Description of problem:

[matej@viklef ~]$ echo test | mail -s test $LOGNAME
[matej@viklef ~]$ send-mail: fatal: chdir /var/spool/postfix: Permission denied
[matej@viklef ~]$

Note that

[matej@viklef ~]$ id -Z
staff_u:staff_r:staff_t:SystemLow-SystemHigh
[matej@viklef ~]$

When I send mail as root it goes through, but then when I try to read it I get an AVC denial after leaving mailx:

[matej@viklef ~]$ mail
Heirloom Mail version 12.4 7/29/08.  Type ? for help.
"/var/spool/mail/matej": 1 message
>   1 root       Mon Nov 24 23:20  19/595   "test"
& 1
Message  1:
From root  Mon Nov 24 23:20:06 2008
Return-Path: <root>
X-Original-To: root
Delivered-To: root
Date: Mon, 24 Nov 2008 23:20:06 +0100
To: root
Subject: test
User-Agent: Heirloom mailx 12.4 7/29/08
Content-Type: text/plain; charset=us-ascii
From: root (root)
Status: RO

test

& q
Held 1 message in /var/spool/mail/matej
[matej@viklef ~]$

and the AVC denial happens:

Souhrn:

SELinux is preventing mail (staff_t) "write" to ./mail (mail_spool_t).

Podrobný popis:

SELinux denied access requested by mail. It is not expected that this access is required by mail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./mail,

restorecon -v './mail'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:SystemLow-SystemHigh
Kontext cíle                  system_u:object_r:mail_spool_t
Objekty cíle                  ./mail [ dir ]
Zdroj                         mail
Cesta zdroje                  /bin/mailx
Port                          <Neznámé>
Počítač                       viklef
RPM balíčky zdroje            mailx-12.4-1.fc10
RPM balíčky cíle
RPM politiky                  selinux-policy-3.5.13-20.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim              Enforcing
Název zásuvného modulu        catchall_file
Název počítače                viklef
Platforma                     Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov 18 20:12:41 EST 2008 i686 i686
Počet upozornění              4
Poprvé viděno                 Po 24. listopad 2008, 23:20:32 CET
Naposledy viděno              Po 24. listopad 2008, 23:21:58 CET
Místní ID                     5f32417e-9811-4922-ae09-f7f50e39dc62
Čísla řádků

Původní zprávy auditu

node=viklef type=AVC msg=audit(1227565318.23:200): avc: denied { write } for pid=5498 comm="mail" name="mail" dev=dm-0 ino=1274251 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir

node=viklef type=SYSCALL msg=audit(1227565318.23:200): arch=40000003 syscall=33 success=no exit=-13 a0=bf8153d0 a1=7 a2=80a26a0 a3=bf8153d0 items=0 ppid=5436 pid=5498 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="mail" exe="/bin/mailx" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
see above + using postfix postfix-2.5.5-2.fc10.i386

How reproducible:
100%

Steps to Reproduce:
1. send email to a staff_u user (you have to do it as root, because staff_u is not able to send mail with mailx)
2. open the mail command and read the message
3. quit mailx

Actual results:
AVC denial

Expected results:
nothing bad

Additional info:
Now the executable is /bin/mailx (according to LSB), and all other aliases (including /bin/mail, /usr/bin/Mail etc.) are symlinks to it. Before F10, the executable was /bin/mail. I've found that the "selinux-policy" sources still use the old "/bin/mail". Perhaps it should be changed to /bin/mailx instead? (I'm not a guru in SELinux for now...) If so, change the component to the "selinux-policy" package.
Does mailx really need to write to /var/spool/mail? How does it do this if you are not in the mail group?
For comment #2:

> Does mailx really need to write to /var/spool/mail?

It does not need to create files/subdirs normally, but it either writes/truncates already created files (/var/spool/mail/foo in mailbox format) or works with files in a subdirectory (/var/spool/mail/foo/{cur,new,tmp} in Maildir/ format).

Regarding the "mail" group: historically (?), /bin/mail was:

-rwxr-sr-x 1 root mail 77468 Mar  5  2007 /bin/mail

i.e. it had group "mail" and the setgid bit. Later, the setgid bit was dropped (at a time when all such bits were massively dropped). At the switch to the new mailx implementation, I dropped the "mail" group as well, since without setgid it does not make any sense.
But this AVC indicates the mail program running as staff_t is trying to write to the directory /var/spool/mail, which indicates it is trying to create a file? I will give it the priv, but I'm not sure what it is doing. It also needs to write files in /var/spool/mqueue.

Fixed in selinux-policy-3.5.13-25.fc10
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle. Changing version to '10'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Actually, yes, it seems to work now. At least when trying

echo test |mail -s test matej@localhost

I see no AVC denial and the message actually gets delivered. Thanks.
Hmm, when setting SELinux into Enforcing mode (and mailx-12.4-2.fc11.x86_64, postfix-2.5.6-3.fc11.x86_64, selinux-policy-targeted-3.6.12-4.fc11.noarch) I get no AVC denial (sealert -b is empty), but an error and no mail sent:

[matej@viklef ~]$ echo 'http://vimeo.com/4063439' |mail mcepl
[matej@viklef ~]$ send-mail: fatal: chdir /var/spool/postfix: Permission denied

When switching SELinux into Permissive mode I get a lot of SELinux AVC denials in postdrop (I use postfix as my mail server on localhost). This is what audit2allow thinks:

[root@viklef ~]# ausearch -m AVC -ts today |grep post|audit2allow

#============= staff_t ==============
allow staff_t postfix_public_t:fifo_file { write open };
allow staff_t postfix_spool_maildrop_t:dir { write remove_name add_name };
allow staff_t postfix_spool_maildrop_t:file { rename write setattr read create open };
[root@viklef ~]#

---------------------------------------------------------

Souhrn:

SELinux is preventing postdrop (staff_t) "remove_name" postfix_spool_maildrop_t.

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena kvůli uvolněnému režimu.]

SELinux denied access requested by postdrop. It is not expected that this access is required by postdrop and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Kontext cíle                  system_u:object_r:postfix_spool_maildrop_t:s0
Objekty cíle                  139216.12063 [ dir ]
Zdroj                         postdrop
Cesta zdroje                  /usr/sbin/postdrop
Port                          <Neznámé>
Počítač                       viklef.ceplovi.cz
RPM balíčky zdroje            postfix-2.5.6-3.fc11
RPM balíčky cíle
RPM politiky                  selinux-policy-3.6.12-4.fc11
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim              Permissive
Název zásuvného modulu        catchall
Název počítače                viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz 2.6.29.1-70.fc11.x86_64 #1 SMP Mon Apr 13 14:16:25 EDT 2009 x86_64 x86_64
Počet upozornění              2
Poprvé viděno                 Po 20. duben 2009, 12:45:16 CEST
Naposledy viděno              Po 20. duben 2009, 12:45:16 CEST
Místní ID                     a6eb9a6c-6a6a-4826-868c-61c1d5625a60
Čísla řádků

Původní zprávy auditu

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.143:983): avc: denied { remove_name } for pid=12063 comm="postdrop" name="139216.12063" dev=dm-5 ino=39293 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.143:983): avc: denied { rename } for pid=12063 comm="postdrop" name="139216.12063" dev=dm-5 ino=39293 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

node=viklef.ceplovi.cz type=SYSCALL msg=audit(1240224316.143:983): arch=c000003e syscall=82 success=yes exit=0 a0=7fcb26c0c860 a1=7fcb26c07ca0 a2=44 a3=7fff2d87eef0 items=0 ppid=12062 pid=12063 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=90 sgid=90 fsgid=90 tty=pts0 ses=2 comm="postdrop" exe="/usr/sbin/postdrop" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

----------------------

Souhrn:

SELinux is preventing postdrop (staff_t) "setattr" postfix_spool_maildrop_t.

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena kvůli uvolněnému režimu.]

SELinux denied access requested by postdrop. It is not expected that this access is required by postdrop and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Kontext cíle                  staff_u:object_r:postfix_spool_maildrop_t:s0
Objekty cíle                  230C9997D [ file ]
Zdroj                         postdrop
Cesta zdroje                  /usr/sbin/postdrop
Port                          <Neznámé>
Počítač                       viklef.ceplovi.cz
RPM balíčky zdroje            postfix-2.5.6-3.fc11
RPM balíčky cíle
RPM politiky                  selinux-policy-3.6.12-4.fc11
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim              Permissive
Název zásuvného modulu        catchall
Název počítače                viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz 2.6.29.1-70.fc11.x86_64 #1 SMP Mon Apr 13 14:16:25 EDT 2009 x86_64 x86_64
Počet upozornění              1
Poprvé viděno                 Po 20. duben 2009, 12:45:16 CEST
Naposledy viděno              Po 20. duben 2009, 12:45:16 CEST
Místní ID                     ce7704b0-b35f-415f-bdb1-cf9823948120
Čísla řádků

Původní zprávy auditu

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.154:984): avc: denied { setattr } for pid=12063 comm="postdrop" name="230C9997D" dev=dm-5 ino=39293 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

node=viklef.ceplovi.cz type=SYSCALL msg=audit(1240224316.154:984): arch=c000003e syscall=91 success=yes exit=0 a0=4 a1=1e4 a2=137 a3=7fff2d87ef70 items=0 ppid=12062 pid=12063 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=90 sgid=90 fsgid=90 tty=pts0 ses=2 comm="postdrop" exe="/usr/sbin/postdrop" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

-------------------------

Souhrn:

SELinux is preventing postdrop (staff_t) "write" postfix_public_t.

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena kvůli uvolněnému režimu.]

SELinux denied access requested by postdrop. It is not expected that this access is required by postdrop and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Kontext cíle                  system_u:object_r:postfix_public_t:s0
Objekty cíle                  pickup [ fifo_file ]
Zdroj                         postdrop
Cesta zdroje                  /usr/sbin/postdrop
Port                          <Neznámé>
Počítač                       viklef.ceplovi.cz
RPM balíčky zdroje            postfix-2.5.6-3.fc11
RPM balíčky cíle
RPM politiky                  selinux-policy-3.6.12-4.fc11
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim              Permissive
Název zásuvného modulu        catchall
Název počítače                viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz 2.6.29.1-70.fc11.x86_64 #1 SMP Mon Apr 13 14:16:25 EDT 2009 x86_64 x86_64
Počet upozornění              2
Poprvé viděno                 Po 20. duben 2009, 12:45:16 CEST
Naposledy viděno              Po 20. duben 2009, 12:45:16 CEST
Místní ID                     0158c974-01f1-4466-8d99-e9f6d3987dad
Čísla řádků

Původní zprávy auditu

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.591:985): avc: denied { write } for pid=12063 comm="postdrop" name="pickup" dev=dm-5 ino=38619 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.591:985): avc: denied { open } for pid=12063 comm="postdrop" name="pickup" dev=dm-5 ino=38619 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file

node=viklef.ceplovi.cz type=SYSCALL msg=audit(1240224316.591:985): arch=c000003e syscall=2 success=yes exit=4 a0=7fcb26c07bb0 a1=801 a2=0 a3=11 items=0 ppid=12062 pid=12063 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=90 sgid=90 fsgid=90 tty=pts0 ses=2 comm="postdrop" exe="/usr/sbin/postdrop" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

-------------------

Souhrn:

SELinux is preventing postdrop (staff_t) "write" postfix_spool_maildrop_t.

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena kvůli uvolněnému režimu.]

SELinux denied access requested by postdrop. It is not expected that this access is required by postdrop and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Kontext cíle                  system_u:object_r:postfix_spool_maildrop_t:s0
Objekty cíle                  maildrop [ dir ]
Zdroj                         postdrop
Cesta zdroje                  /usr/sbin/postdrop
Port                          <Neznámé>
Počítač                       viklef.ceplovi.cz
RPM balíčky zdroje            postfix-2.5.6-3.fc11
RPM balíčky cíle
RPM politiky                  selinux-policy-3.6.12-4.fc11
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim              Permissive
Název zásuvného modulu        catchall
Název počítače                viklef.ceplovi.cz
Platforma                     Linux viklef.ceplovi.cz 2.6.29.1-70.fc11.x86_64 #1 SMP Mon Apr 13 14:16:25 EDT 2009 x86_64 x86_64
Počet upozornění              4
Poprvé viděno                 Po 20. duben 2009, 12:45:16 CEST
Naposledy viděno              Po 20. duben 2009, 12:45:16 CEST
Místní ID                     07f1d8fd-4f55-4525-9dd2-2ee1cd13c8aa
Čísla řádků

Původní zprávy auditu

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.139:982): avc: denied { write } for pid=12063 comm="postdrop" name="maildrop" dev=dm-5 ino=701 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.139:982): avc: denied { add_name } for pid=12063 comm="postdrop" name="139216.12063" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.139:982): avc: denied { create } for pid=12063 comm="postdrop" name="139216.12063" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.139:982): avc: denied { read write open } for pid=12063 comm="postdrop" name="139216.12063" dev=dm-5 ino=39293 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

node=viklef.ceplovi.cz type=SYSCALL msg=audit(1240224316.139:982): arch=c000003e syscall=2 success=no exit=104374232 a0=7fcb26c0c860 a1=c2 a2=1a4 a3=74 items=0 ppid=12062 pid=12063 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=90 sgid=90 fsgid=90 tty=pts0 ses=2 comm="postdrop" exe="/usr/sbin/postdrop" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
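As an added example (not part of this bug report, and not audit2allow's own code), the script below parses the raw AVC records quoted in this thread (the mail_spool_t denial from the description and the four postdrop events above), unions the denied permissions per source type, target type and object class the way audit2allow groups them before printing allow rules, and then answers the question raised earlier about the directory write: it pairs a dir add_name denial with a file create denial from the same audit event to show which denials actually correspond to a new file being created. Function names and the embedded record set are this example's own; the record set is copied from the comments above, with one SYSCALL record included to show that non-AVC records are skipped.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: audit records copied from the comments in this bug report.
SAMPLE_AUDIT = """\
node=viklef type=AVC msg=audit(1227565318.23:200): avc: denied { write } for pid=5498 comm="mail" name="mail" dev=dm-0 ino=1274251 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir
node=viklef type=SYSCALL msg=audit(1227565318.23:200): arch=40000003 syscall=33 success=no exit=-13 a0=bf8153d0 a1=7 a2=80a26a0 a3=bf8153d0 items=0 ppid=5436 pid=5498 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="mail" exe="/bin/mailx" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.139:982): avc: denied { write } for pid=12063 comm="postdrop" name="maildrop" dev=dm-5 ino=701 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.139:982): avc: denied { add_name } for pid=12063 comm="postdrop" name="139216.12063" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.139:982): avc: denied { create } for pid=12063 comm="postdrop" name="139216.12063" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.139:982): avc: denied { read write open } for pid=12063 comm="postdrop" name="139216.12063" dev=dm-5 ino=39293 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.143:983): avc: denied { remove_name } for pid=12063 comm="postdrop" name="139216.12063" dev=dm-5 ino=39293 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.143:983): avc: denied { rename } for pid=12063 comm="postdrop" name="139216.12063" dev=dm-5 ino=39293 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.154:984): avc: denied { setattr } for pid=12063 comm="postdrop" name="230C9997D" dev=dm-5 ino=39293 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.591:985): avc: denied { write } for pid=12063 comm="postdrop" name="pickup" dev=dm-5 ino=38619 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file
node=viklef.ceplovi.cz type=AVC msg=audit(1240224316.591:985): avc: denied { open } for pid=12063 comm="postdrop" name="pickup" dev=dm-5 ino=38619 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_public_t:s0 tclass=fifo_file
"""

# "type=AVC msg=audit(<ts>:<serial>): avc: denied { perms } for key=value ..."
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    serial: int          # audit event serial; records of one syscall share it
    comm: str            # process name
    name: str            # object name the kernel reported (file or dir entry)
    perms: frozenset     # permissions denied in this record
    source_type: str     # type part of scontext, e.g. staff_t
    target_type: str     # type part of tcontext, e.g. postfix_spool_maildrop_t
    tclass: str          # object class: dir, file, fifo_file, ...


def _type_of(context: str) -> str:
    # A context is user:role:type[:range]; the third field is the type.
    return context.split(":")[2]


def parse_avc(text: str) -> list:
    """Parse raw audit records; records that are not AVC denials are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append(AvcDenial(
            serial=int(m.group("serial")),
            comm=fields.get("comm", "?"),
            name=fields.get("name", "?"),
            perms=frozenset(m.group("perms").split()),
            source_type=_type_of(fields["scontext"]),
            target_type=_type_of(fields["tcontext"]),
            tclass=fields["tclass"],
        ))
    return denials


def generate_allow_rules(denials) -> list:
    """Union the denied permissions per (source type, target type, class).
    This is the grouping audit2allow applies; permissions are sorted here
    for deterministic output, so the order differs from audit2allow's."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d.source_type, d.target_type, d.tclass)].update(d.perms)
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(grouped.items())
    ]


def file_creation_events(denials) -> list:
    """Report (comm, name, directory type) for each audit event in which a
    dir add_name denial is paired with a file create denial for the same
    name by the same process: that combination is what creating a new file
    looks like. A lone dir write (as in the mail_spool_t event) does not
    prove a file was being created, so it is not reported."""
    by_serial = defaultdict(list)
    for d in denials:
        by_serial[d.serial].append(d)
    events = []
    for serial in sorted(by_serial):
        group = by_serial[serial]
        adds = [d for d in group if d.tclass == "dir" and "add_name" in d.perms]
        creates = [d for d in group if d.tclass == "file" and "create" in d.perms]
        for a in adds:
            for c in creates:
                if a.comm == c.comm and a.name == c.name:
                    events.append((c.comm, c.name, a.target_type))
    return events


if __name__ == "__main__":
    records = parse_avc(SAMPLE_AUDIT)
    print(f"{len(records)} AVC denial records")
    for rule in generate_allow_rules(records):
        print(rule)
    for comm, name, dtype in file_creation_events(records):
        print(f"{comm} was creating file {name!r} in a {dtype} directory")
```

Run against the records from this thread it prints four allow rules: the three for postdrop that audit2allow printed above (permissions in sorted order) plus the staff_t to mail_spool_t dir write from the original description. Only audit event 982 is reported as a file creation; the mail_spool_t event 200 carries a dir write alone, which is why that earlier denial could not be read as proof of file creation.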
Added ability to run postdrop to confined users.

Fixed in selinux-policy-3.6.12-9.fc11.noarch