Bug 709921 - AVC denial for Postfix proceeses tlsmgr, smtpd & pickup
Summary: AVC denial for Postfix proceeses tlsmgr, smtpd & pickup
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 15
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-06-02 01:25 UTC by thomas
Modified: 2011-06-24 03:54 UTC (History)
1 user (show)

Fixed In Version: selinux-policy-3.9.16-30.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-06-24 03:54:54 UTC


Attachments (Terms of Use)

Description thomas 2011-06-02 01:25:04 UTC
Description of problem:

When starting the postfix service with SELINUX_POLICY=Enforcing, I get the following AVC errors and neither of the 3 processes mentioned in the Summary line are started properly (all need to chroot into /var/spool/postfix, AFIK).

type=SERVICE_START msg=audit(1306977616.097:282): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="postfix" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1306977616.191:283): avc:  denied  { sys_chroot } for  pid=24567 comm="pickup" capability=18  scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:postfix_pickup_t:s0 tclass=capability
type=SYSCALL msg=audit(1306977616.191:283): arch=c000003e syscall=161 success=no exit=-1 a0=7f23a510a100 a1=0 a2=7f23a213b238 a3=7fff9fd91c80 items=0 ppid=24565 pid=24567 auid=4294967295 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=system_u:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1306977620.365:284): avc:  denied  { read } for  pid=24569 comm="smtpd" name="aliases" dev=vda3 ino=528598 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1306977620.365:284): arch=c000003e syscall=4 success=no exit=-13 a0=7fd80ed7cf25 a1=7fffebf92a50 a2=7fffebf92a50 a3=7fffebf927a0 items=0 ppid=24565 pid=24569 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1306977620.369:285): avc:  denied  { read } for  pid=24571 comm="smtpd" name="aliases" dev=vda3 ino=528598 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1306977620.369:285): arch=c000003e syscall=4 success=no exit=-13 a0=7ff1ffe96fd5 a1=7fff2c1be190 a2=7fff2c1be190 a3=7fff2c1bdee0 items=0 ppid=24565 pid=24571 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1306977620.372:286): avc:  denied  { read } for  pid=24570 comm="smtpd" name="aliases" dev=vda3 ino=528598 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1306977620.372:286): arch=c000003e syscall=4 success=no exit=-13 a0=7fb21a6bc015 a1=7fffb7724850 a2=7fffb7724850 a3=7fffb77245a0 items=0 ppid=24565 pid=24570 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1306977620.438:287): avc:  denied  { sys_chroot } for  pid=24574 comm="tlsmgr" capability=18  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability
type=SYSCALL msg=audit(1306977620.438:287): arch=c000003e syscall=161 success=no exit=-1 a0=7f0aa904c100 a1=0 a2=7f0aa5df7238 a3=7fffd4e27760 items=0 ppid=24565 pid=24574 auid=4294967295 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="tlsmgr" exe="/usr/libexec/postfix/tlsmgr" subj=system_u:system_r:postfix_master_t:s0 key=(null)
type=SERVICE_STOP msg=audit(1306977638.534:288): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="postfix" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'


Version-Release number of selected component (if applicable):

# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.9.16-24.fc15.noarch
selinux-policy-3.9.16-24.fc15.noarch

# rpm -qa | grep postfix
postfix-2.8.3-1.fc15.x86_64

How reproducible:

Every time

Steps to Reproduce:
1. Upgraded to Fedora 15 from Fedora 14
2. Started postfix service
3. AVC errors logged
  
Actual results:

 Postfix doesn't fully start up

Expected results:

Functioning Postfix system (x64)

Additional info:
N/A

Comment 1 Miroslav Grepl 2011-06-02 10:33:58 UTC
Fixed in selinux-policy-3.9.16-27.fc15

Comment 2 thomas 2011-06-02 10:45:52 UTC
Is there an ETA for when it will be available in updates-testing?

Comment 3 Miroslav Grepl 2011-06-02 11:03:15 UTC
It will be in updates-testing as soon as selinux-policy-3.9.16-26.fc15 goes from testing to stable.

But I will provide a new build today or tomorrow. Or you can allow it for now using

# grep postfix /var/log/audit/audit.log | audit2allow -M mypostfix
# semodule -i mypostfix.pp

Comment 4 Fedora Update System 2011-06-10 10:50:34 UTC
selinux-policy-3.9.16-29.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-29.fc15

Comment 5 Fedora Update System 2011-06-11 04:29:49 UTC
Package selinux-policy-3.9.16-29.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-29.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-29.fc15
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2011-06-21 17:31:57 UTC
Package selinux-policy-3.9.16-30.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-30.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-30.fc15
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2011-06-24 03:53:23 UTC
selinux-policy-3.9.16-30.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.