Description of problem:
When running the strict policy, executing "newaliases" fails and generates a SELINUX_ERR message in /var/log/audit/audit.log

Version-Release number of selected component (if applicable):
Strict Policy version 21 + postfix-2.3.3-2

How reproducible:
My system is a relatively clean install. It's consistently reproducible.

Steps to Reproduce:
1. root user as sysadm_r execute newaliases

Actual results:
To standard error:
newaliases: fatal: execv /usr/sbin/postalias: Permission denied

To /var/log/audit/audit.log:
type=SELINUX_ERR msg=audit(1202239864.642:2547): security_compute_sid: invalid context root:system_r:sysadm_mail_t:s0-s0:c0.c1023 for scontext=root:sysadm_r:sysadm_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_master_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1202239864.642:2547): arch=40000003 syscall=11 success=no exit=-13 a0=8996368 a1=8996388 a2=8996478 a3=8996368 items=0 ppid=11046 pid=11317 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="newaliases" exe="/usr/sbin/sendmail.postfix" subj=root:sysadm_r:sysadm_mail_t:s0-s0:c0.c1023 key=(null)

Expected results:
newaliases command completes successfully

You need to add a role rule to your policy to make this work.

role sysadm_r types postfix_master_exec_t;

You can add this via a policy module. Or run_init newaliases might work.

Strict policy is not supported via normal contract, so it is not likely this fix will be forthcoming.
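
To see which part of the context in the audit record above was rejected, this added example (not part of the original report or reply) parses the security_compute_sid line and lists the fields where the invalid context differs from scontext. The names explain and split_context are hypothetical helpers; the sample line is copied from the report.

```python
import re

# Sample input: the SELINUX_ERR record quoted in the report above.
SAMPLE = ('type=SELINUX_ERR msg=audit(1202239864.642:2547): security_compute_sid: '
          'invalid context root:system_r:sysadm_mail_t:s0-s0:c0.c1023 for '
          'scontext=root:sysadm_r:sysadm_mail_t:s0-s0:c0.c1023 '
          'tcontext=system_u:object_r:postfix_master_exec_t:s0 tclass=process')

RECORD = re.compile(
    r'security_compute_sid:\s+invalid context (?P<invalid>\S+) for '
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

FIELDS = ('user', 'role', 'type', 'range')

def split_context(ctx):
    """Split user:role:type[:range]; the MLS range may itself contain ':'."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % ctx)
    parts.append(None)  # placeholder when no MLS range is present
    return dict(zip(FIELDS, parts[:4]))

def explain(line):
    """Parse one record; return None for lines that are not this error.

    'changed' maps each field to (value in scontext, value in the
    rejected context) for the fields that differ between the two.
    """
    m = RECORD.search(line)
    if m is None:
        return None
    invalid = split_context(m.group('invalid'))
    source = split_context(m.group('scontext'))
    target = split_context(m.group('tcontext'))
    changed = {k: (source[k], invalid[k]) for k in FIELDS
               if source[k] != invalid[k]}
    return {'invalid': invalid, 'source': source, 'target': target,
            'tclass': m.group('tclass'), 'changed': changed}

if __name__ == '__main__':
    r = explain(SAMPLE)
    print('rejected role/type pair:', r['invalid']['role'], r['invalid']['type'])
    for field, (old, new) in r['changed'].items():
        print('%s changed: %s -> %s' % (field, old, new))
    print('target type:', r['target']['type'], 'class:', r['tclass'])
```
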