Description of problem:
Using the nagios check_mailqueue plugin gives the following AVCs:

type=AVC msg=audit(1276440026.233:151): avc: denied { write } for pid=3044 comm="postqueue" path="pipe:[83505]" dev=pipefs ino=83505 scontext=unconfined_u:system_r:postfix_postqueue_t:s0 tcontext=unconfined_u:system_r:nagios_mail_plugin_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1276440026.233:151): arch=c000003e syscall=59 success=yes exit=0 a0=7f658789c040 a1=7f658789c0a0 a2=7f658789be70 a3=7fff87d68320 items=2 ppid=3043 pid=3044 auid=10001 uid=497 gid=493 euid=497 suid=497 fsuid=497 egid=90 sgid=90 fsgid=90 tty=(none) ses=10 comm="postqueue" exe="/usr/sbin/postqueue" subj=unconfined_u:system_r:postfix_postqueue_t:s0 key=(null)
type=EXECVE msg=audit(1276440026.233:151): argc=2 a0="postqueue" a1="-p"
type=CWD msg=audit(1276440026.233:151): cwd="/var/spool/postfix"
type=PATH msg=audit(1276440026.233:151): item=0 name="/usr/sbin/postqueue" inode=19474 dev=fc:01 mode=0102755 ouid=0 ogid=90 rdev=00:00 obj=system_u:object_r:postfix_postqueue_exec_t:s0
type=PATH msg=audit(1276440026.233:151): item=1 name=(null) inode=5427 dev=fc:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=AVC msg=audit(1276440026.268:152): avc: denied { getattr } for pid=3044 comm="postqueue" path="pipe:[83505]" dev=pipefs ino=83505 scontext=unconfined_u:system_r:postfix_postqueue_t:s0 tcontext=unconfined_u:system_r:nagios_mail_plugin_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1276440026.268:152): arch=c000003e syscall=5 success=yes exit=128 a0=1 a1=7fff6f9488f0 a2=7fff6f9488f0 a3=7fff6f948680 items=0 ppid=3043 pid=3044 auid=10001 uid=497 gid=493 euid=497 suid=497 fsuid=497 egid=90 sgid=90 fsgid=90 tty=(none) ses=10 comm="postqueue" exe="/usr/sbin/postqueue" subj=unconfined_u:system_r:postfix_postqueue_t:s0 key=(null)
type=AVC msg=audit(1276440026.476:153): avc: denied { sigchld } for pid=3043 comm="check_mailq" scontext=unconfined_u:system_r:postfix_postqueue_t:s0 tcontext=unconfined_u:system_r:nagios_mail_plugin_t:s0 tclass=process
type=SYSCALL msg=audit(1276440026.476:153): arch=c000003e syscall=61 success=yes exit=3044 a0=be4 a1=7fff30cdfd1c a2=0 a3=0 items=0 ppid=3042 pid=3043 auid=10001 uid=497 gid=493 euid=497 suid=497 fsuid=497 egid=493 sgid=493 fsgid=493 tty=(none) ses=10 comm="check_mailq" exe="/usr/bin/perl" subj=unconfined_u:system_r:nagios_mail_plugin_t:s0 key=(null)

Version-Release number of selected component (if applicable):
[root@mirror1a ~]# rpm -q nagios-plugins-mailq selinux-policy-targeted
nagios-plugins-mailq-1.4.14-3.fc12.1.x86_64
selinux-policy-targeted-3.6.32-116.fc12.noarch
[root@mirror1a ~]# uname -r
2.6.32.12-115.fc12.x86_64
allow postfix_postqueue_t nagios_mail_plugin_t:fifo_file { write getattr };
allow postfix_postqueue_t nagios_mail_plugin_t:process sigchld;

We need a way in policy to handle this type of inheritance.
nagios_mail_plugin_t -> send_mail_t -> postfix_t -> postfix_postqueue_t
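The two allow rules above are exactly what you get by merging the three AVC denials in the report by (source type, target type, object class), which is what audit2allow does. The script below is an added illustration, not part of this bug or of the selinux-policy package: it parses the AVC records (embedded here as a constructed sample copied from the report, with the non-AVC records abbreviated) and derives those rules; the interface-based fix discussed later in the thread is the preferred resolution, and raw rules like these are only the diagnostic step.

```python
import re
from collections import OrderedDict

# Constructed sample of audit.log lines, taken from the AVC records in this bug report.
# Non-AVC records (SYSCALL/EXECVE/PATH/...) carry no denial and are skipped by the parser.
AVC_SAMPLE = """\
type=AVC msg=audit(1276440026.233:151): avc: denied { write } for pid=3044 comm="postqueue" path="pipe:[83505]" dev=pipefs ino=83505 scontext=unconfined_u:system_r:postfix_postqueue_t:s0 tcontext=unconfined_u:system_r:nagios_mail_plugin_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1276440026.233:151): arch=c000003e syscall=59 success=yes exit=0 comm="postqueue" exe="/usr/sbin/postqueue"
type=AVC msg=audit(1276440026.268:152): avc: denied { getattr } for pid=3044 comm="postqueue" path="pipe:[83505]" dev=pipefs ino=83505 scontext=unconfined_u:system_r:postfix_postqueue_t:s0 tcontext=unconfined_u:system_r:nagios_mail_plugin_t:s0 tclass=fifo_file
type=AVC msg=audit(1276440026.476:153): avc: denied { sigchld } for pid=3043 comm="check_mailq" scontext=unconfined_u:system_r:postfix_postqueue_t:s0 tcontext=unconfined_u:system_r:nagios_mail_plugin_t:s0 tclass=process
"""

# One AVC denial record: the permission set in braces, then the two contexts and the class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Extract the type field from a user:role:type[:level] security context."""
    return context.split(':')[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, [perms]) for every AVC denial in text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m['scontext']), type_of(m['tcontext']),
                   m['tclass'], m['perms'].split())


def derive_allow_rules(text):
    """Merge denials that share (source, target, class) into one allow rule each,
    preserving first-seen order of both rules and permissions."""
    merged = OrderedDict()
    for src, tgt, cls, perms in parse_denials(text):
        bucket = merged.setdefault((src, tgt, cls), [])
        for p in perms:
            if p not in bucket:
                bucket.append(p)
    rules = []
    for (src, tgt, cls), perms in merged.items():
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules


if __name__ == '__main__':
    print('\n'.join(derive_allow_rules(AVC_SAMPLE)))
```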
Miroslav, if you add mta_mailserver_user_agent(postfix_postqueue_t) it should solve this.
Fixed in selinux-policy-3.6.32-119.fc12
selinux-policy-3.7.19-33.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-33.fc13
selinux-policy-3.7.19-33.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.