Bug 741718 - SELinux errors for bounced messages from PostFix
Summary: SELinux errors for bounced messages from PostFix
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 15
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-09-27 18:14 UTC by Daniel Scott
Modified: 2012-01-17 20:25 UTC (History)

Fixed In Version: selinux-policy-3.9.16-50.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-01-17 20:25:07 UTC
Type: ---



Description Daniel Scott 2011-09-27 18:14:40 UTC
Description of problem:
Bounced mail messages are causing SELinux errors.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.16-38.fc15.noarch
postfix-2.8.4-2.fc15.i686

How reproducible:
Always

Steps to Reproduce:
1. Send mail with a problem which causes it to bounce
  
Actual results:

type=AVC msg=audit(1317146539.811:4502): avc:  denied  { getattr } for  pid=10794 comm="smtp" path="/var/spool/postfix/active/BF108C15DB" dev=dm-1 ino=792027 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1317146539.812:4503): avc:  denied  { read write } for  pid=10794 comm="smtp" name="BF108C15DB" dev=dm-1 ino=792027 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1317146540.841:4504): avc:  denied  { read write } for  pid=10861 comm="error" name="BF108C15DB" dev=dm-1 ino=792027 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1317146541.865:4505): avc:  denied  { search } for  pid=10862 comm="bounce" name="defer" dev=dm-1 ino=791984 scontext=system_u:system_r:postfix_bounce_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir


Expected results:
No errors

Additional info:

[root@fileserver2 ~]# ls -alZ /var/spool/postfix/active
drwx------. postfix root system_u:object_r:postfix_spool_t:s0 .
drwxr-xr-x. root    root system_u:object_r:postfix_spool_t:s0 ..
[root@fileserver2 ~]#

Comment 1 Miroslav Grepl 2011-10-05 06:05:26 UTC
Fixed in selinux-policy-3.9.16-43.fc15

Comment 2 Brownout 2011-11-12 10:23:57 UTC
Back in Fedora 16, selinux-policy-3.10.0-55.fc16.

Comment 3 Miroslav Grepl 2011-11-14 13:45:11 UTC
What AVC msgs are you getting on Fedora16?

Comment 4 Brownout 2011-11-14 20:13:51 UTC
[71787.375389] type=1400 audit(1321298612.799:110): avc:  denied  { getattr } for  pid=13271 comm="smtp" path="/var/spool/postfix/active/73444A1A4E" dev=dm-1 ino=662094 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
[71787.375581] type=1400 audit(1321298612.799:111): avc:  denied  { read write } for  pid=13271 comm="smtp" name="73444A1A4E" dev=dm-1 ino=662094 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
[71787.387752] type=1400 audit(1321298612.811:112): avc:  denied  { getattr } for  pid=13273 comm="smtp" path="/var/spool/postfix/active/7054CA1227" dev=dm-1 ino=660007 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
[71787.387835] type=1400 audit(1321298612.811:113): avc:  denied  { read write } for  pid=13273 comm="smtp" name="7054CA1227" dev=dm-1 ino=660007 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
[71787.613555] forcedeth 0000:00:0a.0: irq 49 for MSI/MSI-X
[71788.399338] type=1400 audit(1321298613.823:114): avc:  denied  { read write } for  pid=13337 comm="error" name="73444A1A4E" dev=dm-1 ino=662094 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
[71788.418050] type=1400 audit(1321298613.841:115): avc:  denied  { read write } for  pid=13338 comm="error" name="7054CA1227" dev=dm-1 ino=660007 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
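
Added example (not part of the original report or of any commenter's post): a Python triage script that parses the AVC denials quoted in this bug, in both the audit.log form from the description and the kernel-log form from comment 4, and collapses them into one entry per source type, target type and object class. The names `parse_avc`, `summarize` and `SAMPLE` are assumptions made for this example.

```python
import re
from collections import defaultdict

# Sample input: four AVC records copied from this report (audit.log and
# kernel-log formats) plus the unrelated forcedeth line, which must be skipped.
SAMPLE = """
type=AVC msg=audit(1317146539.811:4502): avc:  denied  { getattr } for  pid=10794 comm="smtp" path="/var/spool/postfix/active/BF108C15DB" dev=dm-1 ino=792027 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1317146539.812:4503): avc:  denied  { read write } for  pid=10794 comm="smtp" name="BF108C15DB" dev=dm-1 ino=792027 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1317146541.865:4505): avc:  denied  { search } for  pid=10862 comm="bounce" name="defer" dev=dm-1 ino=791984 scontext=system_u:system_r:postfix_bounce_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
[71787.613555] forcedeth 0000:00:0a.0: irq 49 for MSI/MSI-X
[71788.399338] type=1400 audit(1321298613.823:114): avc:  denied  { read write } for  pid=13337 comm="error" name="73444A1A4E" dev=dm-1 ino=662094 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
"""

# Header is "type=AVC msg=audit(ts:serial)" in audit.log, "type=1400 audit(...)" in dmesg.
AVC_RE = re.compile(r"type=(?:AVC msg=|1400 )audit\([\d.]+:\d+\): "
                    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= kv.keys():
        return None  # truncated record
    return {
        "perms": set(m.group("perms").split()),
        "comm": kv.get("comm"),
        # A context is user:role:type:level; the type is what policy rules match on.
        "source": kv["scontext"].split(":")[2],
        "target": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
    }

def summarize(text):
    """Collapse denials into one entry per (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["comms"].add(rec["comm"])
        g["count"] += 1
    return dict(groups)

if __name__ == "__main__":
    for key, g in sorted(summarize(SAMPLE).items()):
        print(*key, sorted(g["perms"]), sorted(g["comms"]), g["count"])
```

On this sample every group has the same target type, postfix_spool_maildrop_t, while the `ls -alZ` output in the description shows the queue directory itself labelled postfix_spool_t.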

Comment 5 Miroslav Grepl 2011-11-15 09:03:17 UTC
I added fixes to F16.

Comment 6 Fedora Update System 2011-12-14 13:39:37 UTC
selinux-policy-3.9.16-50.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-50.fc15

Comment 7 Fedora Update System 2011-12-14 23:29:36 UTC
Package selinux-policy-3.9.16-50.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-50.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-17089/selinux-policy-3.9.16-50.fc15
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2012-01-17 20:25:07 UTC
selinux-policy-3.9.16-50.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

