Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 633705

Summary: "postfix set-permissions" fails with SELinux denials
Product: Red Hat Enterprise Linux 5 Reporter: Mark Watts <markrwatts>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: low    
Version: 5.5CC: dwalsh, mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-2.4.6-291.el5 Doc Type: Bug Fix
Doc Text:
With SELinux running in the enforcing mode, using the "postfix set-permissions" command failed with the following error message: /etc/postfix/postfix-script: line 263: /etc/postfix/post-install: Permission denied With this update, the "postfix_domtrans_master(unconfined_t)" transition has been removed, and the above command no longer fails to run.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2011-01-13 21:50:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mark Watts 2010-09-14 09:55:43 UTC 
Running "postfix set-permissions" results in the following log entries:


type=AVC msg=audit(1284456712.787:5563): avc:  denied  { execute } for  pid=11266 comm="postfix-script" name="post-install" dev=dm-0 ino=1147458 scontext=user_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file

type=SYSCALL msg=audit(1284456712.787:5563): arch=40000003 syscall=11 success=no exit=-13 a0=8c1d230 a1=8c1d308 a2=8c12e98 a3=0 items=0 ppid=11265 pid=11266 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=875 comm="postfix-script" exe="/bin/bash" subj=user_u:system_r:postfix_master_t:s0 key=(null)

type=AVC msg=audit(1284456712.787:5564): avc:  denied  { execute } for  pid=11266 comm="postfix-script" name="post-install" dev=dm-0 ino=1147458 scontext=user_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file

type=SYSCALL msg=audit(1284456712.787:5564): arch=40000003 syscall=33 success=no exit=-13 a0=8c1d230 a1=1 a2=11 a3=8c1d230 items=0 ppid=11265 pid=11266 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=875 comm="postfix-script" exe="/bin/bash" subj=user_u:system_r:postfix_master_t:s0 key=(null)
Comment 4 Miroslav Grepl 2010-11-09 18:01:42 UTC 
Fixed in selinux-policy-2.4.6-291.el5
Comment 7 Jaromir Hradilek 2011-01-05 16:20:02 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
With SELinux running in the enforcing mode, using the "postfix set-permissions" command failed with the following error message:

  /etc/postfix/postfix-script: line 263: /etc/postfix/post-install: Permission denied

With this update, the "postfix_domtrans_master(unconfined_t)" transition has been removed, and the above command no longer fails to run.
Comment 9 errata-xmlrpc 2011-01-13 21:50:22 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html