Description of problem:
When the MTA is the default postfix, mail to a local user causes an SELinux violation when postfix attempts to write its lockfile.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.9.7-29.fc14.noarch

How reproducible:
every time

Steps to Reproduce:
1. $ mailx -s test <local user>
   test message
   .
   $
2. note SELinux denial within 1 second

Actual results:
SELinux denial

Expected results:
normal email delivery

Additional info:

SELinux is preventing /usr/libexec/postfix/local from write access on the file john.lock.

***** Plugin catchall_boolean (89.3 confidence) suggests *******************

If you want to allow postfix_local domain full write access to mail_spool directories
Then you must tell SELinux about this by enabling the 'allow_postfix_local_write_mail_spool' boolean.
Do
setsebool -P allow_postfix_local_write_mail_spool 1

***** Plugin catchall (11.6 confidence) suggests ***************************

If you believe that local should be allowed write access on the john.lock file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep local /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:postfix_local_t:s0
Target Context                unconfined_u:object_r:mail_spool_t:s0
Target Objects                john.lock [ file ]
Source                        local
Source Path                   /usr/libexec/postfix/local
Port                          <Unknown>
Host                          john.mellor.dyndns.org
Source RPM Packages           postfix-2.7.1-1.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-29.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     john.mellor.dyndns.org
Platform                      Linux john.mellor.dyndns.org 2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 12 Feb 2011 09:51:11 AM EST
Last Seen                     Sat 12 Feb 2011 09:51:11 AM EST
Local ID                      e7798024-13df-412a-8e48-1c88b2e19f09

Raw Audit Messages
type=AVC msg=audit(1297522271.519:97): avc: denied { write } for pid=7066 comm="local" name="john.lock" dev=dm-0 ino=1313543 scontext=unconfined_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:mail_spool_t:s0 tclass=file

type=SYSCALL msg=audit(1297522271.519:97): arch=x86_64 syscall=open success=no exit=EACCES a0=7f4eb8b6bf50 a1=c1 a2=0 a3=1 items=0 ppid=5403 pid=7066 auid=500 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=12 sgid=0 fsgid=12 tty=(none) ses=1 comm=local exe=/usr/libexec/postfix/local subj=unconfined_u:system_r:postfix_local_t:s0 key=(null)

Hash: local,postfix_local_t,mail_spool_t,file,write

audit2allow

#============= postfix_local_t ==============
#!!!! This avc can be allowed using the boolean 'allow_postfix_local_write_mail_spool'
allow postfix_local_t mail_spool_t:file write;

audit2allow -R

#============= postfix_local_t ==============
#!!!! This avc can be allowed using the boolean 'allow_postfix_local_write_mail_spool'
allow postfix_local_t mail_spool_t:file write;
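For anyone triaging this from /var/log/audit/audit.log rather than from sealert, an added example (not part of this report, of postfix or of the selinux-policy package): it parses the two raw audit records quoted above, pairs the AVC record with its SYSCALL record by audit event id, and pulls out the source type, target type, object class and permission, which is exactly the tuple that the 'allow_postfix_local_write_mail_spool' boolean and the generated allow rule are keyed on. The record layout is the standard audit.log format; only the sample lines are taken from this report.

```python
import re
from collections import defaultdict

# Sample input: the two raw audit records quoted in this report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1297522271.519:97): avc: denied { write } for pid=7066 comm="local" name="john.lock" dev=dm-0 ino=1313543 scontext=unconfined_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:mail_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1297522271.519:97): arch=x86_64 syscall=open success=no exit=EACCES a0=7f4eb8b6bf50 a1=c1 a2=0 a3=1 items=0 ppid=5403 pid=7066 auid=500 uid=0 gid=0 euid=500 suid=0 fsuid=500 egid=12 sgid=0 fsgid=12 tty=(none) ses=1 comm=local exe=/usr/libexec/postfix/local subj=unconfined_u:system_r:postfix_local_t:s0 key=(null)
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
AVC_RE = re.compile(r"avc: +(denied|granted) +\{ ([^}]*)\} for (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict; AVC records also get result/perms."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {"type": rtype, "time": float(ts), "serial": int(serial)}
    if rtype == "AVC":
        a = AVC_RE.search(body)
        if not a:
            return None
        rec["result"], rec["perms"], body = a.group(1), a.group(2).split(), a.group(3)
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(body))
    return rec

def selinux_type(context):
    return context.split(":")[2]  # user:role:type[:range]; policy rules name the type

def correlate(log_text):
    """Group records by (timestamp, serial) event id so AVC and SYSCALL lines pair up."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[(rec["time"], rec["serial"])][rec["type"]] = rec
    return [ev for _, ev in sorted(events.items())]

def summarize_denial(event):
    """Flatten one correlated event into the fields sealert and audit2allow key on."""
    avc, sc = event.get("AVC"), event.get("SYSCALL", {})
    if not avc or avc["result"] != "denied":
        return None
    return {
        "source_type": selinux_type(avc["scontext"]),  # postfix_local_t in this report
        "target_type": selinux_type(avc["tcontext"]),  # mail_spool_t
        "tclass": avc["tclass"], "perms": avc["perms"], "name": avc.get("name"),
        "exe": sc.get("exe"), "syscall": sc.get("syscall"), "exit": sc.get("exit"),
        "euid": sc.get("euid"),  # 500 here: local(8) had already switched to the recipient's uid
    }
```

Feeding the whole audit.log to correlate() and filtering summarize_denial() results on source_type == "postfix_local_t" shows whether every denial on the box is this one tuple (covered by the boolean) or something a custom module would have to allow separately.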
Why do you think this is a bug? Sealert tells you what to do.

-----------
***** Plugin catchall_boolean (89.3 confidence) suggests *******************

If you want to allow postfix_local domain full write access to mail_spool directories
Then you must tell SELinux about this by enabling the 'allow_postfix_local_write_mail_spool' boolean.
Do
setsebool -P allow_postfix_local_write_mail_spool 1
-------------
I disagree. You are supposed to have the choice of running sendmail or postfix right out of the box. I should not have to go through SELinux hoops to work around incorrect security settings in between. Installing postfix should run the appropriate SELinux tools to allow it to run properly. It's a postfix packaging bug, plainly.
But is it legitimate to run postfix without it able to write to the mail spool? I have no problem changing the default, as long as the most common setup is to allow it to write to the mail spool.
*** Bug 678744 has been marked as a duplicate of this bug. ***