Bug 603499 - nrpe check_mailq AVC's
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 12
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Miroslav Grepl
Ben Levenson
Reported: 2010-06-13 10:44 EDT by Ruben Kerkhof
Modified: 2010-07-06 13:08 EDT
Fixed In Version: selinux-policy-3.7.19-33.fc13
Doc Type: Bug Fix
Last Closed: 2010-07-06 13:08:16 EDT
Description Ruben Kerkhof 2010-06-13 10:44:00 EDT
Description of problem:

Using the nagios check_mailqueue plugin gives the following AVCs:

type=AVC msg=audit(1276440026.233:151): avc:  denied  { write } for  pid=3044 comm="postqueue" path="pipe:[83505]" dev=pipefs ino=83505 scontext=unconfined_u:system_r:postfix_postqueue_t:s0 tcontext=unconfined_u:system_r:nagios_mail_plugin_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1276440026.233:151): arch=c000003e syscall=59 success=yes exit=0 a0=7f658789c040 a1=7f658789c0a0 a2=7f658789be70 a3=7fff87d68320 items=2 ppid=3043 pid=3044 auid=10001 uid=497 gid=493 euid=497 suid=497 fsuid=497 egid=90 sgid=90 fsgid=90 tty=(none) ses=10 comm="postqueue" exe="/usr/sbin/postqueue" subj=unconfined_u:system_r:postfix_postqueue_t:s0 key=(null)
type=EXECVE msg=audit(1276440026.233:151): argc=2 a0="postqueue" a1="-p"
type=CWD msg=audit(1276440026.233:151):  cwd="/var/spool/postfix"
type=PATH msg=audit(1276440026.233:151): item=0 name="/usr/sbin/postqueue" inode=19474 dev=fc:01 mode=0102755 ouid=0 ogid=90 rdev=00:00 obj=system_u:object_r:postfix_postqueue_exec_t:s0
type=PATH msg=audit(1276440026.233:151): item=1 name=(null) inode=5427 dev=fc:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=AVC msg=audit(1276440026.268:152): avc:  denied  { getattr } for  pid=3044 comm="postqueue" path="pipe:[83505]" dev=pipefs ino=83505 scontext=unconfined_u:system_r:postfix_postqueue_t:s0 tcontext=unconfined_u:system_r:nagios_mail_plugin_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1276440026.268:152): arch=c000003e syscall=5 success=yes exit=128 a0=1 a1=7fff6f9488f0 a2=7fff6f9488f0 a3=7fff6f948680 items=0 ppid=3043 pid=3044 auid=10001 uid=497 gid=493 euid=497 suid=497 fsuid=497 egid=90 sgid=90 fsgid=90 tty=(none) ses=10 comm="postqueue" exe="/usr/sbin/postqueue" subj=unconfined_u:system_r:postfix_postqueue_t:s0 key=(null)
type=AVC msg=audit(1276440026.476:153): avc:  denied  { sigchld } for  pid=3043 comm="check_mailq" scontext=unconfined_u:system_r:postfix_postqueue_t:s0 tcontext=unconfined_u:system_r:nagios_mail_plugin_t:s0 tclass=process
type=SYSCALL msg=audit(1276440026.476:153): arch=c000003e syscall=61 success=yes exit=3044 a0=be4 a1=7fff30cdfd1c a2=0 a3=0 items=0 ppid=3042 pid=3043 auid=10001 uid=497 gid=493 euid=497 suid=497 fsuid=497 egid=493 sgid=493 fsgid=493 tty=(none) ses=10 comm="check_mailq" exe="/usr/bin/perl" subj=unconfined_u:system_r:nagios_mail_plugin_t:s0 key=(null)


Version-Release number of selected component (if applicable):

[root@mirror1a ~]# rpm -q nagios-plugins-mailq selinux-policy-targeted
nagios-plugins-mailq-1.4.14-3.fc12.1.x86_64
selinux-policy-targeted-3.6.32-116.fc12.noarch

[root@mirror1a ~]# uname -r
2.6.32.12-115.fc12.x86_64
Comment 1 Daniel Walsh 2010-06-14 18:58:58 EDT
allow postfix_postqueue_t nagios_mail_plugin_t:fifo_file { write getattr };
allow postfix_postqueue_t nagios_mail_plugin_t:process sigchld;

We need a way in policy to handle this type of inheritance.

nagios_mail_plugin_t -> send_mail_t -> postfix_t -> postfix_postqueue_t
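
The step from the AVC records in the description to the two allow rules in Comment 1, as an added example (not part of the bug report and not audit2allow's own code). The function names are hypothetical; the sample lines are the records from the description, trimmed to three AVC lines and one EXECVE line.

```python
import re
from collections import defaultdict

# Records copied from the bug description above; the SYSCALL/CWD/PATH records
# are left out because only type=AVC lines carry the denied permission.
SAMPLE = '''\
type=AVC msg=audit(1276440026.233:151): avc:  denied  { write } for  pid=3044 comm="postqueue" path="pipe:[83505]" dev=pipefs ino=83505 scontext=unconfined_u:system_r:postfix_postqueue_t:s0 tcontext=unconfined_u:system_r:nagios_mail_plugin_t:s0 tclass=fifo_file
type=EXECVE msg=audit(1276440026.233:151): argc=2 a0="postqueue" a1="-p"
type=AVC msg=audit(1276440026.268:152): avc:  denied  { getattr } for  pid=3044 comm="postqueue" path="pipe:[83505]" dev=pipefs ino=83505 scontext=unconfined_u:system_r:postfix_postqueue_t:s0 tcontext=unconfined_u:system_r:nagios_mail_plugin_t:s0 tclass=fifo_file
type=AVC msg=audit(1276440026.476:153): avc:  denied  { sigchld } for  pid=3043 comm="check_mailq" scontext=unconfined_u:system_r:postfix_postqueue_t:s0 tcontext=unconfined_u:system_r:nagios_mail_plugin_t:s0 tclass=process
'''

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    # A context is user:role:type:level; the type is the third field.
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Group denials by (source type, target type, class) and emit allow rules."""
    grouped = defaultdict(list)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL, EXECVE, CWD, PATH records
        m = AVC_RE.search(line)
        if m is None:
            continue  # not a denial (e.g. a granted record) or malformed
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        for perm in m["perms"].split():
            if perm not in grouped[key]:
                grouped[key].append(perm)
    rules = []
    for (src, tgt, cls), perms in grouped.items():
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE)))
```

Rules derived this way are candidates for review, not a policy to load as-is; the fix proposed in Comment 2 uses a policy interface call instead of these raw allow rules.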
Comment 2 Daniel Walsh 2010-06-14 19:03:15 EDT
Miroslav, if you add

mta_mailserver_user_agent(postfix_postqueue_t)

it should solve this.
Comment 3 Miroslav Grepl 2010-06-23 03:50:49 EDT
Fixed in selinux-policy-3.6.32-119.fc12
Comment 4 Fedora Update System 2010-06-30 15:53:57 EDT
selinux-policy-3.7.19-33.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13
Comment 5 Fedora Update System 2010-07-01 14:47:44 EDT
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13
Comment 6 Fedora Update System 2010-07-06 13:06:13 EDT
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
