Bug 431598 - newaliases command causes SELINUX_ERR audit message
newaliases command causes SELINUX_ERR audit message
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-strict (Show other bugs)
5.1
All Linux
low Severity low
: rc
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-02-05 14:38 EST by Eoin Ryan
Modified: 2008-02-05 15:22 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-05 15:22:38 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Eoin Ryan 2008-02-05 14:38:58 EST
Description of problem:
When running the strict policy, executing "newaliases" fails and generates a
SELINUX_ERR message in /var/log/audit/audit.log

Version-Release number of selected component (if applicable):  Strict Policy
version 21 + postfix-2.3.3-2


How reproducible:
My system is a relatively clean install.  It's consistently reproducible.

Steps to Reproduce:
1. root user as sysadm_r execute newaliases
2.
3.
  
Actual results:

To standard error:  
newaliases: fatal: execv /usr/sbin/postalias: Permission denied

To /var/log/audit/audit.log
type=SELINUX_ERR msg=audit(1202239864.642:2547): security_compute_sid:  invalid
context root:system_r:sysadm_mail_t:s0-s0:c0.c1023 for
scontext=root:sysadm_r:sysadm_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:postfix_master_exec_t:s0 tclass=process

type=SYSCALL msg=audit(1202239864.642:2547): arch=40000003 syscall=11 success=no
exit=-13 a0=8996368 a1=8996388 a2=8996478 a3=8996368 items=0 ppid=11046
pid=11317 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts0 comm="newaliases" exe="/usr/sbin/sendmail.postfix"
subj=root:sysadm_r:sysadm_mail_t:s0-s0:c0.c1023 key=(null)


Expected results:
newaliases command completes successfully

Additional info:
Comment 1 Daniel Walsh 2008-02-05 15:22:38 EST
You need to add a role rule to your policy to make this work.

role sysadm_r types postfix_master_exec_t;

You can add this via a policy module.

Or run_init newaliases might work.

strict policy is not supported via normal contract so it is not likely this fix
will be forth coming.

Note You need to log in before you can comment on or make changes to this bug.