627208 – postfix_local_t cannot read usr_t files

Bug 627208 - postfix_local_t cannot read usr_t files

Summary: postfix_local_t cannot read usr_t files

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	13
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-08-25 11:51 UTC by Joel Uckelman
Modified:	2010-08-31 06:39 UTC (History)
CC List:	0 users
Fixed In Version:	selinux-policy-3.7.19-51.fc13
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-08-31 06:39:50 UTC
Type:	---
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Joel Uckelman 2010-08-25 11:51:49 UTC

Description of problem:

The postfix_local_t domain cannot read files in the usr_t context. One of the useful things which the postfix local delivery daemon (which runs in the postfix_local_t domain) can do is pipe mail sent to a local address to a script. If that script happens to be a Perl script which in turn loads some Perl modules, those modules will likely live under /usr/share/perl5 and have the usr_t context. If postfix_local_t lacks permission to read these files, then such scripts will fail.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.7.19-47.fc13.noarch

How reproducible:

Always.

Steps to Reproduce:
1. Use postfix for delivering your mail.
2. Add an alias to /etc/aliases mapping some address to a Perl script.
3. Load some modules in that script, e.g., "use LWP::UserAgent;".
4. Send some mail to the address.
  
Actual results:

Various AVCs.

Expected results:

No AVCs.


Additional info:

I worked around this problem by adding the following policy module: 


module local 1.0;

require {
  type postfix_local_t;
  type usr_t;
  class file { getattr read open ioctl };
}

#============= postfix_local_t ==============
allow postfix_local_t usr_t:file { getattr read open ioctl };



This was sufficient for my particular script to work properly.

Comment 1 Daniel Walsh 2010-08-25 13:36:28 UTC

Miroslav add

	files_read_usr_files(postfix_$1_t)
to
`postfix_domain_template'

Comment 2 Fedora Update System 2010-08-25 15:36:43 UTC

selinux-policy-3.7.19-51.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-51.fc13

Comment 3 Joel Uckelman 2010-08-25 16:21:24 UTC

I tested selinux-policy-3.7.19-51.fc13 without my custom module. It works.

You guys are to be commended for your turnaround time on this---less than four hours! This is one of the reasons I love Fedora.

Comment 4 Fedora Update System 2010-08-26 00:59:28 UTC

selinux-policy-3.7.19-51.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-51.fc13

Comment 5 Fedora Update System 2010-08-31 06:38:37 UTC

selinux-policy-3.7.19-51.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.