SELinux is preventing /usr/libexec/postfix/master from 'read' accesses on the fifo_file /var/spool/postfix/public/pickup. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that master should be allowed read access on the pickup fifo_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep master /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:postfix_master_t:s0 Target Context system_u:object_r:postfix_spool_t:s0 Target Objects /var/spool/postfix/public/pickup [ fifo_file ] Source master Source Path /usr/libexec/postfix/master Port <Unknown> Host (removed) Source RPM Packages postfix-2.8.3-1.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-32.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen Wed 13 Jul 2011 08:48:32 AM IST Last Seen Wed 13 Jul 2011 08:48:32 AM IST Local ID 80aab5df-1ed5-4b07-a3ec-ca681576932a Raw Audit Messages type=AVC msg=audit(1310527112.976:158): avc: denied { read } for pid=7887 comm="master" name="pickup" dev=sda8 ino=786514 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=fifo_file type=SYSCALL msg=audit(1310527112.976:158): arch=x86_64 syscall=open success=no exit=EACCES a0=7f3b8bc1e260 a1=802 a2=0 a3=7fff18c32a60 items=0 ppid=1 pid=7887 auid=4294967295 uid=0 gid=0 euid=89 suid=0 fsuid=89 egid=89 sgid=0 fsgid=89 tty=(none) ses=4294967295 comm=master exe=/usr/libexec/postfix/master subj=system_u:system_r:postfix_master_t:s0 key=(null) Hash: master,postfix_master_t,postfix_spool_t,fifo_file,read audit2allow #============= postfix_master_t ============== allow postfix_master_t postfix_spool_t:fifo_file read; audit2allow -R #============= postfix_master_t ============== allow postfix_master_t postfix_spool_t:fifo_file read;
/var/spool/postfix/public/pickup is mislabeled. What does # ls -dZ /var/spool/postfix/public # restorecon -R -v /var/spool/postfix/public will fix it.
ls -dZ /var/spool/postfix/public showing this. drwx--x---. postfix postdrop system_u:object_r:postfix_public_t:s0 /var/spool/postfix/public I tried with restorecon -R -v /var/spool/postfix/public Now I got this ELinux is preventing /usr/libexec/postfix/qmgr from add_name access on the directory 7. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that qmgr should be allowed add_name access on the 7 directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep qmgr /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:postfix_qmgr_t:s0 Target Context system_u:object_r:postfix_spool_maildrop_t:s0 Target Objects 7 [ dir ] Source qmgr Source Path /usr/libexec/postfix/qmgr Port <Unknown> Host localhost Source RPM Packages postfix-2.8.3-1.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-32.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost Platform Linux localhost 2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54 UTC 2011 x86_64 x86_64 Alert Count 1 First Seen Wed 13 Jul 2011 07:09:15 PM IST Last Seen Wed 13 Jul 2011 07:09:15 PM IST Local ID 43e292ee-2b29-4410-92c8-4a4c94acfe22 Raw Audit Messages type=AVC msg=audit(1310564355.260:94): avc: denied { add_name } for pid=2821 comm="qmgr" name="7" scontext=system_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir type=SYSCALL msg=audit(1310564355.260:94): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=7fa1cde2b7e0 a1=1c0 a2=ffffffffffffff80 a3=7ffff79c8160 items=0 ppid=1488 pid=2821 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm=qmgr exe=/usr/libexec/postfix/qmgr subj=system_u:system_r:postfix_qmgr_t:s0 key=(null) Hash: qmgr,postfix_qmgr_t,postfix_spool_maildrop_t,dir,add_name audit2allow #============= postfix_qmgr_t ============== allow postfix_qmgr_t postfix_spool_maildrop_t:dir add_name; audit2allow -R #============= postfix_qmgr_t ============== allow postfix_qmgr_t postfix_spool_maildrop_t:dir add_name;
Yes, this is known issue. You can execute # semanage permissive -a postfix_qmgr_t as workaround for now. Will make postfix_qmgr_t domain permissive.
It's driving me crazy each and every minutes sealert appearing. But can't take the risk to disable selinux.
Now I am getting this SELinux is preventing /usr/libexec/postfix/smtpd from search access on the directory /var/lib/mysql. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that smtpd should be allowed search access on the mysql directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep smtpd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:postfix_smtpd_t:s0 Target Context system_u:object_r:mysqld_db_t:s0 Target Objects /var/lib/mysql [ dir ] Source smtpd Source Path /usr/libexec/postfix/smtpd Port <Unknown> Host localhost Source RPM Packages postfix-2.8.3-1.fc15 Target RPM Packages mysql-server-5.5.13-2.fc15 Policy RPM selinux-policy-3.9.16-32.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost Platform Linux localhost 2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54 UTC 2011 x86_64 x86_64 Alert Count 2 First Seen Wed 13 Jul 2011 09:27:20 PM IST Last Seen Wed 13 Jul 2011 09:30:25 PM IST Local ID 982a0741-2118-43d8-97a1-5aa750f29768 Raw Audit Messages type=AVC msg=audit(1310572825.293:289): avc: denied { search } for pid=12021 comm="smtpd" name="mysql" dev=sda8 ino=399311 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir type=SYSCALL msg=audit(1310572825.293:289): arch=x86_64 syscall=connect success=no exit=EACCES a0=11 a1=7fffbf49a6f0 a2=6e a3=7fffbf49a220 items=0 ppid=12016 pid=12021 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm=smtpd exe=/usr/libexec/postfix/smtpd subj=system_u:system_r:postfix_smtpd_t:s0 key=(null) Hash: smtpd,postfix_smtpd_t,mysqld_db_t,dir,search audit2allow #============= postfix_smtpd_t ============== allow postfix_smtpd_t mysqld_db_t:dir search; audit2allow -R #============= postfix_smtpd_t ============== allow postfix_smtpd_t mysqld_db_t:dir search;
Are you mailing something out of mysqld_db_t?
no actually I am setting up postfix for virtual mailbox with mysql
if you execute # semanage permissive -a postfix_smtpd_t which avc msgs are you getting then?
I did after I posted last comment but selinux again pointing on that postfix_qmgr_t so I tried again semanage semanage permissive -a postfix_qmgr_t than again selinux pointing on postfix_smtpd_t after semanage postfix_smtpd_t then again postfix_qmgr_t. Practically it's turning clockwise. I think this is a bug(may be I do not much about linux development and selinux) is there any way to fix it?
Well, this command won't fix it. It makes a domain as permissive domain. So a service will work and we will see avc msgs. Which is what I would like to see.
so what I suppose to do. I am asking because may be I am using fedora since fedora core 8 but i am very much new to hosting or server administration. Can you tell me what should I do know?
trying with semanage permissive -a postfix_t
Fixed in selinux-policy-3.9.16-34.fc15 Please give me your output of # semanage permissive -l |grep postfix
semanage permissive -l |grep postfix /usr/sbin/semanage: SELinux policy is not managed or store cannot be accessed. I have created at least 10 local policies to work with. Till now from tomorrow Sealeart has not shown up yet.
You need to run this command as root su -c 'semanage permissive -l |grep postfix' I am just building a new F15 policy which should fix your issues.
The new packages are available from koji for now http://koji.fedoraproject.org/koji/buildinfo?buildID=252982
Thanks Mirosalv. I really appreciate your help
selinux-policy-3.9.16-34.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-34.fc15
Package selinux-policy-3.9.16-34.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-34.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-34.fc15 then log in and leave karma (feedback).
selinux-policy-3.9.16-34.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.