Bug 720869 - SELinux is preventing /usr/libexec/postfix/master from 'read' accesses on the fifo_file /var/spool/postfix/public/pickup.
Summary: SELinux is preventing /usr/libexec/postfix/master from 'read' accesses on the...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:36a4a94679b...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-07-13 03:27 UTC by DAKSH
Modified: 2011-07-18 22:32 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.9.16-34.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-07-18 22:32:33 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description DAKSH 2011-07-13 03:27:06 UTC
SELinux is preventing /usr/libexec/postfix/master from 'read' accesses on the fifo_file /var/spool/postfix/public/pickup.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that master should be allowed read access on the pickup fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep master /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:postfix_master_t:s0
Target Context                system_u:object_r:postfix_spool_t:s0
Target Objects                /var/spool/postfix/public/pickup [ fifo_file ]
Source                        master
Source Path                   /usr/libexec/postfix/master
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           postfix-2.8.3-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-32.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.8-35.fc15.x86_64 #1 SMP Wed
                              Jul 6 13:58:54 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 13 Jul 2011 08:48:32 AM IST
Last Seen                     Wed 13 Jul 2011 08:48:32 AM IST
Local ID                      80aab5df-1ed5-4b07-a3ec-ca681576932a

Raw Audit Messages
type=AVC msg=audit(1310527112.976:158): avc:  denied  { read } for  pid=7887 comm="master" name="pickup" dev=sda8 ino=786514 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=fifo_file


type=SYSCALL msg=audit(1310527112.976:158): arch=x86_64 syscall=open success=no exit=EACCES a0=7f3b8bc1e260 a1=802 a2=0 a3=7fff18c32a60 items=0 ppid=1 pid=7887 auid=4294967295 uid=0 gid=0 euid=89 suid=0 fsuid=89 egid=89 sgid=0 fsgid=89 tty=(none) ses=4294967295 comm=master exe=/usr/libexec/postfix/master subj=system_u:system_r:postfix_master_t:s0 key=(null)

Hash: master,postfix_master_t,postfix_spool_t,fifo_file,read

audit2allow

#============= postfix_master_t ==============
allow postfix_master_t postfix_spool_t:fifo_file read;

audit2allow -R

#============= postfix_master_t ==============
allow postfix_master_t postfix_spool_t:fifo_file read;

Comment 1 Miroslav Grepl 2011-07-13 10:03:20 UTC
/var/spool/postfix/public/pickup is mislabeled. What does

# ls -dZ /var/spool/postfix/public



# restorecon -R -v /var/spool/postfix/public

will fix it.

Comment 2 DAKSH 2011-07-13 13:47:40 UTC
ls -dZ /var/spool/postfix/public showing this.
drwx--x---. postfix postdrop system_u:object_r:postfix_public_t:s0 /var/spool/postfix/public

I tried with restorecon -R -v /var/spool/postfix/public

Now I got this


ELinux is preventing /usr/libexec/postfix/qmgr from add_name access on the directory 7.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that qmgr should be allowed add_name access on the 7 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qmgr /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:postfix_qmgr_t:s0
Target Context                system_u:object_r:postfix_spool_maildrop_t:s0
Target Objects                7 [ dir ]
Source                        qmgr
Source Path                   /usr/libexec/postfix/qmgr
Port                          <Unknown>
Host                          localhost
Source RPM Packages           postfix-2.8.3-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-32.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 2.6.38.8-35.fc15.x86_64 #1 SMP Wed
                              Jul 6 13:58:54 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 13 Jul 2011 07:09:15 PM IST
Last Seen                     Wed 13 Jul 2011 07:09:15 PM IST
Local ID                      43e292ee-2b29-4410-92c8-4a4c94acfe22

Raw Audit Messages
type=AVC msg=audit(1310564355.260:94): avc:  denied  { add_name } for  pid=2821 comm="qmgr" name="7" scontext=system_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir


type=SYSCALL msg=audit(1310564355.260:94): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=7fa1cde2b7e0 a1=1c0 a2=ffffffffffffff80 a3=7ffff79c8160 items=0 ppid=1488 pid=2821 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm=qmgr exe=/usr/libexec/postfix/qmgr subj=system_u:system_r:postfix_qmgr_t:s0 key=(null)

Hash: qmgr,postfix_qmgr_t,postfix_spool_maildrop_t,dir,add_name

audit2allow

#============= postfix_qmgr_t ==============
allow postfix_qmgr_t postfix_spool_maildrop_t:dir add_name;

audit2allow -R

#============= postfix_qmgr_t ==============
allow postfix_qmgr_t postfix_spool_maildrop_t:dir add_name;

Comment 3 Miroslav Grepl 2011-07-13 14:04:59 UTC
Yes, this is known issue.

You can execute

# semanage permissive -a postfix_qmgr_t

as workaround for now. Will make postfix_qmgr_t domain permissive.

