etc/postfix/postgrey_whitelist_clients.local [ file ]
Affected RPM Packages  postgrey-1.30-1.fc8 [target]
Policy RPM          selinux-policy-3.0.8-76.fc8
Selinux Enabled     True
Policy Type         targeted
MLS Enabled         True
Enforcing Mode      Enforcing
Plugin Name         plugins.catchall_file
Host Name           meatpuck.thinkgland.com
Platform            Linux meatpuck.thinkgland.com 2.6.23.9-85.fc8 #1 SMP Fri Dec 7 15:49:59 EST 2007 i686 i686
Alert Count         1
First Seen          Wed 23 Jan 2008 05:31:42 PM PST
Last Seen           Wed 23 Jan 2008 05:31:42 PM PST
Local ID            fd6fc846-f846-433d-9bcb-db2da5f0bf62
Line Numbers

Raw Audit Messages
avc: denied { ioctl } for comm=postgrey dev=dm-0 egid=0 euid=0 exe=/usr/bin/perl exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/etc/postfix/postgrey_whitelist_clients.local pid=17051 scontext=system_u:system_r:postgrey_t:s0 sgid=0 subj=system_u:system_r:postgrey_t:s0 suid=0 tclass=file tcontext=system_u:object_r:postfix_etc_t:s0 tty=pts1 uid=0
===End of third problem===

===Fourth problem===
Summary
    SELinux is preventing postgrey (postgrey_t) "ioctl" to /etc/postfix/postgrey_whitelist_recipients (postfix_etc_t).

Detailed Description
    SELinux denied access requested by postgrey. It is not expected that this access is required by postgrey and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /etc/postfix/postgrey_whitelist_recipients, restorecon -v /etc/postfix/postgrey_whitelist_recipients. If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context      system_u:system_r:postgrey_t:s0
Target Context      system_u:object_r:postfix_etc_t:s0
Target Objects      /etc/postfix/postgrey_whitelist_recipients [ file ]
Affected RPM Packages  postgrey-1.30-1.fc8 [target]
Policy RPM          selinux-policy-3.0.8-76.fc8
Selinux Enabled     True
Policy Type         targeted
MLS Enabled         True
Enforcing Mode      Enforcing
Plugin Name         plugins.catchall_file
Host Name           meatpuck.thinkgland.com
Platform            Linux meatpuck.thinkgland.com 2.6.23.9-85.fc8 #1 SMP Fri Dec 7 15:49:59 EST 2007 i686 i686
Alert Count         1
First Seen          Wed 23 Jan 2008 05:31:42 PM PST
Last Seen           Wed 23 Jan 2008 05:31:42 PM PST
Local ID            b7b19efb-512f-472b-b9c3-e5a711bc0689
Line Numbers

Raw Audit Messages
avc: denied { ioctl } for comm=postgrey dev=dm-0 egid=0 euid=0 exe=/usr/bin/perl exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/etc/postfix/postgrey_whitelist_recipients pid=17051 scontext=system_u:system_r:postgrey_t:s0 sgid=0 subj=system_u:system_r:postgrey_t:s0 suid=0 tclass=file tcontext=system_u:object_r:postfix_etc_t:s0 tty=pts1 uid=0
===End of fourth problem===

Expected results:
Postgrey should run out of the box.

Additional info:
This behavior was also reported in bug 428039 (see https://bugzilla.redhat.com/show_bug.cgi?id=428039)
Reassigning to selinux-policy-targeted
Fixed in selinux-policy-3.0.8-81.fc8
Problem appears present in selinux-policy-3.0.8-81.fc8. See clip:

Summary
    SELinux is preventing postgrey (postgrey_t) "create" to <Unknown> (postfix_spool_t).

Detailed Description
    SELinux denied access requested by postgrey. It is not expected that this access is required by postgrey and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown>. If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information
Source Context      system_u:system_r:postgrey_t:s0
Target Context      system_u:object_r:postfix_spool_t:s0
Target Objects      None [ sock_file ]
Affected RPM Packages
Policy RPM          selinux-policy-3.0.8-81.fc8
Selinux Enabled     True
Policy Type         targeted
MLS Enabled         True
Enforcing Mode      Enforcing
Plugin Name         plugins.catchall_file
Host Name           meatpuck.thinkgland.com
Platform            Linux meatpuck.thinkgland.com 2.6.23.14-107.fc8 #1 SMP Mon Jan 14 21:37:30 EST 2008 i686 i686
Alert Count         1
First Seen          Tue 29 Jan 2008 07:01:22 PM PST
Last Seen           Tue 29 Jan 2008 07:01:22 PM PST
Local ID            dafbae85-1266-4bb6-86e6-80a7c3c0e331
Line Numbers

Raw Audit Messages
avc: denied { create } for comm=postgrey egid=0 euid=0 exe=/usr/bin/perl exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=socket pid=3579 scontext=system_u:system_r:postgrey_t:s0 sgid=0 subj=system_u:system_r:postgrey_t:s0 suid=0 tclass=sock_file tcontext=system_u:object_r:postfix_spool_t:s0 tty=(none) uid=0
This is a different AVC than the first one. This looks like postgrey is creating a fifo_file in /var/spool/postfix/postgrey. Do you know if postfix will use this fifo_file?
(In reply to comment #4)

1. I have not looked at the sources (yet...) but from reading the man page and /etc/init.d/postgrey I assume that postgrey will use the fifo_file instead of an inet port.
2. I assume this is an effort to have as few inet ports open as possible. (Great idea for small networks.)
3. I can set up postfix to use
   smtpd_recipient_restrictions=...,check_policy_service inet:127.0.0.1:60000
   while at the same time running postgrey as a service on port 60000. This all works fine.
4. I configured postfix to use
   smtpd_recipient_restrictions=...,check_policy_service unix:/var/spool/postfix/postgrey/socket
   (the same path as postgrey expects). Postfix reports that it can't connect to the socket. Postgrey reports:

===Snip from /var/log/maillog===
Jan 30 12:17:28 meatpuck postgrey[8859]: Process Backgrounded
Jan 30 12:17:28 meatpuck postgrey[8859]: 2008/01/30-12:17:28 postgrey (type Net::Server::Multiplex) starting! pid(8859)
Jan 30 12:17:28 meatpuck postgrey[8859]: Binding to UNIX socket file /var/spool/postfix/postgrey/socket using SOCK_STREAM#012
Jan 30 12:17:28 meatpuck postgrey[8859]: 2008/01/30-12:17:28 Can't connect to UNIX socket at file /var/spool/postfix/postgrey/socket [Permission denied]#012 at line 132 in file /usr/lib/perl5/vendor_perl/5.8.8/Net/Server/Proto/UNIX.pm
Jan 30 12:17:28 meatpuck postgrey[8859]: 2008/01/30-12:17:28 Server closing!
===End snip from /var/log/maillog===

===Snip from /var/log/audit/audit.log===
type=AVC msg=audit(1201724248.832:204): avc: denied { create } for pid=8859 comm="postgrey" name="socket" scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file
===End snip from /var/log/audit/audit.log===
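The setroubleshoot alerts in the original report and the audit.log line in comment #5 both point at the same workaround: generate a local policy module until the fixed selinux-policy lands. The following Python script is an added example for this thread, not code from the reporter, Fedora, setroubleshoot or audit2allow. It parses both AVC formats that appear above (the "Raw Audit Messages" form and the `type=AVC msg=audit(...)` form), folds the denials into `allow` rules, renders a `.te` module, and flags the rules that grant filesystem-mutating permissions so they are reviewed before loading. The sample lines are copied from this thread; the module name `postgrey_local` and the maillog noise line are my own choices.

```python
"""Turn SELinux AVC denials into a reviewable local policy module (.te).

Added example for this bug thread; not Fedora, setroubleshoot or audit2allow code.
"""
import re
from collections import defaultdict

# Constructed sample: AVC lines copied from this thread plus one non-AVC maillog line
# to show that unrelated log lines are ignored.
SAMPLE_AVCS = """\
avc: denied { write } for comm=postgrey dev=dm-0 egid=0 euid=0 exe=/usr/bin/perl exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=postgrey pid=17052 scontext=system_u:system_r:postgrey_t:s0 sgid=0 subj=system_u:system_r:postgrey_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:postfix_spool_t:s0 tty=(none) uid=0
avc: denied { ioctl } for comm=postgrey dev=dm-0 egid=0 euid=0 exe=/usr/bin/perl exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/etc/postfix/postgrey_whitelist_clients pid=17051 scontext=system_u:system_r:postgrey_t:s0 sgid=0 subj=system_u:system_r:postgrey_t:s0 suid=0 tclass=file tcontext=system_u:object_r:postfix_etc_t:s0 tty=pts1 uid=0
avc: denied { ioctl } for comm=postgrey dev=dm-0 egid=0 euid=0 exe=/usr/bin/perl exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/etc/postfix/postgrey_whitelist_recipients pid=17051 scontext=system_u:system_r:postgrey_t:s0 sgid=0 subj=system_u:system_r:postgrey_t:s0 suid=0 tclass=file tcontext=system_u:object_r:postfix_etc_t:s0 tty=pts1 uid=0
Jan 30 12:17:28 meatpuck postgrey[8859]: Binding to UNIX socket file /var/spool/postfix/postgrey/socket using SOCK_STREAM
type=AVC msg=audit(1201724248.832:204): avc: denied { create } for pid=8859 comm="postgrey" name="socket" scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file
"""

# "avc: denied { perm perm } for key=value ..." is common to both log formats.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # audit.log quotes comm/name; setroubleshoot does not

# Permissions that change the filesystem; these deserve a human look before being allowed.
MUTATING = {"write", "create", "unlink", "rename", "setattr", "append", "add_name", "remove_name"}


def parse_avc(line):
    """Return the denial's perms, source/target types, class and target, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    try:
        stype = fields["scontext"].split(":")[2]   # user:role:TYPE:level
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": stype, "ttype": ttype, "tclass": tclass,
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name"),
    }


def collect_rules(lines):
    """Merge denials into {(source_type, target_type, class): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc:
            rules[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    return dict(rules)


def _perm_list(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, module_name="postgrey_local", version="1.0"):
    """Render a .te policy module with a require block and one allow rule per key."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_perm_list(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for key in sorted(rules):
        stype, ttype, tclass = key
        out.append(f"allow {stype} {ttype}:{tclass} {_perm_list(rules[key])};")
    return "\n".join(out) + "\n"


def needs_review(rules):
    """Keys whose permissions mutate the filesystem, sorted for stable output."""
    return sorted(k for k, perms in rules.items() if perms & MUTATING)


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AVCS.splitlines())
    print(render_te(rules))
    for key in needs_review(rules):
        print("# review before loading:", key, sorted(rules[key]))
```

The `ioctl` grants on `postfix_etc_t` files are harmless (perl probes opened files), but `write` on the `postfix_spool_t` directory and `create` on a `sock_file` there are exactly the accesses a compromised policy daemon would want too; the thread justifies them because postgrey binds its UNIX socket under /var/spool/postfix/postgrey for Postfix's `check_policy_service unix:` client. Once reviewed, the rendered text is built and loaded the same way the linked FAQ describes: `checkmodule -M -m -o postgrey_local.mod postgrey_local.te`, then `semodule_package -o postgrey_local.pp -m postgrey_local.mod`, then `semodule -i postgrey_local.pp`.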
I have put some fixes in for this in selinux-policy-3.0.8-82.fc8
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.