Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-312.el5
selinux-policy-targeted-2.4.6-312.el5

How reproducible:
always

Steps to Reproduce:
* following automated test should succeed on RHEL-5.7 machine:
  /CoreOS/selinux-policy/Regression/bz530566-postfix-local-mail-delivery

Actual results:
* postfix is always able to deliver emails locally

Expected results:
* postfix is able to deliver emails locally if allow_postfix_local_write_mail_spool is on
* postfix is not able to deliver emails locally if allow_postfix_local_write_mail_spool is off
relevant part of the automated test output:

:: [ PASS ] :: Running 'setenforce 1'
:: [ PASS ] :: Running 'setsebool allow_postfix_local_write_mail_spool on'
Starting postfix: [ OK ]
:: [ PASS ] :: Running 'service postfix start'
:: [ PASS ] :: Running 'echo test-body-20207 | mail -s test-subject-14644 root@localhost'
:: [ PASS ] :: Running 'postqueue -f'
Subject: test-subject-14644
:: [ PASS ] :: Running 'grep -i test-subject-14644 /var/mail/root'
test-body-20207
:: [ PASS ] :: Running 'grep -i test-body-20207 /var/mail/root'
Shutting down postfix: [ OK ]
:: [ PASS ] :: Running 'service postfix stop'
<no matches>
:: [ PASS ] :: Running 'ausearch -m AVC -ts 06/17/2011 10:39:28 > /tmp/tmp.VbNhx16054'
:: [ PASS ] :: Running 'cat /tmp/tmp.VbNhx16054'
:: [ PASS ] :: number of lines in /tmp/tmp.VbNhx16054 should be equal to 0
:: [ PASS ] :: Running 'setenforce 1'
:: [ PASS ] :: Running 'setsebool allow_postfix_local_write_mail_spool off'
Starting postfix: [ OK ]
:: [ PASS ] :: Running 'service postfix start'
:: [ PASS ] :: Running 'echo test-body-18370 | mail -s test-subject-2616 root@localhost'
:: [ PASS ] :: Running 'postqueue -f'
Subject: test-subject-2616
:: [ FAIL ] :: Running 'grep -i test-subject-2616 /var/mail/root' (Expected 1, got 0)
test-body-18370
:: [ FAIL ] :: Running 'grep -i test-body-18370 /var/mail/root' (Expected 1, got 0)
Shutting down postfix: [ OK ]
:: [ PASS ] :: Running 'service postfix stop'
<no matches>
:: [ PASS ] :: Running 'ausearch -m AVC -ts 06/17/2011 10:39:38 > /tmp/tmp.VbNhx16054'
:: [ PASS ] :: Running 'cat /tmp/tmp.VbNhx16054'
:: [ FAIL ] :: number of lines in /tmp/tmp.VbNhx16054 should be greater than 0 (Assert: "0" should be greater than "0")
Do you have the AVC's generated?
No AVCs appeared on RHEL-5.7. If I run the same test on RHEL-6.1 machine AVCs appear in the second half of the output.
What does # sesearch -AC -s postfix_local_t -t mail_spool_t
# sesearch -AC -s postfix_local_t -t mail_spool_t
Found 6 av rules:
allow postfix_local_t mail_spool_t : file { ioctl read create getattr lock append unlink };
allow postfix_local_t mail_spool_t : dir { ioctl read write getattr lock add_name remove_name search };
allow postfix_local_t mail_spool_t : lnk_file { read create getattr };
DT allow postfix_local_t mail_spool_t : file { ioctl read write create getattr setattr lock append unlink link rename }; [ allow_postfix_local_write_mail_spool ]
DT allow postfix_local_t mail_spool_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir }; [ allow_postfix_local_write_mail_spool ]
DT allow postfix_local_t mail_spool_t : lnk_file { read create getattr setattr unlink link rename }; [ allow_postfix_local_write_mail_spool ]
#
What AVC msgs are you getting on RHEL6.1?
The second half of the automated test executed on RHEL-6.1 generates the following AVC:

----
time->Mon Jun 20 05:03:14 2011
type=SYSCALL msg=audit(1308560594.187:38143): arch=80000015 syscall=5 success=no exit=-13 a0=54a45de0 a1=c1 a2=0 a3=6b items=0 ppid=6097 pid=6117 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=12 sgid=0 fsgid=12 tty=(none) ses=1522 comm="local" exe="/usr/libexec/postfix/local" subj=unconfined_u:system_r:postfix_local_t:s0 key=(null)
type=AVC msg=audit(1308560594.187:38143): avc: denied { write } for pid=6117 comm="local" name="root.lock" dev=dm-0 ino=919474 scontext=unconfined_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:mail_spool_t:s0 tclass=file
----

# rpm -qa selinux-policy\*
selinux-policy-doc-3.7.19-93.el6.noarch
selinux-policy-3.7.19-93.el6.noarch
selinux-policy-minimum-3.7.19-93.el6.noarch
selinux-policy-mls-3.7.19-93.el6.noarch
selinux-policy-targeted-3.7.19-93.el6.noarch
#
Strange, I do not see this in your output

Found 6 av rules:
allow postfix_local_t mail_spool_t : file { ioctl read create getattr lock append unlink };
allow postfix_local_t mail_spool_t : dir { ioctl read write getattr lock add_name remove_name search };
allow postfix_local_t mail_spool_t : lnk_file { read create getattr };
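The two comments above do by hand what an AVC triage usually comes down to: take the denied permission, source type, target type and object class from the audit record, and look for it in the `sesearch -AC` listing to see whether an unconditional rule grants it, a boolean-gated rule grants it, or no rule exists at all. The following is an added example written for this page, not code from the bug report or from the selinux-policy package. The AVC strings and the sesearch text are constructed from the records quoted in this thread; the reading of the `DT`/`ET` prefix as the setools-3 `sesearch -C` convention (E/D = rule currently enabled/disabled, T/F = true/false branch of the conditional) is an assumption stated in the code.

```python
"""Triage an SELinux AVC denial against `sesearch -AC` output.

Added example (not from the bug report or the selinux-policy project).
For each denied permission it reports whether the listing grants it
unconditionally, only under a boolean (and whether that boolean is on),
or not at all.  An 'allowed' verdict means the AVC and the sesearch
output cannot come from the same loaded policy.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the RHEL-6.1 AVC quoted in this thread.
AVC_LOCAL = (
    'type=AVC msg=audit(1308560594.187:38143): avc: denied { write } for '
    'pid=6117 comm="local" name="root.lock" dev=dm-0 ino=919474 '
    'scontext=unconfined_u:system_r:postfix_local_t:s0 '
    'tcontext=unconfined_u:object_r:mail_spool_t:s0 tclass=file'
)

# Constructed from the later qmgr AVC in this thread (a different type pair).
AVC_QMGR = (
    'type=AVC msg=audit(1342439483.505:84523): avc: denied { read } for '
    'pid=2033 comm="qmgr" name="deferred" dev=dm-0 ino=3440649 '
    'scontext=root:system_r:postfix_qmgr_t:s0 '
    'tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir'
)

# Constructed from the `sesearch -AC -s postfix_local_t -t mail_spool_t`
# output quoted in this thread for RHEL-5.7.
SESEARCH_OUTPUT = """\
Found 6 av rules:
allow postfix_local_t mail_spool_t : file { ioctl read create getattr lock append unlink };
allow postfix_local_t mail_spool_t : dir { ioctl read write getattr lock add_name remove_name search };
allow postfix_local_t mail_spool_t : lnk_file { read create getattr };
DT allow postfix_local_t mail_spool_t : file { ioctl read write create getattr setattr lock append unlink link rename }; [ allow_postfix_local_write_mail_spool ]
DT allow postfix_local_t mail_spool_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir }; [ allow_postfix_local_write_mail_spool ]
DT allow postfix_local_t mail_spool_t : lnk_file { read create getattr setattr unlink link rename }; [ allow_postfix_local_write_mail_spool ]
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<cls>\S+)"
)

# Assumption: setools-3 `sesearch -C` prefixes conditional rules with two
# letters, E/D = currently Enabled/Disabled, T/F = true/false branch, and
# appends the conditional expression in brackets.
RULE_RE = re.compile(
    r"^(?:(?P<flag>[ED][TF])\s+)?allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*"
    r"(?P<cls>\S+)\s*\{(?P<perms>[^}]*)\}\s*;"
    r"(?:\s*\[\s*(?P<cond>.+?)\s*\])?\s*$"
)

Verdict = Tuple[str, Optional[str], bool]  # (kind, boolean expression, granted now)


def parse_avc(line: str) -> Dict[str, object]:
    """Extract the denied permissions, source/target types and object class."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record")
    # A context is user:role:type[:level]; the type is the third field.
    return {
        "perms": set(m.group("perms").split()),
        "stype": m.group("scon").split(":")[2],
        "ttype": m.group("tcon").split(":")[2],
        "tclass": m.group("cls"),
    }


def parse_sesearch(text: str) -> List[Dict[str, object]]:
    """Turn sesearch lines into rule dicts; headers and prompts are skipped."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue
        flag = m.group("flag")
        rules.append({
            "src": m.group("src"), "tgt": m.group("tgt"), "cls": m.group("cls"),
            "perms": set(m.group("perms").split()),
            "cond": m.group("cond"),               # None for unconditional rules
            "enabled": flag is None or flag[0] == "E",
        })
    return rules


def triage(avc_line: str, sesearch_text: str) -> Dict[str, Verdict]:
    """Map each denied permission to ('allowed'|'conditional'|'missing', expr, granted)."""
    avc = parse_avc(avc_line)
    key = (avc["stype"], avc["ttype"], avc["tclass"])
    rules = [r for r in parse_sesearch(sesearch_text)
             if (r["src"], r["tgt"], r["cls"]) == key]
    verdict: Dict[str, Verdict] = {}
    for perm in sorted(avc["perms"]):
        verdict[perm] = ("missing", None, False)
        for r in rules:
            if perm not in r["perms"]:
                continue
            if r["cond"] is None:
                verdict[perm] = ("allowed", None, True)
                break                              # an unconditional rule settles it
            verdict[perm] = ("conditional", r["cond"], r["enabled"])
    return verdict


if __name__ == "__main__":
    for name, line in (("local", AVC_LOCAL), ("qmgr", AVC_QMGR)):
        for perm, (kind, cond, granted) in triage(line, SESEARCH_OUTPUT).items():
            state = f" on [{cond}] (currently {'on' if granted else 'off'})" if cond else ""
            print(f"{name}: {{ {perm} }} -> {kind}{state}")
```

Run against the records quoted above it reports the `local` write on `mail_spool_t:file` as conditional on `allow_postfix_local_write_mail_spool`, currently off, which is what the thread expects with the boolean off; the `qmgr` read on `postfix_spool_maildrop_t:dir` comes back as missing, because the listing was requested for a different source/target pair and a new `sesearch` for `postfix_qmgr_t`/`postfix_spool_maildrop_t` would be needed before drawing a conclusion.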
This bug needs a detailed investigation and testing. The fix could bring a regression. Moving to RHEL-5.8.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
Milos, could you look at this one if this problem still persists?
Local mail delivery is blocked in both cases (1. the boolean is on, 2. the boolean is off), which is not a correct behaviour. The automated test produces the following AVCs:

----
time->Mon Jul 16 07:51:23 2012
type=SYSCALL msg=audit(1342439483.505:84523): arch=40000003 syscall=5 success=no exit=-13 a0=98eb888 a1=18800 a2=806ff4 a3=98eb870 items=0 ppid=2027 pid=2033 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=8407 comm="qmgr" exe="/usr/libexec/postfix/qmgr" subj=root:system_r:postfix_qmgr_t:s0 key=(null)
type=AVC msg=audit(1342439483.505:84523): avc: denied { read } for pid=2033 comm="qmgr" name="deferred" dev=dm-0 ino=3440649 scontext=root:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
----
time->Mon Jul 16 07:51:39 2012
type=SYSCALL msg=audit(1342439499.402:84526): arch=40000003 syscall=5 success=no exit=-13 a0=9716888 a1=18800 a2=23dff4 a3=9716870 items=0 ppid=2193 pid=2199 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=8407 comm="qmgr" exe="/usr/libexec/postfix/qmgr" subj=root:system_r:postfix_qmgr_t:s0 key=(null)
type=AVC msg=audit(1342439499.402:84526): avc: denied { read } for pid=2199 comm="qmgr" name="deferred" dev=dm-0 ino=3440649 scontext=root:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
----
Seen in permissive mode:

----
time->Mon Jul 16 07:57:11 2012
type=SYSCALL msg=audit(1342439831.495:84548): arch=40000003 syscall=5 success=yes exit=9 a0=81c7890 a1=18800 a2=212ff4 a3=81c7878 items=0 ppid=3916 pid=3922 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=8407 comm="qmgr" exe="/usr/libexec/postfix/qmgr" subj=root:system_r:postfix_qmgr_t:s0 key=(null)
type=AVC msg=audit(1342439831.495:84548): avc: denied { read } for pid=3922 comm="qmgr" name="deferred" dev=dm-0 ino=3440649 scontext=root:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
----
time->Mon Jul 16 07:57:11 2012
type=SYSCALL msg=audit(1342439831.496:84549): arch=40000003 syscall=5 success=yes exit=8 a0=81c7850 a1=18800 a2=212ff4 a3=81c7838 items=0 ppid=3916 pid=3922 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=8407 comm="qmgr" exe="/usr/libexec/postfix/qmgr" subj=root:system_r:postfix_qmgr_t:s0 key=(null)
type=AVC msg=audit(1342439831.496:84549): avc: denied { search } for pid=3922 comm="qmgr" name="deferred" dev=dm-0 ino=3440649 scontext=root:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
----
Could you try it with the latest -329.el5 build.
The latest AVC msgs are fixed in selinux-policy-2.4.6-330.el5
allow_postfix_local_write_mail_spool adds full manage permissions. Without this boolean you get a different set of permissions on mail_spool_t, which is a part of the mta_mailserver_delivery() template interface. I am going to close this bug as WONTFIX.