Bug 633705 - "postfix set-permissions" fails with SELinux denials
Summary: "postfix set-permissions" fails with SELinux denials
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.5
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-09-14 09:55 UTC by Mark Watts
Modified: 2012-10-15 14:46 UTC (History)
2 users (show)

(edit)
With SELinux running in the enforcing mode, using the "postfix set-permissions" command failed with the following error message:

  /etc/postfix/postfix-script: line 263: /etc/postfix/post-install: Permission denied

With this update, the "postfix_domtrans_master(unconfined_t)" transition has been removed, and the above command no longer fails to run.
Clone Of:
(edit)
Last Closed: 2011-01-13 21:50:22 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0026 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-01-12 16:11:15 UTC

Description Mark Watts 2010-09-14 09:55:43 UTC
Running "postfix set-permissions" results in the following log entries:


type=AVC msg=audit(1284456712.787:5563): avc:  denied  { execute } for  pid=11266 comm="postfix-script" name="post-install" dev=dm-0 ino=1147458 scontext=user_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file

type=SYSCALL msg=audit(1284456712.787:5563): arch=40000003 syscall=11 success=no exit=-13 a0=8c1d230 a1=8c1d308 a2=8c12e98 a3=0 items=0 ppid=11265 pid=11266 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=875 comm="postfix-script" exe="/bin/bash" subj=user_u:system_r:postfix_master_t:s0 key=(null)

type=AVC msg=audit(1284456712.787:5564): avc:  denied  { execute } for  pid=11266 comm="postfix-script" name="post-install" dev=dm-0 ino=1147458 scontext=user_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file

type=SYSCALL msg=audit(1284456712.787:5564): arch=40000003 syscall=33 success=no exit=-13 a0=8c1d230 a1=1 a2=11 a3=8c1d230 items=0 ppid=11265 pid=11266 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=875 comm="postfix-script" exe="/bin/bash" subj=user_u:system_r:postfix_master_t:s0 key=(null)

Comment 4 Miroslav Grepl 2010-11-09 18:01:42 UTC
Fixed in selinux-policy-2.4.6-291.el5

Comment 7 Jaromir Hradilek 2011-01-05 16:20:02 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
With SELinux running in the enforcing mode, using the "postfix set-permissions" command failed with the following error message:

  /etc/postfix/postfix-script: line 263: /etc/postfix/post-install: Permission denied

With this update, the "postfix_domtrans_master(unconfined_t)" transition has been removed, and the above command no longer fails to run.

Comment 9 errata-xmlrpc 2011-01-13 21:50:22 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html


Note You need to log in before you can comment on or make changes to this bug.