Bug 444954 - SELinux denied access requested by pickup
SELinux denied access requested by pickup
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
9
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-05-02 06:15 EDT by cornel panceac
Modified: 2008-11-13 12:06 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-13 12:06:04 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
postfix errors 1 (12.85 KB, application/vnd.oasis.opendocument.text)
2008-05-23 13:04 EDT, cornel panceac
no flags Details
postfix errors 2 (12.63 KB, application/vnd.oasis.opendocument.text)
2008-05-23 13:05 EDT, cornel panceac
no flags Details

  None (edit)
Description cornel panceac 2008-05-02 06:15:11 EDT
Description of problem:

selinux is sowing a lot of errors postfix related.
see below. 
(sorry for the noise, but i have no idea wich is useful and wich is not)
Version-Release number of selected component (if applicable):
# rpm -q postfix
postfix-2.4.5-2.fc8
# rpm -q selinux-policy
selinux-policy-3.0.8-98.fc8


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

SummarySELinux is preventing pickup (postfix_pickup_t) "getattr" to
/etc/postfix/main.cf (httpd_sys_content_t). 
Detailed DescriptionSELinux denied access requested by pickup. It is not
expected that this access is required by pickup and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.
Allowing AccessSometimes labeling problems can cause SELinux denials. You could
try to restore the default system file context for /etc/postfix/main.cf,
restorecon -v '/etc/postfix/main.cf' If this does not work, there is currently
no automatic way to allow this access. Instead, you can generate a local policy
module to allow this access - see FAQ Or you can disable SELinux protection
altogether. Disabling SELinux protection is not recommended. Please file a bug
report against this package. 

Additional Information
Source Context:  system_u:system_r:postfix_pickup_tTarget
Context:  system_u:object_r:httpd_sys_content_tTarget
Objects:  /etc/postfix/main.cf [ file ]Source:  pickupSource
Path:  /usr/libexec/postfix/pickupPort:  <Unknown>Host:  guzu.shacknet.nuSource
RPM Packages:  postfix-2.4.5-2.fc8Target RPM
Packages:  postfix-2.4.5-2.fc8Policy RPM:  selinux-policy-3.0.8-98.fc8Selinux
Enabled:  TruePolicy Type:  targetedMLS Enabled:  TrueEnforcing
Mode:  EnforcingPlugin Name:  catchall_fileHost
Name:  guzu.shacknet.nuPlatform:  Linux guzu.shacknet.nu 2.6.24.5-85.fc8 #1 SMP
Sat Apr 19 12:39:34 EDT 2008 i686 athlonAlert Count:  42First Seen:  Vi 02 mai
2008 12:28:05 +0000Last Seen:  Vi 02 mai 2008 13:11:49 +0000Local
ID:  a4471e75-f401-4f11-97d7-df961e1885b6Line Numbers:  Raw Audit Messages
:host=guzu.shacknet.nu type=AVC msg=audit(1209723109.20:127): avc: denied {
getattr } for pid=13739 comm="pickup" path="/etc/postfix/main.cf" dev=sda1
ino=264626 scontext=system_u:system_r:postfix_pickup_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
host=guzu.shacknet.nu type=SYSCALL msg=audit(1209723109.20:127): arch=40000003
syscall=197 success=no exit=-13 a0=8 a1=bfe85e90 a2=60aff4 a3=3 items=0
ppid=3189 pid=13739 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="pickup" exe="/usr/libexec/postfix/pickup"
subj=system_u:system_r:postfix_pickup_t:s0 key=(null)
Comment 1 cornel panceac 2008-05-23 13:04:56 EDT
Created attachment 306523 [details]
postfix errors 1
Comment 2 cornel panceac 2008-05-23 13:05:18 EDT
Created attachment 306524 [details]
postfix errors 2
Comment 3 cornel panceac 2008-05-23 13:07:30 EDT
for the above errors, 

$ rpm -q selinux-policy
selinux-policy-3.3.1-51.fc9.noarch

and system was autorelabeled several times.

i'll report more after a newer selinux-policy will be available.

and, the fedora 9 system is the old f8 system yum upgraded.
Comment 4 cornel panceac 2008-05-24 08:35:44 EDT
$ rpm -q selinux-policy
selinux-policy-3.3.1-55.fc9.noarch

seems to fix the error. thnx a lot dwalsh!

(
maybe the fact that i've deleted by hand all files on /tmp (as you suggested)
helped some way ... anyway i have no more errors now.
)
Comment 5 Miroslav Lichvar 2008-11-13 12:06:04 EST
Ok, closing as selinux-policy errata.

Note You need to log in before you can comment on or make changes to this bug.