Description of problem:
I am trying to use postfix on a F14 system with SELinux targeted policy enabled. There are two problems with respect to ~/.forward files:

1) postfix local(8) cannot execute programs referenced by ~/.forward:

$ cat .forward
|"/home/kas/bin/handle_mail arg1 arg2 ..."

Receiving mail then fails with the following error in /var/log/maillog:

Jan 19 17:55:00 myhost postfix/local[10038]: 67FB8DF37C: to=<kas>, orig_to=<kas>, relay=local, delay=504, delays=504/0.02/0/0.08, dsn=4.3.0, status=deferred (temporary failure. Command output: local: fatal: execvp /home/kas/bin/handle_mail: Permission denied )

Audit2allow then recommends the following change:

allow postfix_local_t home_bin_t:dir search;

(which I guess would not be sufficient to run a script which then filters my incoming mail).

2) when the "recipient_delimiter = +" option is set in /etc/postfix/main.cf, postfix is supposed to deliver mail to user+extension@mydomain according to the ~user/.forward+extension file. On my system, ~/.forward gets labeled as mail_home_t, while ~/.forward+anything files are labeled as user_home_t.

Version-Release number of selected component (if applicable):
postfix-2.7.1-1.fc14.x86_64
selinux-policy-targeted-3.9.7-20.fc14.noarch

Additional info:
I think there should be a boolean to allow user script-handling of incoming mail, and probably the file context rules should be updated to include also .forward+* files.
Miroslav, add

userdom_exec_user_bin_files(postfix_local_t)

and

HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
Fixed in selinux-policy-3.9.7-24.fc14
Miroslav, thanks for the fast response, but is it really fixed? This problem is not even mentioned in the changelog in Koji at http://koji.fedoraproject.org/koji/buildinfo?buildID=214872

I have tried to test it:

# rpm -Uvh selinux-policy-targeted-3.9.7-24.fc14.noarch.rpm selinux-policy-3.9.7-24.fc14.noarch.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy         ########################################### [ 50%]
   2:selinux-policy-targeted########################################### [100%]
# restorecon -R /home/kas
# ls -lZa /home/kas/.forward*
-rw-r--r--. kas staff unconfined_u:object_r:mail_home_t:s0 .forward
-rw-r--r--. kas staff unconfined_u:object_r:user_home_t:s0 .forward+extension
# echo test | mail -s test kas@mydomain
# tail /var/log/maillog
Jan 20 12:17:41 myhost local[12056]: fatal: execvp /home/kas/bin/handle_mail: Permission denied
Jan 20 12:17:42 myhost postfix/local[12055]: CF6E2E03AF: to=<kas@mydomain>, relay=local, delay=0.2, delays=0.13/0.01/0/0.07, dsn=4.3.0, status=deferred (temporary failure. Command output: local: fatal: execvp /home/kas/bin/handle_mail: Permission denied )
# ls -dZ /home/kas /home/kas/bin /home/kas/bin/handle_mail
drwx------. kas staff unconfined_u:object_r:user_home_dir_t:s0 /home/kas
drwxr-xr-x. kas staff unconfined_u:object_r:home_bin_t:s0 /home/kas/bin
-rwx------. kas staff unconfined_u:object_r:home_bin_t:s0 /home/kas/bin/handle_mail
# tail /var/log/audit/audit.log |audit2allow

#============= postfix_local_t ==============
allow postfix_local_t home_bin_t:dir search;
Oops, I apologize. I meant "Fixed in selinux-policy-3.9.7-25.fc14". I will build this release later today.
selinux-policy-3.9.7-25.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-25.fc14
selinux-policy-3.9.7-25.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-25.fc14
selinux-policy{,targeted}-3.9.7-25.fc14 works for me. Again, thanks for fast response!
Please update karma.
Done, assuming I did it correctly. I did not know about Fedora karma system before, so this is the first time I have used fedora-easy-karma. Interesting.
Yes all updates have to wait a week before being pushed but if we get three thumbs up (Karma +1) it can get pushed earlier. Even if we don't get three having a couple makes us feel better about pushing an update. Thanks for testing.
selinux-policy-3.9.7-25.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
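To confirm the relabel after a policy update and restorecon run, the listing can be checked mechanically. The script below is an added example, not part of the original bug report; the function name check_forward_labels and the sample variables are hypothetical, and the input is assumed to be in the five-column ls -lZa layout quoted in the report (file names without spaces).

```shell
#!/bin/sh
# Added example: flag ~/.forward* files whose SELinux type is not mail_home_t.
# Input: ls -lZa lines in the layout shown in this report
#   (mode, user, group, context, name). Other layouts are not handled.

EXPECTED_TYPE="mail_home_t"   # type the report says ~/.forward receives

# Reads ls -lZa output on stdin, prints "name type" for every mislabeled
# .forward* file, and returns 1 if any were found (0 otherwise).
check_forward_labels() {
    awk -v want="$EXPECTED_TYPE" '
        # Only regular files ("-" mode) are covered by the "--" file-context spec.
        $1 ~ /^-/ && NF >= 5 {
            name = $5
            sub(/^.*\//, "", name)        # strip any directory part
            if (name !~ /^\.forward/) next
            split($4, ctx, ":")           # context is user:role:type:level
            if (ctx[3] != want) { print name, ctx[3]; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: the listing quoted in the report, taken with -24.fc14.
SAMPLE_BEFORE='-rw-r--r--. kas staff unconfined_u:object_r:mail_home_t:s0 .forward
-rw-r--r--. kas staff unconfined_u:object_r:user_home_t:s0 .forward+extension'

# Constructed sample: the labels expected once .forward+* files are covered.
SAMPLE_AFTER='-rw-r--r--. kas staff unconfined_u:object_r:mail_home_t:s0 .forward
-rw-r--r--. kas staff unconfined_u:object_r:mail_home_t:s0 .forward+extension'

# Demonstration on the pre-fix listing; the guard keeps the script running
# even though the check reports a mislabeled file.
printf '%s\n' "$SAMPLE_BEFORE" | check_forward_labels || true
```

On a live system the same function can be fed directly from ls -lZa ~/.forward* after restorecon has been run.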