Bug 720105 - SELinux is preventing /usr/libexec/postfix/qmgr from 'write' accesses on the dossier /var/spool/postfix/deferred/8.
Summary: SELinux is preventing /usr/libexec/postfix/qmgr from 'write' accesses on the ...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:5a74cfac6a5...
: 713908 (view as bug list)
Depends On:
Blocks: 727162
TreeView+ depends on / blocked
 
Reported: 2011-07-09 12:08 UTC by Nicolas Mailhot
Modified: 2011-08-02 18:53 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 727162 (view as bug list)
Environment:
Last Closed: 2011-08-02 18:53:12 UTC
Type: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Mailhot 2011-07-09 12:08:02 UTC 
SELinux is preventing /usr/libexec/postfix/qmgr from 'write' accesses on the dossier /var/spool/postfix/deferred/8.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that qmgr should be allowed write access on the 8 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qmgr /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:postfix_qmgr_t:s0
Target Context                system_u:object_r:postfix_spool_maildrop_t:s0
Target Objects                /var/spool/postfix/deferred/8 [ dir ]
Source                        qmgr
Source Path                   /usr/libexec/postfix/qmgr
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           postfix-2.8.3-1.fc16
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-2.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.0-0.rc5.git0.1.fc16.x86_64 #1
                              SMP Tue Jun 28 04:06:31 UTC 2011 x86_64 x86_64
Alert Count                   118
First Seen                    lun. 04 juil. 2011 10:49:10 CEST
Last Seen                     lun. 04 juil. 2011 16:46:01 CEST
Local ID                      cd40ac75-014f-4d00-8b6c-5f809dc8da01

Raw Audit Messages
type=AVC msg=audit(1309790761.410:16833): avc:  denied  { write } for  pid=21272 comm="qmgr" name="8" dev=dm-1 ino=151244 scontext=system_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir


type=SYSCALL msg=audit(1309790761.410:16833): arch=x86_64 syscall=rename success=no exit=EACCES a0=7fc801d41440 a1=7fc801d420d0 a2=7fc801d44750 a3=7fff41be1b20 items=0 ppid=1481 pid=21272 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm=qmgr exe=/usr/libexec/postfix/qmgr subj=system_u:system_r:postfix_qmgr_t:s0 key=(null)

Hash: qmgr,postfix_qmgr_t,postfix_spool_maildrop_t,dir,write

audit2allow

#============= postfix_qmgr_t ==============
#!!!! The source type 'postfix_qmgr_t' can write to a 'dir' of the following types:
# var_spool_t, var_run_t, postfix_spool_t, tmp_t, postfix_qmgr_tmp_t

allow postfix_qmgr_t postfix_spool_maildrop_t:dir write;

audit2allow -R

#============= postfix_qmgr_t ==============
#!!!! The source type 'postfix_qmgr_t' can write to a 'dir' of the following types:
# var_spool_t, var_run_t, postfix_spool_t, tmp_t, postfix_qmgr_tmp_t

allow postfix_qmgr_t postfix_spool_maildrop_t:dir write;
Comment 1 Daniel Walsh 2011-07-11 21:55:23 UTC 
Fixed in selinux-policy-3.10.0-3.fc16
Comment 2 Daniel Walsh 2011-07-11 22:03:52 UTC 
*** Bug 713908 has been marked as a duplicate of this bug. ***
Comment 3 Joel Uckelman 2011-07-15 18:09:35 UTC 
This is also a problem in Fedora 15. Will this be backported?
Comment 4 Anthony Messina 2011-08-01 00:00:48 UTC 
(In reply to comment #3)
> This is also a problem in Fedora 15. Will this be backported?

Dan or Miroslav, will this fix be applied to F15?  It continues to be a problem which, with the sheer number of AVC denials, is almost like a DOS attack, as the number of deferreals increase, the number of AVCs generated (and emailed) create further deferrals and moreAVCs.
Comment 5 Daniel Walsh 2011-08-02 18:52:26 UTC 
Miroslav can you back port the fix.
Note You need to log in before you can comment on or make changes to this bug.