Bug 682856
| Summary: | When using postsuper to requeue a message, wrong selinux context is applied to /var/spool/postfix/maildrop/$ID | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | David Hill <dhill> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 5.5 | CC: | dwalsh, janfrode, mmalik |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-2.4.6-330.el5 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-01-08 03:31:02 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
David Hill
2011-03-07 19:33:09 UTC
FYI: I'm seeing this same problem on RHEL6 (postfix-2.6.6-2.el6.x86_64, selinux-policy-3.7.19-54.el6_0.3.noarch). Deferred messages are labeled postfix_spool_t, and we get the denial:
avc: denied { getattr } for pid=1249 comm="pickup" path="/var/spool/postfix/maildrop/1C44213E0" dev=dm-2 ino=5088 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
avc: denied { getattr } for pid=1249 comm="pickup" path="/var/spool/postfix/maildrop/1C44213E0" dev=dm-2 ino=5088 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
Running restorecon on the file resets the label to postfix_spool_maildrop_t, and the pickup can pick up the message.
We've reported this as Red Hat support ticket 00432903.
BTW: we didn't notice this from using postsuper to requeue, but when postfix automatically deferred messages because it couldn't relay the message via lmtp to a content-filter (amavisd-new) which was temporarily down.

.. and a possible workaround might be to add "/var/spool/postfix/maildrop/*" to /etc/selinux/restorecond.conf and enable the restorecond service. I think I will do that while waiting for a proper fix.

It seems to be the same problem as in Bug 719261, reassigning to selinux-policy.

Yes, it looks so. This is probably that deferred directory problem we saw in RHEL6.

The bug is not with the selinux policy... It seems to be with the way postsuper handles the files ...

It seems to be the same problem as in RHEL-6 (bug 719261). Postfix uses mv, it is good for performance. I think it should be worked around in selinux as it was in RHEL-6, thus reassigning to selinux-policy.

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.

Fixed in selinux-policy-2.4.6-330.el5

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html
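
Added example, not part of the bug report or of any Red Hat tooling: a shell function that reads AVC denials and lists the maildrop files whose target type is not postfix_spool_maildrop_t, which are the files the restorecon step described in the report relabels. The function names are hypothetical, and the sample lines other than the report's own denial are constructed.

```shell
#!/bin/sh
# Type that restorecon assigns to maildrop files, as stated in the report.
EXPECTED_TYPE="postfix_spool_maildrop_t"
MAILDROP_DIR="/var/spool/postfix/maildrop"

# Reads AVC lines on stdin; prints "path current_type" once per mislabeled file.
# Assumes the path contains no spaces (audit hex-encodes such paths).
mislabeled_maildrop_files() {
    awk -v dir="$MAILDROP_DIR/" -v want="$EXPECTED_TYPE" '
        /avc: +denied/ && /comm="pickup"/ {
            path = ""; type = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^path=/) { path = $i; gsub(/^path="|"$/, "", path) }
                # tcontext is user:role:type:level, so the type is field 3
                if ($i ~ /^tcontext=/) { split($i, c, ":"); type = c[3] }
            }
            if (index(path, dir) == 1 && type != "" && type != want && !seen[path]++)
                print path, type
        }'
}

# Sample input: lines 1-2 are the denial quoted in the report (logged twice),
# lines 3-4 are constructed to show what the filter ignores.
sample_avc_lines() {
    cat <<'EOF'
avc: denied { getattr } for pid=1249 comm="pickup" path="/var/spool/postfix/maildrop/1C44213E0" dev=dm-2 ino=5088 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
avc: denied { getattr } for pid=1249 comm="pickup" path="/var/spool/postfix/maildrop/1C44213E0" dev=dm-2 ino=5088 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
avc: denied { read } for pid=1249 comm="pickup" path="/var/spool/postfix/maildrop/2A00000F1" dev=dm-2 ino=5090 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
avc: denied { getattr } for pid=1300 comm="qmgr" path="/var/spool/postfix/deferred/3B00000A2" dev=dm-2 ino=5091 scontext=system_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
EOF
}

# Demo on the sample. On a real host the input would come from the audit log,
# e.g.: ausearch -m avc -c pickup | mislabeled_maildrop_files
sample_avc_lines | mislabeled_maildrop_files
```

The first column of the output can be passed to `restorecon -v` to relabel only the files that actually triggered a denial.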