Bug 627208 - postfix_local_t cannot read usr_t files
Summary: postfix_local_t cannot read usr_t files
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 13
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
Depends On:
Reported: 2010-08-25 11:51 UTC by Joel Uckelman
Modified: 2010-08-31 06:39 UTC (History)

Fixed In Version: selinux-policy-3.7.19-51.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-08-31 06:39:50 UTC
Type: ---


Description Joel Uckelman 2010-08-25 11:51:49 UTC
Description of problem:

The postfix_local_t domain cannot read files in the usr_t context. One of the useful things which the postfix local delivery daemon (which runs in the postfix_local_t domain) can do is pipe mail sent to a local address to a script. If that script happens to be a Perl script which in turn loads some Perl modules, those modules will likely live under /usr/share/perl5 and have the usr_t context. If postfix_local_t lacks permission to read these files, then such scripts will fail.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Use postfix for delivering your mail.
2. Add an alias to /etc/aliases mapping some address to a Perl script.
3. Load some modules in that script, e.g., "use LWP::UserAgent;".
4. Send some mail to the address.
Actual results:

Various AVCs.

Expected results:

No AVCs.

Additional info:

I worked around this problem by adding the following policy module: 

module local 1.0;

require {
  type postfix_local_t;
  type usr_t;
  class file { getattr read open ioctl };
}

#============= postfix_local_t ==============
allow postfix_local_t usr_t:file { getattr read open ioctl };

This was sufficient for my particular script to work properly.
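
An added example, not code from the bug report or from the selinux-policy project: a small Python script in the spirit of audit2allow that aggregates AVC denial records from audit.log into a loadable-module source of the same shape as the workaround above (module / require / allow). The audit lines in SAMPLE_AUDIT_LOG are constructed to mirror the scenario in this report (perl running as postfix_local_t failing to read a usr_t file); the names SAMPLE_AUDIT_LOG, parse_denials and render_module are chosen here. The generated rule is as broad as the reporter's (every usr_t file becomes readable by postfix_local_t), so review each allow line before loading it.

```python
import re
import sys
from collections import defaultdict

# Constructed sample audit records (not taken from the bug report). The layout
# follows the AVC records auditd writes to /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1282736000.101:201): avc:  denied  { search } for  pid=4321 comm="perl" name="perl5" dev=sda1 ino=1001 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1282736000.102:202): avc:  denied  { getattr } for  pid=4321 comm="perl" path="/usr/share/perl5/LWP/UserAgent.pm" dev=sda1 ino=123456 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1282736000.103:203): avc:  denied  { read open } for  pid=4321 comm="perl" name="UserAgent.pm" dev=sda1 ino=123456 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1282736000.103:203): arch=c000003e syscall=2 success=no exit=-13 comm="perl"
type=AVC msg=audit(1282736000.104:204): avc:  denied  { ioctl } for  pid=4321 comm="perl" path="/usr/share/perl5/LWP/UserAgent.pm" dev=sda1 ino=123456 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
"""

# Pull the permission set, both contexts and the object class out of one AVC
# record. Records of other types (SYSCALL, PATH, ...) do not match.
AVC_RE = re.compile(
    r'type=AVC\b.*?\bdenied\s+\{\s*(?P<perms>[^}]*)\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\w+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % ctx)
    return parts[2]


def parse_denials(log_text):
    """Aggregate AVC denials into {(source_type, target_type, class): {perms}}.

    Several denials for the same (source, target, class) triple are merged, so
    the getattr/read/open/ioctl denials above collapse into one allow rule.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m.group('scontext')),
               context_type(m.group('tcontext')),
               m.group('tclass'))
        rules[key].update(m.group('perms').split())
    return dict(rules)


def render_module(rules, name='local', version='1.0'):
    """Render aggregated denials as .te source: module, require block, allows."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    lines = ["module %s %s;" % (name, version), "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(p)))
              for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        lines.append("allow %s %s:%s { %s };"
                     % (src, tgt, cls, " ".join(sorted(perms))))
    return "\n".join(lines) + "\n"


if __name__ == '__main__':
    # Read audit records from a file given on the command line, else use the
    # constructed sample, and print the resulting module source.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    sys.stdout.write(render_module(parse_denials(text)))
```

The output can be saved as local.te and built and loaded the same way as any hand-written module: checkmodule -M -m -o local.mod local.te, then semodule_package -o local.pp -m local.mod, then semodule -i local.pp (all from policycoreutils/checkpolicy). In practice audit2allow -M local does this aggregation for you; the point of writing it out is to see that the allow rule is derived only from what was actually denied, and that anything beyond that has to be added by hand.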

Comment 1 Daniel Walsh 2010-08-25 13:36:28 UTC
Miroslav add


Comment 2 Fedora Update System 2010-08-25 15:36:43 UTC
selinux-policy-3.7.19-51.fc13 has been submitted as an update for Fedora 13.

Comment 3 Joel Uckelman 2010-08-25 16:21:24 UTC
I tested selinux-policy-3.7.19-51.fc13 without my custom module. It works.

You guys are to be commended for your turnaround time on this---less than four hours! This is one of the reasons I love Fedora.

Comment 4 Fedora Update System 2010-08-26 00:59:28 UTC
selinux-policy-3.7.19-51.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-51.fc13

Comment 5 Fedora Update System 2010-08-31 06:38:37 UTC
selinux-policy-3.7.19-51.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
