Bug 592752 - Postfix can't chroot
Summary: Postfix can't chroot
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-05-16 17:28 UTC by David Kovalsky
Modified: 2014-03-31 23:45 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, SELinux prevented the Postfix mail transfer agent from creating a chroot environment. This issue has been resolved, and relevant rules have been added to permit this operation.
Clone Of:
Environment:
Last Closed: 2011-01-13 21:49:38 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2011:0026 | 0 | normal | SHIPPED_LIVE | selinux-policy bug fix and enhancement update | 2011-01-12 16:11:15 UTC

Description David Kovalsky 2010-05-16 17:28:10 UTC
I have configured postfix + amavis + clamav, but it doesn't work, because postfix can't chroot. 

type=AVC msg=audit(1274033642.497:2669): avc:  denied  { sys_chroot } for  pid=10323 comm="smtpd" capability=18 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:system_r:postfix_smtpd_t:s0 tclass=capability  

maillog gets filled with
May 16 20:16:04 services-ha-01 postfix/smtpd[10480]: fatal: chroot(/var/spool/postfix): Operation not permitted
May 16 20:16:05 services-ha-01 postfix/master[8601]: warning: process /usr/libexec/postfix/smtpd pid 10480 exit status 1
May 16 20:16:05 services-ha-01 postfix/master[8601]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling


postfix-2.3.3-2

Comment 1 Daniel Walsh 2010-05-17 13:36:38 UTC
This is allowed in RHEL6. Miroslav, can you add this permission?

You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
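
A narrower variant of the interim workaround in comment 1, as an added example that is not part of the original thread: instead of feeding every AVC in the audit log to audit2allow, it selects only the self-directed sys_chroot capability denials from postfix_*_t domains and prints the module source for review. The module name postfixchroot, the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn only postfix sys_chroot denials into a policy module.

# Constructed sample records modelled on this report; the last one is an
# unrelated denial that must not be carried into the module.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1274033642.497:2669): avc:  denied  { sys_chroot } for  pid=10323 comm="smtpd" capability=18 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:system_r:postfix_smtpd_t:s0 tclass=capability
type=AVC msg=audit(1289835038.190:83): avc:  denied  { sys_chroot } for  pid=15932 comm="qmgr" capability=18 scontext=root:system_r:postfix_qmgr_t:s0 tcontext=root:system_r:postfix_qmgr_t:s0 tclass=capability
type=AVC msg=audit(1289835038.190:84): avc:  denied  { sys_chroot } for  pid=15933 comm="qmgr" capability=18 scontext=root:system_r:postfix_qmgr_t:s0 tcontext=root:system_r:postfix_qmgr_t:s0 tclass=capability
type=AVC msg=audit(1289835040.000:90): avc:  denied  { read } for  pid=200 comm="httpd" name="shadow" scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
EOF
}

# stdin: raw audit records; stdout: unique postfix_*_t domains that were
# denied the sys_chroot capability on themselves.
postfix_chroot_domains() {
    awk '/avc: +denied +\{[^}]* sys_chroot / {
        s = t = ""; cap = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }
            if ($i == "tclass=capability") cap = 1
        }
        if (cap && s == t && s ~ /^postfix_[a-z_]+_t$/) print s
    }' | sort -u
}

# $1: module name (hypothetical); stdin: raw audit records; stdout: .te source.
# Returns 1 and prints nothing when no matching denial is found.
emit_module() {
    domains=$(postfix_chroot_domains)
    [ -n "$domains" ] || return 1
    echo "module $1 1.0;"
    echo
    echo "require {"
    for d in $domains; do echo "    type $d;"; done
    echo "    class capability sys_chroot;"
    echo "}"
    echo
    for d in $domains; do echo "allow $d self:capability sys_chroot;"; done
}

# Print the module for the constructed sample; on a real host, pipe
# /var/log/audit/audit.log into emit_module instead.
sample_log | emit_module postfixchroot
```

After reviewing the output, save it as postfixchroot.te and build it with `checkmodule -M -m -o postfixchroot.mod postfixchroot.te` and `semodule_package -o postfixchroot.pp -m postfixchroot.mod` before loading it with `semodule -i`.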

Comment 2 Miroslav Grepl 2010-07-22 09:23:29 UTC
Fixed in selinux-policy-2.4.6-281.el5.noarch

Comment 7 Karel Srot 2010-11-15 15:37:04 UTC
Trying to reproduce this bug. As the first step I have configured various services from default master.cf to be chrooted (using http://www.wains.be/pub/postfix-chroot) and (after restorecon -R /var/spool/postfix/lib) I am getting the following AVCs:

----
time->Mon Nov 15 16:30:38 2010
type=SYSCALL msg=audit(1289835038.190:83): arch=40000003 syscall=61 success=no exit=-1 a0=831e3a0 a1=c62a00 a2=d2cff4 a3=59 items=0 ppid=15929 pid=15932 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=4 comm="qmgr" exe="/usr/libexec/postfix/qmgr" subj=root:system_r:postfix_qmgr_t:s0 key=(null)
type=AVC msg=audit(1289835038.190:83): avc:  denied  { sys_chroot } for  pid=15932 comm="qmgr" capability=18 scontext=root:system_r:postfix_qmgr_t:s0 tcontext=root:system_r:postfix_qmgr_t:s0 tclass=capability
----
time->Mon Nov 15 16:30:38 2010
type=SYSCALL msg=audit(1289835038.174:82): arch=40000003 syscall=61 success=no exit=-1 a0=933d3a0 a1=95ba00 a2=f75ff4 a3=59 items=0 ppid=15929 pid=15931 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=4 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=root:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1289835038.174:82): avc:  denied  { sys_chroot } for  pid=15931 comm="pickup" capability=18 scontext=root:system_r:postfix_pickup_t:s0 tcontext=root:system_r:postfix_pickup_t:s0 tclass=capability

I think this should be also allowed. 
On the other hand, I can't see AVC from #c0, even with old selinux-policy.

Comment 8 Karel Srot 2010-11-16 10:15:46 UTC
Got even more AVCs after sending an email (additional services have been executed). Maybe there should be a boolean for chrooted postfix. Still working on the amavis stuff.

[root@rhel5 ~]# ausearch -m avc
----
time->Tue Nov 16 10:13:19 2010
type=SYSCALL msg=audit(1289898799.613:33): arch=40000003 syscall=61 success=yes exit=0 a0=9ab43a8 a1=484a00 a2=d2fff4 a3=59 items=0 ppid=3500 pid=3502 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=root:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1289898799.613:33): avc:  denied  { sys_chroot } for  pid=3502 comm="pickup" capability=18 scontext=root:system_r:postfix_pickup_t:s0 tcontext=root:system_r:postfix_pickup_t:s0 tclass=capability
----
time->Tue Nov 16 10:13:19 2010
type=SYSCALL msg=audit(1289898799.632:34): arch=40000003 syscall=61 success=yes exit=0 a0=8de23a8 a1=620a00 a2=8bbff4 a3=59 items=0 ppid=3500 pid=3503 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="qmgr" exe="/usr/libexec/postfix/qmgr" subj=root:system_r:postfix_qmgr_t:s0 key=(null)
type=AVC msg=audit(1289898799.632:34): avc:  denied  { sys_chroot } for  pid=3503 comm="qmgr" capability=18 scontext=root:system_r:postfix_qmgr_t:s0 tcontext=root:system_r:postfix_qmgr_t:s0 tclass=capability
----
time->Tue Nov 16 10:13:40 2010
type=SYSCALL msg=audit(1289898820.850:36): arch=40000003 syscall=61 success=yes exit=0 a0=84923e0 a1=e57a00 a2=4f1ff4 a3=59 items=0 ppid=3500 pid=3513 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="trivial-rewrite" exe="/usr/libexec/postfix/trivial-rewrite" subj=root:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1289898820.850:36): avc:  denied  { sys_chroot } for  pid=3513 comm="trivial-rewrite" capability=18 scontext=root:system_r:postfix_master_t:s0 tcontext=root:system_r:postfix_master_t:s0 tclass=capability
----
time->Tue Nov 16 10:13:40 2010
type=SYSCALL msg=audit(1289898820.871:37): arch=40000003 syscall=61 success=yes exit=0 a0=8ce83a8 a1=0 a2=a4dff4 a3=a50c08 items=0 ppid=3500 pid=3514 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="local" exe="/usr/libexec/postfix/local" subj=root:system_r:postfix_local_t:s0 key=(null)
type=AVC msg=audit(1289898820.871:37): avc:  denied  { sys_chroot } for  pid=3514 comm="local" capability=18 scontext=root:system_r:postfix_local_t:s0 tcontext=root:system_r:postfix_local_t:s0 tclass=capability
----
time->Tue Nov 16 10:13:40 2010
type=SYSCALL msg=audit(1289898820.826:35): arch=40000003 syscall=61 success=yes exit=0 a0=8f2d3a8 a1=330a00 a2=fa9ff4 a3=59 items=0 ppid=3500 pid=3512 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=root:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1289898820.826:35): avc:  denied  { sys_chroot } for  pid=3512 comm="cleanup" capability=18 scontext=root:system_r:postfix_cleanup_t:s0 tcontext=root:system_r:postfix_cleanup_t:s0 tclass=capability
----
time->Tue Nov 16 10:13:40 2010
type=SYSCALL msg=audit(1289898820.911:38): arch=40000003 syscall=61 success=yes exit=0 a0=82263a8 a1=362140 a2=5f1ff4 a3=59 items=0 ppid=3500 pid=3515 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="bounce" exe="/usr/libexec/postfix/bounce" subj=root:system_r:postfix_bounce_t:s0 key=(null)
type=AVC msg=audit(1289898820.911:38): avc:  denied  { sys_chroot } for  pid=3515 comm="bounce" capability=18 scontext=root:system_r:postfix_bounce_t:s0 tcontext=root:system_r:postfix_bounce_t:s0 tclass=capability

Comment 9 David Kovalsky 2010-11-16 10:36:10 UTC
I think chrooting should be enabled and boolean is not needed. 

Or is there any harm in allowing a service (postfix services) to chroot? It seems like a good security practice to cut down on the privs as much as possible.

Comment 10 Miroslav Grepl 2010-11-16 12:11:22 UTC
I think we should just allow it in postfix_domain_template()


allow postfix_$1_t self:capability sys_chroot;

Comment 11 Karel Srot 2010-11-16 14:53:02 UTC
Chroot should probably be enabled for all available postfix services. Looking into /usr/libexec/postfix/, the following contexts are present:

postfix_bounce_exec_t postfix_cleanup_exec_t postfix_exec_t postfix_local_exec_t postfix_master_exec_t postfix_pickup_exec_t postfix_pipe_exec_t postfix_qmgr_exec_t postfix_showq_exec_t postfix_smtpd_exec_t postfix_smtp_exec_t postfix_virtual_exec_t

I am not sure about postfix_exec_t but all the rest should be postfix services from master.cf.

Comment 12 Miroslav Grepl 2010-11-16 15:09:40 UTC
Karel,
could you test it with the latest policy (-273), which I built a while ago?

Comment 13 Karel Srot 2010-11-16 16:16:56 UTC
Looks fine. No AVCs at all.

Comment 15 Jaromir Hradilek 2011-01-05 16:15:03 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, SELinux prevented the Postfix mail transfer agent from creating a chroot environment. This issue has been resolved, and relevant rules have been added to permit this operation.

Comment 17 errata-xmlrpc 2011-01-13 21:49:38 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html
