Bug 714184 - boolean allow_postfix_local_write_mail_spool has no effect on postfix local mail delivery
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.7
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Milos Malik

Reported: 2011-06-17 10:50 EDT by Milos Malik
Modified: 2012-10-15 10:28 EDT

Fixed In Version: selinux-policy-2.4.6-330.el5
Doc Type: Bug Fix
Last Closed: 2012-09-12 07:06:40 EDT

Description Milos Malik 2011-06-17 10:50:24 EDT
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-312.el5
selinux-policy-targeted-2.4.6-312.el5

How reproducible:
always

Steps to Reproduce:
* the following automated test should succeed on a RHEL-5.7 machine:
/CoreOS/selinux-policy/Regression/bz530566-postfix-local-mail-delivery
  
Actual results:
* postfix is always able to deliver emails locally

Expected results:
* postfix is able to deliver emails locally if allow_postfix_local_write_mail_spool is on
* postfix is not able to deliver emails locally if allow_postfix_local_write_mail_spool is off
Comment 1 Milos Malik 2011-06-17 10:52:40 EDT
relevant part of the automated test output:

:: [   PASS   ] :: Running 'setenforce 1'
:: [   PASS   ] :: Running 'setsebool allow_postfix_local_write_mail_spool on'
Starting postfix: [  OK  ]
:: [   PASS   ] :: Running 'service postfix start'
:: [   PASS   ] :: Running 'echo test-body-20207 | mail -s test-subject-14644 root@localhost'
:: [   PASS   ] :: Running 'postqueue -f'
Subject: test-subject-14644
:: [   PASS   ] :: Running 'grep -i test-subject-14644 /var/mail/root'
test-body-20207
:: [   PASS   ] :: Running 'grep -i test-body-20207 /var/mail/root'
Shutting down postfix: [  OK  ]
:: [   PASS   ] :: Running 'service postfix stop'
<no matches>
:: [   PASS   ] :: Running 'ausearch -m AVC -ts 06/17/2011 10:39:28 > /tmp/tmp.VbNhx16054'
:: [   PASS   ] :: Running 'cat /tmp/tmp.VbNhx16054'
:: [   PASS   ] :: number of lines in /tmp/tmp.VbNhx16054 should be equal to 0

:: [   PASS   ] :: Running 'setenforce 1'
:: [   PASS   ] :: Running 'setsebool allow_postfix_local_write_mail_spool off'
Starting postfix: [  OK  ]
:: [   PASS   ] :: Running 'service postfix start'
:: [   PASS   ] :: Running 'echo test-body-18370 | mail -s test-subject-2616 root@localhost'
:: [   PASS   ] :: Running 'postqueue -f'
Subject: test-subject-2616
:: [   FAIL   ] :: Running 'grep -i test-subject-2616 /var/mail/root' (Expected 1, got 0)
test-body-18370
:: [   FAIL   ] :: Running 'grep -i test-body-18370 /var/mail/root' (Expected 1, got 0)
Shutting down postfix: [  OK  ]
:: [   PASS   ] :: Running 'service postfix stop'
<no matches>
:: [   PASS   ] :: Running 'ausearch -m AVC -ts 06/17/2011 10:39:38 > /tmp/tmp.VbNhx16054'
:: [   PASS   ] :: Running 'cat /tmp/tmp.VbNhx16054'
:: [   FAIL   ] :: number of lines in /tmp/tmp.VbNhx16054 should be greater than 0 (Assert: "0" should be greater than "0")
Comment 3 Daniel Walsh 2011-06-17 13:41:09 EDT
Do you have the AVCs generated?
Comment 4 Milos Malik 2011-06-20 03:08:50 EDT
No AVCs appeared on RHEL-5.7. If I run the same test on a RHEL-6.1 machine, AVCs appear in the second half of the output.
Comment 5 Miroslav Grepl 2011-06-20 04:10:44 EDT
What does

# sesearch -AC -s postfix_local_t -t mail_spool_t
Comment 6 Milos Malik 2011-06-20 04:24:05 EDT
# sesearch -AC -s postfix_local_t -t mail_spool_t
Found 6 av rules:
   allow postfix_local_t mail_spool_t : file { ioctl read create getattr lock append unlink }; 
   allow postfix_local_t mail_spool_t : dir { ioctl read write getattr lock add_name remove_name search }; 
   allow postfix_local_t mail_spool_t : lnk_file { read create getattr }; 
DT allow postfix_local_t mail_spool_t : file { ioctl read write create getattr setattr lock append unlink link rename }; [ allow_postfix_local_write_mail_spool ]
DT allow postfix_local_t mail_spool_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir }; [ allow_postfix_local_write_mail_spool ]
DT allow postfix_local_t mail_spool_t : lnk_file { read create getattr setattr unlink link rename }; [ allow_postfix_local_write_mail_spool ]

#
Comment 7 Miroslav Grepl 2011-06-20 04:47:15 EDT
What AVC msgs are you getting on RHEL6.1?
Comment 8 Milos Malik 2011-06-20 05:07:11 EDT
The second half of the automated test executed on RHEL-6.1 generates the following AVC:
----
time->Mon Jun 20 05:03:14 2011
type=SYSCALL msg=audit(1308560594.187:38143): arch=80000015 syscall=5 success=no exit=-13 a0=54a45de0 a1=c1 a2=0 a3=6b items=0 ppid=6097 pid=6117 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=12 sgid=0 fsgid=12 tty=(none) ses=1522 comm="local" exe="/usr/libexec/postfix/local" subj=unconfined_u:system_r:postfix_local_t:s0 key=(null)
type=AVC msg=audit(1308560594.187:38143): avc:  denied  { write } for  pid=6117 comm="local" name="root.lock" dev=dm-0 ino=919474 scontext=unconfined_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:mail_spool_t:s0 tclass=file
----

# rpm -qa selinux-policy\*
selinux-policy-doc-3.7.19-93.el6.noarch
selinux-policy-3.7.19-93.el6.noarch
selinux-policy-minimum-3.7.19-93.el6.noarch
selinux-policy-mls-3.7.19-93.el6.noarch
selinux-policy-targeted-3.7.19-93.el6.noarch
#
Comment 9 Miroslav Grepl 2011-06-20 07:20:30 EDT
Strange, I do not see this in your output

Found 6 av rules:
   allow postfix_local_t mail_spool_t : file { ioctl read create getattr lock append unlink }; 
   allow postfix_local_t mail_spool_t : dir { ioctl read write getattr lock add_name remove_name search }; 
   allow postfix_local_t mail_spool_t : lnk_file { read create getattr };
Comment 10 Milos Malik 2011-06-20 08:17:56 EDT
This bug needs a detailed investigation and testing. The fix could bring a regression. Moving to RHEL-5.8.
Comment 13 RHEL Product and Program Management 2012-04-02 07:21:36 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
Comment 15 Miroslav Grepl 2012-07-16 02:41:06 EDT
Milos,
could you look at this one if this problem still persists?
Comment 16 Milos Malik 2012-07-16 07:59:38 EDT
Local mail delivery is blocked in both cases (1. the boolean is on, 2. the boolean is off), which is not correct behaviour. The automated test produces the following AVCs:

----
time->Mon Jul 16 07:51:23 2012
type=SYSCALL msg=audit(1342439483.505:84523): arch=40000003 syscall=5 success=no exit=-13 a0=98eb888 a1=18800 a2=806ff4 a3=98eb870 items=0 ppid=2027 pid=2033 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=8407 comm="qmgr" exe="/usr/libexec/postfix/qmgr" subj=root:system_r:postfix_qmgr_t:s0 key=(null)
type=AVC msg=audit(1342439483.505:84523): avc:  denied  { read } for  pid=2033 comm="qmgr" name="deferred" dev=dm-0 ino=3440649 scontext=root:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
----
time->Mon Jul 16 07:51:39 2012
type=SYSCALL msg=audit(1342439499.402:84526): arch=40000003 syscall=5 success=no exit=-13 a0=9716888 a1=18800 a2=23dff4 a3=9716870 items=0 ppid=2193 pid=2199 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=8407 comm="qmgr" exe="/usr/libexec/postfix/qmgr" subj=root:system_r:postfix_qmgr_t:s0 key=(null)
type=AVC msg=audit(1342439499.402:84526): avc:  denied  { read } for  pid=2199 comm="qmgr" name="deferred" dev=dm-0 ino=3440649 scontext=root:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
----
Comment 17 Milos Malik 2012-07-16 08:01:45 EDT
Seen in permissive mode:
----
time->Mon Jul 16 07:57:11 2012
type=SYSCALL msg=audit(1342439831.495:84548): arch=40000003 syscall=5 success=yes exit=9 a0=81c7890 a1=18800 a2=212ff4 a3=81c7878 items=0 ppid=3916 pid=3922 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=8407 comm="qmgr" exe="/usr/libexec/postfix/qmgr" subj=root:system_r:postfix_qmgr_t:s0 key=(null)
type=AVC msg=audit(1342439831.495:84548): avc:  denied  { read } for  pid=3922 comm="qmgr" name="deferred" dev=dm-0 ino=3440649 scontext=root:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
----
time->Mon Jul 16 07:57:11 2012
type=SYSCALL msg=audit(1342439831.496:84549): arch=40000003 syscall=5 success=yes exit=8 a0=81c7850 a1=18800 a2=212ff4 a3=81c7838 items=0 ppid=3916 pid=3922 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=8407 comm="qmgr" exe="/usr/libexec/postfix/qmgr" subj=root:system_r:postfix_qmgr_t:s0 key=(null)
type=AVC msg=audit(1342439831.496:84549): avc:  denied  { search } for  pid=3922 comm="qmgr" name="deferred" dev=dm-0 ino=3440649 scontext=root:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
----
Comment 18 Miroslav Grepl 2012-07-16 08:07:51 EDT
Could you try it with the latest -329.el5 build?
Comment 20 Miroslav Grepl 2012-07-30 03:27:02 EDT
The latest AVC msgs are fixed in selinux-policy-2.4.6-330.el5
Comment 24 Miroslav Grepl 2012-09-12 07:06:40 EDT
allow_postfix_local_write_mail_spool adds full manage permissions. Without this boolean you get a different set of permissions on mail_spool_t, which is part of the mta_mailserver_delivery() template interface. I am going to close this bug as WONTFIX.
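To make the relationship between the sesearch output in comment 6 and the AVC records in comments 8 and 16 concrete, here is an added Python triage script. It is an editor's example, not code from this bug report, from Red Hat, or from the setools or selinux-policy projects. It embeds the six rule lines and two of the audit records from this thread as constants, parses both, and reports for each denied permission whether the rules grant it under the given boolean state, whether it is gated on a boolean (the write-on-file denial with allow_postfix_local_write_mail_spool off), or whether the queried rule set does not cover the source/target/class triple at all (the qmgr denial, which sesearch for postfix_local_t cannot explain). The ET/DT/EF/DF prefixes are read the way setools prints them: E/D for currently enabled/disabled, T/F for the true/false branch of the conditional. The function and variable names are the example's own.

```python
"""Triage SELinux AVC denials against `sesearch -AC` output.

Added example for this bug thread, not code from Red Hat or setools. The rule
text and audit records below are copied from comments 6, 8 and 16 of the bug
and embedded as constants so the script runs offline.
"""
import re
from collections import namedtuple

# Output of `sesearch -AC -s postfix_local_t -t mail_spool_t` (comment 6).
SESEARCH_OUTPUT = """\
Found 6 av rules:
   allow postfix_local_t mail_spool_t : file { ioctl read create getattr lock append unlink };
   allow postfix_local_t mail_spool_t : dir { ioctl read write getattr lock add_name remove_name search };
   allow postfix_local_t mail_spool_t : lnk_file { read create getattr };
DT allow postfix_local_t mail_spool_t : file { ioctl read write create getattr setattr lock append unlink link rename }; [ allow_postfix_local_write_mail_spool ]
DT allow postfix_local_t mail_spool_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir }; [ allow_postfix_local_write_mail_spool ]
DT allow postfix_local_t mail_spool_t : lnk_file { read create getattr setattr unlink link rename }; [ allow_postfix_local_write_mail_spool ]
"""

# AVC records from comment 8 (RHEL 6.1) and comment 16 (RHEL 5 test run).
AVC_LINES = [
    'type=AVC msg=audit(1308560594.187:38143): avc:  denied  { write } for  pid=6117 comm="local" name="root.lock" dev=dm-0 ino=919474 scontext=unconfined_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:mail_spool_t:s0 tclass=file',
    'type=AVC msg=audit(1342439483.505:84523): avc:  denied  { read } for  pid=2033 comm="qmgr" name="deferred" dev=dm-0 ino=3440649 scontext=root:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir',
]

# setools prefixes conditional rules with E/D (currently enabled/disabled) and
# T/F (true/false branch of the conditional); the boolean name follows in [ ].
RULE_RE = re.compile(
    r'^\s*(?:(?P<cond>[ED][TF])\s+)?allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*'
    r'(?P<cls>\S+)\s*\{(?P<perms>[^}]*)\}\s*;(?:\s*\[\s*(?P<bool>\S+)\s*\])?')
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

# boolean is None for unconditional rules; branch is True when the rule sits in
# the boolean's true branch; enabled is what sesearch observed (E or D).
Rule = namedtuple('Rule', 'src tgt cls perms boolean branch enabled')

def parse_rules(text):
    """Parse sesearch rule lines into Rule records; any other line is skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        cond = m.group('cond')
        rules.append(Rule(m.group('src'), m.group('tgt'), m.group('cls'),
                          frozenset(m.group('perms').split()), m.group('bool'),
                          None if cond is None else cond[1] == 'T',
                          cond is None or cond[0] == 'E'))
    return rules

def rule_active(rule, booleans):
    """Whether the rule is in force; unlisted booleans keep the observed state."""
    if rule.boolean is None:
        return True
    observed = rule.enabled if rule.branch else not rule.enabled
    return booleans.get(rule.boolean, observed) == rule.branch

def granted_perms(rules, src, tgt, cls, booleans):
    """Union of permissions the active rules grant for one (src, tgt, class)."""
    return {p for r in rules
            if (r.src, r.tgt, r.cls) == (src, tgt, cls) and rule_active(r, booleans)
            for p in r.perms}

def context_type(ctx):
    """Type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]

def triage_avc(line, rules, booleans):
    """Classify each denied permission as allowed, gated:<bool> or not covered."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial record: %r' % line)
    src, tgt, cls = (context_type(m.group('scontext')),
                     context_type(m.group('tcontext')), m.group('tclass'))
    granted = granted_perms(rules, src, tgt, cls, booleans)
    verdicts = {}
    for perm in m.group('perms').split():
        gating = sorted({r.boolean for r in rules if r.boolean and perm in r.perms
                         and (r.src, r.tgt, r.cls) == (src, tgt, cls)})
        if perm in granted:
            verdicts[perm] = 'allowed'      # loaded policy must differ from the rules
        elif gating:
            verdicts[perm] = 'gated:' + ','.join(gating)
        else:
            verdicts[perm] = 'not covered'  # no rule either way in this rule set
    return {'source': src, 'target': tgt, 'class': cls, 'perms': verdicts}

if __name__ == '__main__':
    rules = parse_rules(SESEARCH_OUTPUT)
    for state in (False, True):
        for avc in AVC_LINES:
            print(state, triage_avc(avc, rules, {'allow_postfix_local_write_mail_spool': state}))
```

Run against a live system, the rule text would come from `sesearch -AC` for the source and target types named in the denial, and the boolean state from `getsebool`; a "gated" verdict means the denial is the boolean doing its job, while "allowed" means the loaded policy differs from the one sesearch read, which is the kind of mismatch comment 9 is puzzling over.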
