Description of problem:
Even when trying a trivial sending of a file via /usr/sbin/sendmail I get kicked out (originally I was hit with this when running git-send-email). There doesn't seem to be any SELinux issue, and everything seems to be in default state as per package. When I switch git-send-email to use localhost via port 25, then the message is sent without a problem.

    bradford:~ $ cat xmpp-security.txt |/usr/sbin/sendmail -i mcepl
    sendmail: fatal: chdir /var/spool/postfix: Permission denied
    bradford:~ $ sudo ls -ldZ /var/spool/postfix
    drwxr-xr-x. root root system_u:object_r:postfix_spool_t:s0 /var/spool/postfix
    bradford:~ $ sudo ausearch -m AVC -ts recent
    bradford:~ $ id -Z
    staff_u:staff_r:staff_t:s0-s0:c0.c1023
    bradford:~ $

Also:

    bradford:~# rpm -V postfix
    5S.T..... c /etc/postfix/access
    5S.T..... c /etc/postfix/header_checks
    5S.T..... c /etc/postfix/main.cf
    5S.T..... c /etc/postfix/master.cf
    5S.T..... c /etc/postfix/transport
    5S.T..... c /etc/postfix/virtual
    bradford:~# postconf -n
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    biff = no
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    debug_peer_level = 4
    default_destination_concurrency_limit = 200
    default_destination_recipient_limit = 1000
    html_directory = no
    inet_interfaces = loopback-only
    inet_protocols = ipv4
    mail_owner = postfix
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    mydestination = $myhostname, localhost.$mydomain, localhost
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.8.3/README_FILES
    recipient_delimiter = +
    relayhost = smtp.o2isp.cz
    sample_directory = /usr/share/doc/postfix-2.8.3/samples
    sender_canonical_maps = hash:/etc/postfix/sender_canonical
    sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relayhost
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
    smtp_sasl_security_options =
    transport_maps = hash:/etc/postfix/transport
    unknown_local_recipient_reject_code = 550
    virtual_alias_maps = hash:/etc/postfix/virtual
    bradford:~#

Version-Release number of selected component (if applicable):
postfix-2.8.3-1.fc15.x86_64

How reproducible:
100%

Steps to Reproduce:
1. see above
2.
3.

Actual results:
mail is not sent

Expected results:
it should be

Additional info:
It is working on default F15 install with unconfined_u user. But it doesn't work with the staff_u user. It seems not to emit AVC in the enforcing mode. But I got the AVC in permissive mode by:

    # setenforce 0
    $ id -Z
    staff_u:staff_r:staff_t:s0-s0:c0.c1023
    $ echo test | /usr/bin/sendmail -i jskarvad
    # ausearch -m AVC -ts recent
    ---
    type=SYSCALL msg=audit(1308573783.738:119): arch=c000003e syscall=5 success=yes exit=0 a0=0 a1=7fff7636af30 a2=7fff7636af30 a3=7fff7636ac80 items=0 ppid=3080 pid=3081 auid=502 uid=502 gid=503 euid=502 suid=502 fsuid=502 egid=90 sgid=90 fsgid=90 tty=tty2 ses=2 comm="postdrop" exe="/usr/sbin/postdrop" subj=staff_u:staff_r:postfix_postdrop_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(1308573783.738:119): avc: denied { getattr } for pid=3081 comm="postdrop" path="socket:[38850]" dev=sockfs ino=38850 scontext=staff_u:staff_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket
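Added example (not from the bug report or from the Fedora/postfix packages): a small POSIX sh helper that reads "avc: denied" records like the one above and prints the type-enforcement allow rule that would cover each of them, the same shape audit2allow emits, so you can see which policy change a denial actually asks for before allowing it. The sample record is the AVC quoted in this comment; the second, multi-permission record in the test is constructed.

```shell
#!/bin/sh
# Sample input: the AVC record quoted in the comment above (copied verbatim).
SAMPLE_AVC='type=AVC msg=audit(1308573783.738:119): avc: denied { getattr } for pid=3081 comm="postdrop" path="socket:[38850]" dev=sockfs ino=38850 scontext=staff_u:staff_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket'

# avc_field KEY LINE: print the value of KEY=value in an audit line (empty if absent).
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\([^ ]*\).*/\1/p"
}

# avc_to_allow LINE: turn one "avc: denied" record into the TE allow rule that
# would cover it. Source and target types are the third colon-separated field
# of scontext/tcontext; the MLS range after them is dropped. Returns 1 for
# anything that is not a denial record (e.g. the paired SYSCALL line).
avc_to_allow() {
    line=$1
    case $line in
        *'avc: denied'*) ;;
        *) return 1 ;;
    esac
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p')
    set -- $perms                                     # word-split to normalise spacing
    perms=$*
    case $perms in *' '*) perms="{ $perms }" ;; esac  # several permissions -> braces
    stype=$(avc_field scontext "$line" | cut -d: -f3)
    ttype=$(avc_field tcontext "$line" | cut -d: -f3)
    tclass=$(avc_field tclass "$line")
    [ -n "$stype" ] && [ -n "$ttype" ] && [ -n "$tclass" ] && [ -n "$perms" ] || return 1
    printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$tclass" "$perms"
}

# avc_rules_from_log < FILE: distinct allow rules for every denial in a log
# (e.g. saved "ausearch -m AVC" output), so repeated denials collapse to one line.
avc_rules_from_log() {
    while IFS= read -r rec; do
        avc_to_allow "$rec" || true
    done | sort -u
}

avc_to_allow "$SAMPLE_AVC"
```

Compare the rule printed for the record above with what the installed policy already grants (sesearch -A -s postfix_postdrop_t -t staff_t -c unix_stream_socket) to confirm the denial is a policy gap rather than a mislabelled file.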
CCed SELinux guys to get their opinion.
I have no problem allowing this. I am surprised it is happening. Does bash create a unix_stream_socket for the pipe from echo to sendmail? If you put the machine into permissive mode or postfix_postdrop_t into permissive mode, does it generate additional AVC messages?