+++ This bug was initially created as a clone of Bug #720105 +++

SELinux is preventing /usr/libexec/postfix/qmgr from 'write' accesses on the dossier /var/spool/postfix/deferred/8.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that qmgr should be allowed write access on the 8 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep qmgr /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:postfix_qmgr_t:s0
Target Context                system_u:object_r:postfix_spool_maildrop_t:s0
Target Objects                /var/spool/postfix/deferred/8 [ dir ]
Source                        qmgr
Source Path                   /usr/libexec/postfix/qmgr
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           postfix-2.8.3-1.fc16
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-2.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.0-0.rc5.git0.1.fc16.x86_64 #1
                              SMP Tue Jun 28 04:06:31 UTC 2011 x86_64 x86_64
Alert Count                   118
First Seen                    lun. 04 juil. 2011 10:49:10 CEST
Last Seen                     lun. 04 juil. 2011 16:46:01 CEST
Local ID                      cd40ac75-014f-4d00-8b6c-5f809dc8da01

Raw Audit Messages
type=AVC msg=audit(1309790761.410:16833): avc:  denied  { write } for  pid=21272 comm="qmgr" name="8" dev=dm-1 ino=151244 scontext=system_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir


type=SYSCALL msg=audit(1309790761.410:16833): arch=x86_64 syscall=rename success=no exit=EACCES a0=7fc801d41440 a1=7fc801d420d0 a2=7fc801d44750 a3=7fff41be1b20 items=0 ppid=1481 pid=21272 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm=qmgr exe=/usr/libexec/postfix/qmgr subj=system_u:system_r:postfix_qmgr_t:s0 key=(null)

Hash: qmgr,postfix_qmgr_t,postfix_spool_maildrop_t,dir,write

audit2allow

#============= postfix_qmgr_t ==============
#!!!! The source type 'postfix_qmgr_t' can write to a 'dir' of the following types:
# var_spool_t, var_run_t, postfix_spool_t, tmp_t, postfix_qmgr_tmp_t

allow postfix_qmgr_t postfix_spool_maildrop_t:dir write;

audit2allow -R

#============= postfix_qmgr_t ==============
#!!!! The source type 'postfix_qmgr_t' can write to a 'dir' of the following types:
# var_spool_t, var_run_t, postfix_spool_t, tmp_t, postfix_qmgr_tmp_t

allow postfix_qmgr_t postfix_spool_maildrop_t:dir write;

--- Additional comment from dwalsh on 2011-07-11 17:55:23 EDT ---

Fixed in selinux-policy-3.10.0-3.fc16

--- Additional comment from dwalsh on 2011-07-11 18:03:52 EDT ---

*** Bug 713908 has been marked as a duplicate of this bug. ***

--- Additional comment from uckelman on 2011-07-15 14:09:35 EDT ---

This is also a problem in Fedora 15. Will this be backported?

--- Additional comment from amessina on 2011-07-31 20:00:48 EDT ---

(In reply to comment #3)
> This is also a problem in Fedora 15. Will this be backported?

Dan or Miroslav, will this fix be applied to F15?  It continues to be a problem which, with the sheer number of AVC denials, is almost like a DOS attack, as the number of deferreals increase, the number of AVCs generated (and emailed) create further deferrals and moreAVCs.