Summary:

SELinux is preventing /usr/libexec/postfix/pickup "module_request" access on <Unknown>.

Detailed Description:

SELinux denied access requested by pickup. The current boolean settings do not allow this access. If you have not setup pickup to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access.

Allowing Access:

Confined processes can be configured to run requiring different access, SELinux provides booleans to allow you to turn on/off access as needed. The boolean domain_kernel_load_modules is set incorrectly.

Boolean Description: Allow all domains to have the kernel load modules

Fix Command:

# setsebool -P domain_kernel_load_modules 1

Additional Information:

Source Context         system_u:system_r:postfix_pickup_t:s0
Target Context         system_u:system_r:kernel_t:s0
Target Objects         None [ system ]
Source                 pickup
Source Path            /usr/libexec/postfix/pickup
Port                   <Unknown>
Host                   colder-el6
Source RPM Packages    postfix-2.6.6-2.el6
Target RPM Packages
Policy RPM             selinux-policy-3.7.19-54.el6_0.3
Selinux Enabled        True
Policy Type            targeted
Enforcing Mode         Enforcing
Plugin Name            catchall_boolean
Host Name              colder-el6
Platform               Linux colder-el6 2.6.32-71.14.1.el6.x86_64 #1 SMP Wed Jan 5 17:01:01 EST 2011 x86_64 x86_64
Alert Count            9
First Seen             Wed 02 Feb 2011 09:55:46 PM MSK
Last Seen              Thu 03 Feb 2011 11:15:46 AM MSK
Local ID               e56ddddd-cfbb-44d4-b8ca-3e7f999b7a66
Line Numbers

Raw Audit Messages

node=colder-el6 type=AVC msg=audit(1296720946.530:34611): avc: denied { module_request } for pid=26925 comm="pickup" kmod="net-pf-10" scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

node=colder-el6 type=SYSCALL msg=audit(1296720946.530:34611): arch=c000003e syscall=41 success=no exit=-97 a0=a a1=1 a2=0 a3=7fffb3493940 items=0 ppid=1949 pid=26925 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=system_u:system_r:postfix_pickup_t:s0 key=(null)

This bug happens if IPv6 support is disabled. It was already fixed in Fedora 13 (Bug 527936) - probably needs backporting to RHEL6.
There is no fix for this currently. There is a new version of setroubleshoot that ignores this error. Could you look at https://bugzilla.redhat.com/show_bug.cgi?id=641836 and see if this solution works for you?
Yes, this workaround works, however it would be much better to have this warning fixed specifically for the ipv6 module, and not for all modules. Anyway, I did not realise this package has the same maintainer for RHEL and Fedora and wanted to inform you, seeing as this problem was already closed in Fedora. I will wait for setroubleshoot to be updated then. I'm not sure what to do with this bug now. Should I mark it as duplicate?
No, the Fedora setroubleshoot will be backported to RHEL6.2.
Fixed in setroubleshoot-3.0.31-1.el6
Clearing qa_ack, setroubleshoot has been removed from 6.2 approved list.
Seeing this kind of error for sshd, puppetmaster et al. after disabling IPV6 according to the following steps: https://access.redhat.com/kb/docs/DOC-8711 Do I understand it correctly that the fix is on the way to RHEL6.2? Otherwise, it would be nice to update this KB article. Thanks!
BTW I recently blogged on this issue. http://danwalsh.livejournal.com/47118.html
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1509.html
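
Added example, not part of the bug report and not setroubleshoot's own code: a triage script that separates the IPv6-disabled denial discussed in this thread from other module_request denials, without touching the domain_kernel_load_modules boolean. It pairs each AVC record with its SYSCALL record by audit event id and only labels a denial "ipv6-disabled" when kmod is net-pf-10 and the syscall is socket() with family 10 returning -97 (EAFNOSUPPORT); the function names, the verdict labels and the third sample record are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC/SYSCALL pair from the report (SYSCALL abridged)
# plus one made-up denial for a different module to show the other branch.
SAMPLE = """\
node=colder-el6 type=AVC msg=audit(1296720946.530:34611): avc: denied { module_request } for pid=26925 comm="pickup" kmod="net-pf-10" scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
node=colder-el6 type=SYSCALL msg=audit(1296720946.530:34611): arch=c000003e syscall=41 success=no exit=-97 a0=a a1=1 a2=0 pid=26925 comm="pickup" exe="/usr/libexec/postfix/pickup"
node=example type=AVC msg=audit(1296720999.100:34700): avc: denied { module_request } for pid=300 comm="exampled" kmod="example-mod" scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
"""

EVENT = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'\{ ([^}]*) \}')
AF_INET6 = 10         # "net-pf-10" is the module alias for protocol family 10
SYS_SOCKET = "41"     # socket(2) on x86_64 (arch=c000003e)
EAFNOSUPPORT = "-97"  # socket() result when the address family is unavailable

def parse(log):
    """Group audit records by event id: {id: {record type: fields}}."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = EVENT.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
            fields["perms"] = " ".join(PERMS.findall(line)).split()
            events[m.group(2)][m.group(1)] = fields
    return events

def verdict(avc, sc):
    """'ipv6-disabled' only when the syscall record corroborates the kmod."""
    ipv6_socket = (sc.get("arch") == "c000003e" and sc.get("syscall") == SYS_SOCKET
                   and int(sc.get("a0", "0"), 16) == AF_INET6
                   and sc.get("exit") == EAFNOSUPPORT)
    if avc["kmod"] == f"net-pf-{AF_INET6}" and ipv6_socket:
        return "ipv6-disabled"
    return "review"

def triage(log):
    """Return {event id: (comm, kmod, verdict)} for module_request denials."""
    out = {}
    for eid, recs in parse(log).items():
        avc = recs.get("AVC")
        if avc and "module_request" in avc["perms"] and "kmod" in avc:
            out[eid] = (avc["comm"], avc["kmod"], verdict(avc, recs.get("SYSCALL", {})))
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Denials that come back as "review" are module requests for something other than the IPv6 protocol family, or ones with no matching SYSCALL record, and are the ones worth reading by hand.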