I get the following when courier tries to spool a mail for local delivery (remote delivery works fine for some odd reason):

type=USER_ACCT msg=audit(1317691201.253:96): user pid=9925 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1317691201.253:97): user pid=9925 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1317691201.254:98): pid=9925 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=15
type=USER_START msg=audit(1317691201.254:99): user pid=9925 uid=0 auid=0 ses=15 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=AVC msg=audit(1317691203.356:100): avc: denied { write } for pid=10186 comm="submit" name="socket" dev=dm-0 ino=7071 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_spool_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1317691203.356:100): arch=c000003e syscall=42 success=no exit=-13 a0=8 a1=7fffc076f7d0 a2=6e a3=7fffc076f4b0 items=0 ppid=10182 pid=10186 auid=0 uid=2 gid=2 euid=2 suid=2 fsuid=2 egid=2 sgid=2 fsgid=2 tty=(none) ses=15 comm="submit" exe="/usr/lib/courier/libexec/courier/submit" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
type=CRED_DISP msg=audit(1317691203.357:101): user pid=9925 uid=0 auid=0 ses=15 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1317691203.357:102): user pid=9925 uid=0 auid=0 ses=15 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Any chance you will get more AVC messages if you execute

# semanage permissive -a system_mail_t

and then re-test it and run

# ausearch -m avc -ts recent
I get one more:

time->Mon Oct 17 13:54:01 2011
type=SYSCALL msg=audit(1318852441.246:4519): arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=7fffd06bf3f0 a2=6e a3=7fffd06bf0d0 items=0 ppid=9777 pid=9778 auid=0 uid=2 gid=2 euid=2 suid=2 fsuid=2 egid=2 sgid=2 fsgid=2 tty=(none) ses=720 comm="submit" exe="/usr/lib/courier/libexec/courier/submit" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318852441.246:4519): avc: denied { connectto } for pid=9778 comm="submit" path="/var/spool/authdaemon/socket" scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1318852441.246:4519): avc: denied { write } for pid=9778 comm="submit" name="socket" dev=dm-0 ino=189 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_spool_t:s0 tclass=sock_file

(Oddly enough, ausearch shows them in the opposite order from audit.log.)

It's also very strange that I can only reproduce this using cron. I tried using at, but it a) refuses to mail for root (?!), and b) successfully mails as another user without any AVC.
What does # ps -eZ | grep initrc show?
[root@thor ~]# ps -eZ | grep initrc
unconfined_u:system_r:initrc_t:s0 2519 ? 00:00:00 courierlogger
unconfined_u:system_r:initrc_t:s0 2520 ? 00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 2521 ? 00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 2522 ? 00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 2523 ? 00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 2524 ? 00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 2525 ? 00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 11350 ? 00:00:00 couriertls
unconfined_u:system_r:initrc_t:s0 11351 ? 00:00:27 imapd
unconfined_u:system_r:initrc_t:s0 11354 ? 00:00:00 gam_server
unconfined_u:system_r:initrc_t:s0 15817 ? 00:00:00 courierfilter
unconfined_u:system_r:initrc_t:s0 15819 ? 00:00:00 courierlogger
unconfined_u:system_r:initrc_t:s0 15820 ? 00:00:00 pythonfilter
unconfined_u:system_r:initrc_t:s0 15828 ? 00:00:00 courierd
unconfined_u:system_r:initrc_t:s0 15842 ? 00:00:00 couriertcpd
unconfined_u:system_r:initrc_t:s0 15846 ? 00:00:00 courierlogger
unconfined_u:system_r:initrc_t:s0 15849 ? 00:00:00 courierlogger
unconfined_u:system_r:initrc_t:s0 15850 ? 00:00:00 couriertcpd
unconfined_u:system_r:initrc_t:s0 15855 ? 00:00:00 courierlogger
unconfined_u:system_r:initrc_t:s0 15856 ? 00:00:00 couriertcpd
unconfined_u:system_r:initrc_t:s0 16698 ? 00:00:00 courierd
unconfined_u:system_r:initrc_t:s0 16699 ? 00:00:00 courieruucp
unconfined_u:system_r:initrc_t:s0 16700 ? 00:00:00 courierlocal
unconfined_u:system_r:initrc_t:s0 16701 ? 00:00:00 courierfax
unconfined_u:system_r:initrc_t:s0 16702 ? 00:00:00 courieresmtp
unconfined_u:system_r:initrc_t:s0 16703 ? 00:00:00 courierdsn
What is your version of selinux-policy? # rpm -qf selinux-policy
# rpm -q selinux-policy

Option -f should not be there.
Yes, typo. Thanks.
# rpm -qa selinux-policy\*
selinux-policy-targeted-3.7.19-117.el6.noarch
selinux-policy-3.7.19-117.el6.noarch

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

# seinfo -t | grep courier
   courier_var_lib_t
   courier_var_run_t
   courier_sqwebmail_t
   courier_exec_t
   courier_spool_t
   courier_pop_exec_t
   courier_pcp_exec_t
   courier_etc_t
   courier_authdaemon_exec_t
   courier_tcpd_exec_t
   courier_tcpd_t
   courier_sqwebmail_exec_t
   courier_authdaemon_t
   courier_pcp_t
   courier_pop_t

# sesearch -s courier_t --allow
ERROR: could not find datum for type courier_t

courier_exec_t is defined but courier_t is not.
Which is OK.

mta_agent_executable(courier_exec_t)
can_exec(courier_authdaemon_t, courier_exec_t)
Pierre, could you test it with the latest policy packages available from http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/
With the new policy it is just one AVC:

----
time->Mon Oct 24 21:17:01 2011
type=SYSCALL msg=audit(1319483821.715:6790): arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=7fff2d81f490 a2=6e a3=7fff2d81f170 items=0 ppid=15696 pid=15697 auid=0 uid=2 gid=2 euid=2 suid=2 fsuid=2 egid=2 sgid=2 fsgid=2 tty=(none) ses=1094 comm="submit" exe="/usr/lib/courier/libexec/courier/submit" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1319483821.715:6790): avc: denied { connectto } for pid=15697 comm="submit" path="/var/spool/authdaemon/socket" scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
And what does # ps -efZ | grep initrc show now?
[root@thor ~]# ps -efZ | grep initrc
unconfined_u:system_r:initrc_t:s0 root 2519 1 0 Oct04 ? 00:00:00 /usr/sbin/courierlogger -pid=/var/spool/authdaemon/pid -start /usr/libexec/courier-authlib/authdaemond
unconfined_u:system_r:initrc_t:s0 root 2520 2519 0 Oct04 ? 00:00:00 /usr/libexec/courier-authlib/authdaemond
unconfined_u:system_r:initrc_t:s0 root 2521 2520 0 Oct04 ? 00:00:00 /usr/libexec/courier-authlib/authdaemond
unconfined_u:system_r:initrc_t:s0 root 2522 2520 0 Oct04 ? 00:00:00 /usr/libexec/courier-authlib/authdaemond
unconfined_u:system_r:initrc_t:s0 root 2523 2520 0 Oct04 ? 00:00:00 /usr/libexec/courier-authlib/authdaemond
unconfined_u:system_r:initrc_t:s0 root 2524 2520 0 Oct04 ? 00:00:00 /usr/libexec/courier-authlib/authdaemond
unconfined_u:system_r:initrc_t:s0 root 2525 2520 0 Oct04 ? 00:00:00 /usr/libexec/courier-authlib/authdaemond
unconfined_u:system_r:initrc_t:s0 root 15160 15856 0 20:58 ? 00:00:00 /usr/lib/courier/bin/couriertls -server -tcpd /usr/lib/courier/libexec/courier/imaplogin /usr/lib/courier/bin/imapd Maildir
unconfined_u:system_r:initrc_t:s0 daemon 15626 15828 0 21:13 ? 00:00:00 /usr/lib/courier/libexec/courier/courierd
unconfined_u:system_r:initrc_t:s0 uucp 15627 15626 0 21:13 ? 00:00:00 ./courieruucp
unconfined_u:system_r:initrc_t:s0 root 15628 15626 0 21:13 ? 00:00:00 ./courierlocal
unconfined_u:system_r:initrc_t:s0 root 15629 15626 0 21:13 ? 00:00:00 ./courierfax
unconfined_u:system_r:initrc_t:s0 daemon 15630 15626 0 21:13 ? 00:00:00 ./courieresmtp
unconfined_u:system_r:initrc_t:s0 daemon 15631 15626 0 21:13 ? 00:00:00 ./courierdsn
unconfined_u:system_r:initrc_t:s0 daemon 15817 1 0 Oct15 ? 00:00:00 /usr/lib/courier/sbin/courierfilter start
unconfined_u:system_r:initrc_t:s0 daemon 15819 1 0 Oct15 ? 00:00:00 /usr/sbin/courierlogger courierfilter
unconfined_u:system_r:initrc_t:s0 daemon 15820 15817 0 Oct15 ? 00:00:00 /usr/bin/python /etc/courier/filters/active/pythonfilter
unconfined_u:system_r:initrc_t:s0 root 15828 1 0 Oct15 ? 00:00:00 /usr/lib/courier/libexec/courier/courierd
unconfined_u:system_r:initrc_t:s0 daemon 15842 1 0 Oct15 ? 00:00:00 /usr/lib/courier/sbin/couriertcpd -stderrlogger=/usr/sbin/courierlogger -noidentlookup -user=daemon -group=daemon -block=zen.spamhaus.org,BLOCK -block=cbl.abuseat.org,BLOCK -block=bl.spamcop.net,BLOCK, -block=dnsbl.ahbl.org,BLOCK -access=/etc/courier/smtpaccess.dat -maxprocs=40 -maxperc=5 -maxperip=5 -pid=/var/spool/courier/tmp/esmtpd.pid smtp /usr/lib/courier/sbin/courieresmtpd
unconfined_u:system_r:initrc_t:s0 daemon 15846 1 0 Oct15 ? 00:00:00 /usr/sbin/courierlogger courieresmtpd
unconfined_u:system_r:initrc_t:s0 root 15849 1 0 Oct15 ? 00:00:00 /usr/sbin/courierlogger -pid=/var/spool/courier/tmp/imapd.pid -start -name=imapd /usr/lib/courier/sbin/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 143 /usr/lib/courier/libexec/courier/imaplogin /usr/lib/courier/bin/imapd Maildir
unconfined_u:system_r:initrc_t:s0 root 15850 15849 0 Oct15 ? 00:00:00 /usr/lib/courier/sbin/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 143 /usr/lib/courier/libexec/courier/imaplogin /usr/lib/courier/bin/imapd Maildir
unconfined_u:system_r:initrc_t:s0 root 15855 1 0 Oct15 ? 00:00:00 /usr/sbin/courierlogger -pid=/var/spool/courier/tmp/imapd-ssl.pid -start -name=imapd-ssl /usr/lib/courier/sbin/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 993 /usr/lib/courier/bin/couriertls -server -tcpd /usr/lib/courier/libexec/courier/imaplogin /usr/lib/courier/bin/imapd Maildir
unconfined_u:system_r:initrc_t:s0 root 15856 15855 0 Oct15 ? 00:00:00 /usr/lib/courier/sbin/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 993 /usr/lib/courier/bin/couriertls -server -tcpd /usr/lib/courier/libexec/courier/imaplogin /usr/lib/courier/bin/imapd Maildir

I did not restart the courier service though. I guess I should have?
Restarted courier-authlib and courier. Still get the same AVC. And ps:

[root@thor ~]# ps -eZ | grep initrc
unconfined_u:system_r:initrc_t:s0 16204 ? 00:00:00 courierlogger
unconfined_u:system_r:initrc_t:s0 16205 ? 00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 16206 ? 00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 16207 ? 00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 16208 ? 00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 16209 ? 00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 16210 ? 00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 16245 ? 00:00:00 courierfilter
unconfined_u:system_r:initrc_t:s0 16247 ? 00:00:00 courierlogger
unconfined_u:system_r:initrc_t:s0 16248 ? 00:00:00 pythonfilter
unconfined_u:system_r:initrc_t:s0 16256 ? 00:00:00 courierd
unconfined_u:system_r:initrc_t:s0 16258 ? 00:00:00 courierd
unconfined_u:system_r:initrc_t:s0 16260 ? 00:00:00 courieruucp
unconfined_u:system_r:initrc_t:s0 16261 ? 00:00:00 courierlocal
unconfined_u:system_r:initrc_t:s0 16262 ? 00:00:00 courierfax
unconfined_u:system_r:initrc_t:s0 16263 ? 00:00:00 courieresmtp
unconfined_u:system_r:initrc_t:s0 16264 ? 00:00:00 courierdsn
unconfined_u:system_r:initrc_t:s0 16269 ? 00:00:00 couriertcpd
unconfined_u:system_r:initrc_t:s0 16272 ? 00:00:00 courierlogger
unconfined_u:system_r:initrc_t:s0 16276 ? 00:00:00 courierlogger
unconfined_u:system_r:initrc_t:s0 16277 ? 00:00:00 couriertcpd
unconfined_u:system_r:initrc_t:s0 16282 ? 00:00:00 courierlogger
unconfined_u:system_r:initrc_t:s0 16283 ? 00:00:00 couriertcpd
unconfined_u:system_r:initrc_t:s0 16298 ? 00:00:00 couriertls
unconfined_u:system_r:initrc_t:s0 16299 ? 00:00:00 imapd
unconfined_u:system_r:initrc_t:s0 16301 ? 00:00:00 gam_server
OK, now I see paths which differ from the paths in the policy.
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
I believe we can leave these domains in this state and it can be fixed with a local policy for RHEL6. Closing this bug as WONTFIX for RHEL6.
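The closing comment leaves the fix to a local policy module, and the raw material for that module is the set of AVC records posted earlier in the thread (the connectto denial on /var/spool/authdaemon/socket and the sock_file write denial on courier_spool_t). As an added example that is not part of the bug report, of Courier, or of the selinux-policy package, the Python below does by hand what audit2allow does for those records: it parses the AVC lines (copied from the thread as constructed sample input), merges the denied permissions per source type, target type and object class, renders a checkmodule-style .te source, and flags any rule whose target is a catch-all domain. The module name mycourier, the BROAD_TARGETS set and the review() helper are assumptions of this example, not anything taken from the thread or from audit2allow.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records posted in this thread,
# copied verbatim (the two from the permissive-mode retest and the first one).
SAMPLE_AVCS = """\
type=AVC msg=audit(1318852441.246:4519): avc: denied { connectto } for pid=9778 comm="submit" path="/var/spool/authdaemon/socket" scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1318852441.246:4519): avc: denied { write } for pid=9778 comm="submit" name="socket" dev=dm-0 ino=189 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_spool_t:s0 tclass=sock_file
type=AVC msg=audit(1317691203.356:100): avc: denied { write } for pid=10186 comm="submit" name="socket" dev=dm-0 ino=7071 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_spool_t:s0 tclass=sock_file
"""

# One AVC record: the braces hold the denied permissions; the source context,
# target context and object class follow as key=value fields.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Catch-all domains: an allow rule targeting one of these grants access to every
# process that landed there, not just the daemon you had in mind.
# (Assumption of this example, not a list from the thread or from audit2allow.)
BROAD_TARGETS = {"initrc_t", "unconfined_t"}


def context_type(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL, USER_START etc. carry no denial
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], frozenset(m["perms"].split()))


def collect_rules(text):
    """Merge denials into {(src, tgt, class): set(perms)}, as audit2allow does."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(text):
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def render_te(rules, module="mycourier", version="1.0"):
    """Render a checkmodule-compatible .te source for the merged rules."""
    types = sorted({t for (src, tgt, _cls) in rules for t in (src, tgt)})
    class_perms = defaultdict(set)
    for (_src, _tgt, cls), perms in rules.items():
        class_perms[cls] |= perms
    lines = [f"module {module} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {{ {' '.join(sorted(perms))} }};"
              for cls, perms in sorted(class_perms.items())]
    lines += ["}", ""]
    lines += [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
              for (src, tgt, cls), perms in sorted(rules.items())]
    return "\n".join(lines) + "\n"


def review(rules):
    """Return the (src, tgt, class) keys whose target is a catch-all domain."""
    return sorted(key for key in rules if key[1] in BROAD_TARGETS)


if __name__ == "__main__":
    merged = collect_rules(SAMPLE_AVCS)
    print(render_te(merged))
    for key in review(merged):
        print(f"# review before loading: target {key[1]} is a catch-all domain")
```

On the real host the same module comes out of `ausearch -m avc -ts recent | audit2allow -M mycourier`, followed by `semodule -i mycourier.pp`. The rule review() flags is the one to look at before loading it: the target is initrc_t only because the authdaemond and courier processes in the ps -eZ output never left the generic init-script domain, so the rule lets system_mail_t connect to any initrc_t unix stream socket, not just /var/spool/authdaemon/socket. The policy on that box already defines courier_authdaemon_exec_t and courier_authdaemon_t; comparing the labels of the binaries from the ps -efZ listing (`ls -Z`) with what the policy's file contexts expect for those paths (`matchpathcon`) shows whether relabeling would put the daemons in their own domain and make the broad rule unnecessary.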