Comment 4 DAKSH 2011-07-13 15:25:02 UTC
It's driving me crazy each and every minutes sealert appearing. But can't take the risk to disable selinux.

Comment 5 DAKSH 2011-07-13 16:08:05 UTC
Now I am getting this 

SELinux is preventing /usr/libexec/postfix/smtpd from search access on the directory /var/lib/mysql.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that smtpd should be allowed search access on the mysql directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep smtpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:postfix_smtpd_t:s0
Target Context                system_u:object_r:mysqld_db_t:s0
Target Objects                /var/lib/mysql [ dir ]
Source                        smtpd
Source Path                   /usr/libexec/postfix/smtpd
Port                          <Unknown>
Host                          localhost
Source RPM Packages           postfix-2.8.3-1.fc15
Target RPM Packages           mysql-server-5.5.13-2.fc15
Policy RPM                    selinux-policy-3.9.16-32.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 2.6.38.8-35.fc15.x86_64 #1 SMP Wed
                              Jul 6 13:58:54 UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 13 Jul 2011 09:27:20 PM IST
Last Seen                     Wed 13 Jul 2011 09:30:25 PM IST
Local ID                      982a0741-2118-43d8-97a1-5aa750f29768

Raw Audit Messages
type=AVC msg=audit(1310572825.293:289): avc:  denied  { search } for  pid=12021 comm="smtpd" name="mysql" dev=sda8 ino=399311 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir


type=SYSCALL msg=audit(1310572825.293:289): arch=x86_64 syscall=connect success=no exit=EACCES a0=11 a1=7fffbf49a6f0 a2=6e a3=7fffbf49a220 items=0 ppid=12016 pid=12021 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm=smtpd exe=/usr/libexec/postfix/smtpd subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)

Hash: smtpd,postfix_smtpd_t,mysqld_db_t,dir,search

audit2allow

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t mysqld_db_t:dir search;

audit2allow -R

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t mysqld_db_t:dir search;

Comment 6 Daniel Walsh 2011-07-13 17:58:31 UTC
Are you mailing something out of mysqld_db_t?

Comment 7 DAKSH 2011-07-13 18:13:25 UTC
no actually I am setting up postfix for virtual mailbox with mysql

Comment 8 Miroslav Grepl 2011-07-14 10:45:16 UTC
if you execute

# semanage permissive -a postfix_smtpd_t

which avc msgs are you getting then?

Comment 9 DAKSH 2011-07-14 15:24:22 UTC
I did after I posted last comment but selinux again pointing on that postfix_qmgr_t so I tried again semanage semanage permissive -a postfix_qmgr_t
than again selinux pointing on postfix_smtpd_t after semanage postfix_smtpd_t then again postfix_qmgr_t.
Practically it's turning clockwise. I think this is a bug(may be I do not much about linux development and selinux) is there any way to fix it?

Comment 10 Miroslav Grepl 2011-07-14 15:41:11 UTC
Well, this command won't fix it. It makes a domain as permissive domain. So a service will work and we will see avc msgs. Which is what I would like to see.

Comment 11 DAKSH 2011-07-14 16:56:29 UTC
so what I suppose to do. I am asking because may be I am using fedora since fedora core 8 but i am very much new to hosting or server administration. Can you tell me what should I do know?

Comment 12 DAKSH 2011-07-14 17:01:45 UTC
trying with semanage permissive -a postfix_t

Comment 13 Miroslav Grepl 2011-07-15 14:42:38 UTC
Fixed in selinux-policy-3.9.16-34.fc15


Please give me your output of

# semanage permissive -l |grep postfix

Comment 14 DAKSH 2011-07-15 15:24:41 UTC
semanage permissive -l |grep postfix
/usr/sbin/semanage: SELinux policy is not managed or store cannot be accessed.

I have created at least 10 local policies to work with. Till now from tomorrow Sealeart has not shown up yet.

Comment 15 Miroslav Grepl 2011-07-15 15:27:22 UTC
You need to run this command as root

su -c 'semanage permissive -l |grep postfix'

I am just building a new F15 policy which should fix your issues.

Comment 16 Miroslav Grepl 2011-07-15 15:29:09 UTC
The new packages are available from koji for now

http://koji.fedoraproject.org/koji/buildinfo?buildID=252982

Comment 17 DAKSH 2011-07-15 15:30:47 UTC
Thanks Mirosalv.
I really appreciate your help

Comment 18 Fedora Update System 2011-07-15 15:43:49 UTC
selinux-policy-3.9.16-34.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-34.fc15

Comment 19 Fedora Update System 2011-07-16 07:28:43 UTC
Package selinux-policy-3.9.16-34.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-34.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-34.fc15
then log in and leave karma (feedback).

Comment 20 Fedora Update System 2011-07-18 22:31:09 UTC
selinux-policy-3.9.16-34.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.