Bug 746580 - Courier unable to deliver local mail
Summary: Courier unable to deliver local mail
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-10-17 06:48 UTC by Pierre Ossman
Modified: 2015-02-25 10:41 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-25 10:38:33 UTC
Target Upstream Version:



Description Pierre Ossman 2011-10-17 06:48:14 UTC
I get the following when courier tries to spool a mail for local delivery (remote delivery works fine for some odd reason):

type=USER_ACCT msg=audit(1317691201.253:96): user pid=9925 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1317691201.253:97): user pid=9925 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1317691201.254:98): pid=9925 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=15
type=USER_START msg=audit(1317691201.254:99): user pid=9925 uid=0 auid=0 ses=15 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=AVC msg=audit(1317691203.356:100): avc:  denied  { write } for  pid=10186 comm="submit" name="socket" dev=dm-0 ino=7071 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_spool_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1317691203.356:100): arch=c000003e syscall=42 success=no exit=-13 a0=8 a1=7fffc076f7d0 a2=6e a3=7fffc076f4b0 items=0 ppid=10182 pid=10186 auid=0 uid=2 gid=2 euid=2 suid=2 fsuid=2 egid=2 sgid=2 fsgid=2 tty=(none) ses=15 comm="submit" exe="/usr/lib/courier/libexec/courier/submit" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
type=CRED_DISP msg=audit(1317691203.357:101): user pid=9925 uid=0 auid=0 ses=15 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1317691203.357:102): user pid=9925 uid=0 auid=0 ses=15 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

Comment 2 Miroslav Grepl 2011-10-17 07:37:04 UTC
Any chance you will get more AVC msgs if you execute

# semanage permissive -a system_mail_t

and then could you try to re-test it and run

# ausearch -m avc -ts recent

Comment 3 Pierre Ossman 2011-10-17 11:56:07 UTC
I get one more:

time->Mon Oct 17 13:54:01 2011
type=SYSCALL msg=audit(1318852441.246:4519): arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=7fffd06bf3f0 a2=6e a3=7fffd06bf0d0 items=0 ppid=9777 pid=9778 auid=0 uid=2 gid=2 euid=2 suid=2 fsuid=2 egid=2 sgid=2 fsgid=2 tty=(none) ses=720 comm="submit" exe="/usr/lib/courier/libexec/courier/submit" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318852441.246:4519): avc:  denied  { connectto } for  pid=9778 comm="submit" path="/var/spool/authdaemon/socket" scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1318852441.246:4519): avc:  denied  { write } for  pid=9778 comm="submit" name="socket" dev=dm-0 ino=189 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_spool_t:s0 tclass=sock_file

(oddly enough, ausearch shows them in the opposite order from audit.log)

It's also very strange that I can only reproduce this using cron. I tried using at, but it a) refuses to mail for root (?!), and b) successfully mails as another user without any AVC.

Comment 4 Miroslav Grepl 2011-10-17 20:32:26 UTC
What does

# ps -eZ |grep initrc

Comment 5 Pierre Ossman 2011-10-18 05:32:20 UTC
[root@thor ~]# ps -eZ | grep initrc
unconfined_u:system_r:initrc_t:s0 2519 ?       00:00:00 courierlogger
unconfined_u:system_r:initrc_t:s0 2520 ?       00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 2521 ?       00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 2522 ?       00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 2523 ?       00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 2524 ?       00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 2525 ?       00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 11350 ?      00:00:00 couriertls
unconfined_u:system_r:initrc_t:s0 11351 ?      00:00:27 imapd
unconfined_u:system_r:initrc_t:s0 11354 ?      00:00:00 gam_server
unconfined_u:system_r:initrc_t:s0 15817 ?      00:00:00 courierfilter
unconfined_u:system_r:initrc_t:s0 15819 ?      00:00:00 courierlogger
unconfined_u:system_r:initrc_t:s0 15820 ?      00:00:00 pythonfilter
unconfined_u:system_r:initrc_t:s0 15828 ?      00:00:00 courierd
unconfined_u:system_r:initrc_t:s0 15842 ?      00:00:00 couriertcpd
unconfined_u:system_r:initrc_t:s0 15846 ?      00:00:00 courierlogger
unconfined_u:system_r:initrc_t:s0 15849 ?      00:00:00 courierlogger
unconfined_u:system_r:initrc_t:s0 15850 ?      00:00:00 couriertcpd
unconfined_u:system_r:initrc_t:s0 15855 ?      00:00:00 courierlogger
unconfined_u:system_r:initrc_t:s0 15856 ?      00:00:00 couriertcpd
unconfined_u:system_r:initrc_t:s0 16698 ?      00:00:00 courierd
unconfined_u:system_r:initrc_t:s0 16699 ?      00:00:00 courieruucp
unconfined_u:system_r:initrc_t:s0 16700 ?      00:00:00 courierlocal
unconfined_u:system_r:initrc_t:s0 16701 ?      00:00:00 courierfax
unconfined_u:system_r:initrc_t:s0 16702 ?      00:00:00 courieresmtp
unconfined_u:system_r:initrc_t:s0 16703 ?      00:00:00 courierdsn

Comment 6 Miroslav Grepl 2011-10-18 09:37:57 UTC
What is your version of selinux-policy?

# rpm -qf selinux-policy

Comment 7 Milos Malik 2011-10-18 09:48:05 UTC
# rpm -q selinux-policy

Option -f should not be there.

Comment 8 Miroslav Grepl 2011-10-18 13:03:00 UTC
Yes, typo. Thanks.

Comment 10 Milos Malik 2011-10-19 09:58:51 UTC
# rpm -qa selinux-policy\*
selinux-policy-targeted-3.7.19-117.el6.noarch
selinux-policy-3.7.19-117.el6.noarch
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# seinfo -t | grep courier
   courier_var_lib_t
   courier_var_run_t
   courier_sqwebmail_t
   courier_exec_t
   courier_spool_t
   courier_pop_exec_t
   courier_pcp_exec_t
   courier_etc_t
   courier_authdaemon_exec_t
   courier_tcpd_exec_t
   courier_tcpd_t
   courier_sqwebmail_exec_t
   courier_authdaemon_t
   courier_pcp_t
   courier_pop_t
# sesearch -s courier_t --allow
ERROR: could not find datum for type courier_t

# 

courier_exec_t is defined but courier_t is not.

Comment 11 Miroslav Grepl 2011-10-19 10:08:18 UTC
Which is OK.

mta_agent_executable(courier_exec_t)
can_exec(courier_authdaemon_t, courier_exec_t)

Comment 12 Miroslav Grepl 2011-10-19 13:42:54 UTC
Pierre,
could you test it with the latest policy packages available from

http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

Comment 13 Pierre Ossman 2011-10-24 19:18:03 UTC
With the new policy it is just one AVC:

----
time->Mon Oct 24 21:17:01 2011
type=SYSCALL msg=audit(1319483821.715:6790): arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=7fff2d81f490 a2=6e a3=7fff2d81f170 items=0 ppid=15696 pid=15697 auid=0 uid=2 gid=2 euid=2 suid=2 fsuid=2 egid=2 sgid=2 fsgid=2 tty=(none) ses=1094 comm="submit" exe="/usr/lib/courier/libexec/courier/submit" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1319483821.715:6790): avc:  denied  { connectto } for  pid=15697 comm="submit" path="/var/spool/authdaemon/socket" scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket

Comment 14 Miroslav Grepl 2011-10-24 19:43:03 UTC
and what does

# ps -efZ |grep initrc

now?

Comment 15 Pierre Ossman 2011-10-24 20:00:48 UTC
[root@thor ~]# ps -efZ | grep initrc
unconfined_u:system_r:initrc_t:s0 root    2519     1  0 Oct04 ?        00:00:00 /usr/sbin/courierlogger -pid=/var/spool/authdaemon/pid -start /usr/libexec/courier-authlib/authdaemond
unconfined_u:system_r:initrc_t:s0 root    2520  2519  0 Oct04 ?        00:00:00 /usr/libexec/courier-authlib/authdaemond
unconfined_u:system_r:initrc_t:s0 root    2521  2520  0 Oct04 ?        00:00:00 /usr/libexec/courier-authlib/authdaemond
unconfined_u:system_r:initrc_t:s0 root    2522  2520  0 Oct04 ?        00:00:00 /usr/libexec/courier-authlib/authdaemond
unconfined_u:system_r:initrc_t:s0 root    2523  2520  0 Oct04 ?        00:00:00 /usr/libexec/courier-authlib/authdaemond
unconfined_u:system_r:initrc_t:s0 root    2524  2520  0 Oct04 ?        00:00:00 /usr/libexec/courier-authlib/authdaemond
unconfined_u:system_r:initrc_t:s0 root    2525  2520  0 Oct04 ?        00:00:00 /usr/libexec/courier-authlib/authdaemond
unconfined_u:system_r:initrc_t:s0 root   15160 15856  0 20:58 ?        00:00:00 /usr/lib/courier/bin/couriertls -server -tcpd /usr/lib/courier/libexec/courier/imaplogin /usr/lib/courier/bin/imapd Maildir
unconfined_u:system_r:initrc_t:s0 daemon 15626 15828  0 21:13 ?        00:00:00 /usr/lib/courier/libexec/courier/courierd
unconfined_u:system_r:initrc_t:s0 uucp   15627 15626  0 21:13 ?        00:00:00 ./courieruucp
unconfined_u:system_r:initrc_t:s0 root   15628 15626  0 21:13 ?        00:00:00 ./courierlocal
unconfined_u:system_r:initrc_t:s0 root   15629 15626  0 21:13 ?        00:00:00 ./courierfax
unconfined_u:system_r:initrc_t:s0 daemon 15630 15626  0 21:13 ?        00:00:00 ./courieresmtp
unconfined_u:system_r:initrc_t:s0 daemon 15631 15626  0 21:13 ?        00:00:00 ./courierdsn
unconfined_u:system_r:initrc_t:s0 daemon 15817     1  0 Oct15 ?        00:00:00 /usr/lib/courier/sbin/courierfilter start
unconfined_u:system_r:initrc_t:s0 daemon 15819     1  0 Oct15 ?        00:00:00 /usr/sbin/courierlogger courierfilter
unconfined_u:system_r:initrc_t:s0 daemon 15820 15817  0 Oct15 ?        00:00:00 /usr/bin/python /etc/courier/filters/active/pythonfilter
unconfined_u:system_r:initrc_t:s0 root   15828     1  0 Oct15 ?        00:00:00 /usr/lib/courier/libexec/courier/courierd
unconfined_u:system_r:initrc_t:s0 daemon 15842     1  0 Oct15 ?        00:00:00 /usr/lib/courier/sbin/couriertcpd -stderrlogger=/usr/sbin/courierlogger -noidentlookup -user=daemon -group=daemon -block=zen.spamhaus.org,BLOCK -block=cbl.abuseat.org,BLOCK -block=bl.spamcop.net,BLOCK, -block=dnsbl.ahbl.org,BLOCK -access=/etc/courier/smtpaccess.dat -maxprocs=40 -maxperc=5 -maxperip=5 -pid=/var/spool/courier/tmp/esmtpd.pid smtp /usr/lib/courier/sbin/courieresmtpd
unconfined_u:system_r:initrc_t:s0 daemon 15846     1  0 Oct15 ?        00:00:00 /usr/sbin/courierlogger courieresmtpd
unconfined_u:system_r:initrc_t:s0 root   15849     1  0 Oct15 ?        00:00:00 /usr/sbin/courierlogger -pid=/var/spool/courier/tmp/imapd.pid -start -name=imapd /usr/lib/courier/sbin/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 143 /usr/lib/courier/libexec/courier/imaplogin /usr/lib/courier/bin/imapd Maildir
unconfined_u:system_r:initrc_t:s0 root   15850 15849  0 Oct15 ?        00:00:00 /usr/lib/courier/sbin/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 143 /usr/lib/courier/libexec/courier/imaplogin /usr/lib/courier/bin/imapd Maildir
unconfined_u:system_r:initrc_t:s0 root   15855     1  0 Oct15 ?        00:00:00 /usr/sbin/courierlogger -pid=/var/spool/courier/tmp/imapd-ssl.pid -start -name=imapd-ssl /usr/lib/courier/sbin/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 993 /usr/lib/courier/bin/couriertls -server -tcpd /usr/lib/courier/libexec/courier/imaplogin /usr/lib/courier/bin/imapd Maildir
unconfined_u:system_r:initrc_t:s0 root   15856 15855  0 Oct15 ?        00:00:00 /usr/lib/courier/sbin/couriertcpd -address=0 -maxprocs=40 -maxperip=4 -nodnslookup -noidentlookup 993 /usr/lib/courier/bin/couriertls -server -tcpd /usr/lib/courier/libexec/courier/imaplogin /usr/lib/courier/bin/imapd Maildir

I did not restart the courier service though. I guess I should have?

Comment 16 Pierre Ossman 2011-10-24 20:04:13 UTC
Restarted courier-authlib and courier. Still get the same AVC. And ps:

[root@thor ~]# ps -eZ | grep initrc
unconfined_u:system_r:initrc_t:s0 16204 ?      00:00:00 courierlogger
unconfined_u:system_r:initrc_t:s0 16205 ?      00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 16206 ?      00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 16207 ?      00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 16208 ?      00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 16209 ?      00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 16210 ?      00:00:00 authdaemond
unconfined_u:system_r:initrc_t:s0 16245 ?      00:00:00 courierfilter
unconfined_u:system_r:initrc_t:s0 16247 ?      00:00:00 courierlogger
unconfined_u:system_r:initrc_t:s0 16248 ?      00:00:00 pythonfilter
unconfined_u:system_r:initrc_t:s0 16256 ?      00:00:00 courierd
unconfined_u:system_r:initrc_t:s0 16258 ?      00:00:00 courierd
unconfined_u:system_r:initrc_t:s0 16260 ?      00:00:00 courieruucp
unconfined_u:system_r:initrc_t:s0 16261 ?      00:00:00 courierlocal
unconfined_u:system_r:initrc_t:s0 16262 ?      00:00:00 courierfax
unconfined_u:system_r:initrc_t:s0 16263 ?      00:00:00 courieresmtp
unconfined_u:system_r:initrc_t:s0 16264 ?      00:00:00 courierdsn
unconfined_u:system_r:initrc_t:s0 16269 ?      00:00:00 couriertcpd
unconfined_u:system_r:initrc_t:s0 16272 ?      00:00:00 courierlogger
unconfined_u:system_r:initrc_t:s0 16276 ?      00:00:00 courierlogger
unconfined_u:system_r:initrc_t:s0 16277 ?      00:00:00 couriertcpd
unconfined_u:system_r:initrc_t:s0 16282 ?      00:00:00 courierlogger
unconfined_u:system_r:initrc_t:s0 16283 ?      00:00:00 couriertcpd
unconfined_u:system_r:initrc_t:s0 16298 ?      00:00:00 couriertls
unconfined_u:system_r:initrc_t:s0 16299 ?      00:00:00 imapd
unconfined_u:system_r:initrc_t:s0 16301 ?      00:00:00 gam_server

Comment 17 Miroslav Grepl 2011-10-24 20:15:27 UTC
Ok, now I see paths which are different from the paths in the policy.

Comment 21 RHEL Program Management 2012-07-10 08:20:45 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 22 RHEL Program Management 2012-07-11 01:54:59 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 27 Miroslav Grepl 2015-02-25 10:38:33 UTC
I believe we can leave these domains in this state and it can be fixed with a local policy for RHEL6.

Closing this bug as WONTFIX for RHEL6.
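Comment 27 leaves the fix to a local policy module, and comments 3 and 13 give the AVC denials such a module has to cover. The script below is an added example, not code from this bug report or from the selinux-policy package: a minimal audit2allow-style helper that parses `ausearch -m avc` output into a type-enforcement (.te) module. The sample log is the report's own AVC lines embedded as a constructed in-memory string so the script runs offline; the module name `courier_local` is an assumption.

```python
"""
Added example (not from the bug report or the selinux-policy package): turn
the AVC denials quoted in this thread into the allow rules of a local policy
module.  The sample lines are copied from comment 3 into a constructed,
in-memory log so the script runs without an audit daemon.
"""
import re
from collections import OrderedDict

# Constructed sample: the time-> and SYSCALL lines are kept on purpose so the
# parser has to skip them, as it would with real `ausearch -m avc` output.
SAMPLE_AUDIT_LOG = """\
time->Mon Oct 17 13:54:01 2011
type=SYSCALL msg=audit(1318852441.246:4519): arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=7fffd06bf3f0 a2=6e a3=7fffd06bf0d0 items=0 ppid=9777 pid=9778 auid=0 uid=2 gid=2 euid=2 suid=2 fsuid=2 egid=2 sgid=2 fsgid=2 tty=(none) ses=720 comm="submit" exe="/usr/lib/courier/libexec/courier/submit" subj=system_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1318852441.246:4519): avc:  denied  { connectto } for  pid=9778 comm="submit" path="/var/spool/authdaemon/socket" scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1318852441.246:4519): avc:  denied  { write } for  pid=9778 comm="submit" name="socket" dev=dm-0 ino=189 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:courier_spool_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'(?P<detail>.*?)scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial line; return None for anything that is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    comm_match = COMM_RE.search(m.group('detail'))
    return {
        'source': context_type(m.group('scontext')),
        'target': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
        'perms': set(m.group('perms').split()),
        'comm': comm_match.group(1) if comm_match else None,
    }


def collect_rules(lines):
    """Merge denials into {(source, target, class): sorted perms}, first-seen order."""
    rules = OrderedDict()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        rules.setdefault((d['source'], d['target'], d['tclass']), set()).update(d['perms'])
    return OrderedDict((key, sorted(perms)) for key, perms in rules.items())


def _perm_str(perms):
    return perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)


def render_te(module_name, rules, version='1.0'):
    """Render a .te module body (require block plus allow rules) from collected rules."""
    types = OrderedDict()
    classes = OrderedDict()
    for (src, tgt, tclass), perms in rules.items():
        types.setdefault(src, None)
        types.setdefault(tgt, None)
        classes.setdefault(tclass, set()).update(perms)

    out = ['module %s %s;' % (module_name, version), '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s %s;' % (tclass, _perm_str(sorted(perms))) for tclass, perms in classes.items()]
    out += ['}', '']
    out += ['allow %s %s:%s %s;' % (src, tgt, tclass, _perm_str(perms))
            for (src, tgt, tclass), perms in rules.items()]
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(render_te('courier_local', collect_rules(SAMPLE_AUDIT_LOG.splitlines())))
    # On the affected host the generated file would be built and loaded with
    # (commands not run here):
    #   checkmodule -M -m -o courier_local.mod courier_local.te
    #   semodule_package -o courier_local.pp -m courier_local.mod
    #   semodule -i courier_local.pp
```

audit2allow produces the same two rules from the same input; the point of spelling it out is that each rule should be read before it is loaded. The `connectto` rule targets `initrc_t`, the generic init-script domain, so it is broader than a rule to `courier_authdaemon_t` would be; comment 17 ties the `initrc_t` labelling to daemon paths that the policy does not know about, so checking the labels of those binaries with `matchpathcon` and `restorecon` before settling for the allow rule keeps the module as narrow as the denials actually require.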

