Bug 755750 - Postfix SASLauthd AVC denied read access /tmp whilst sending email
Summary: Postfix SASLauthd AVC denied read access /tmp whilst sending email
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 16
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-11-21 23:09 UTC by Jeroen Roodhart
Modified: 2013-02-13 18:49 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-13 18:49:29 UTC
Type: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Jeroen Roodhart 2011-11-21 23:09:50 UTC 
Description of problem:

Whilst sending email through Postfix SMTP/SASL I get the following error:

Nov 21 23:40:21 knuth kernel: [116778.802943] type=1400 audit(1321915221.606:719): avc:  denied  { read } for  pid=28970 comm="saslauthd" name="smtp.postfix" dev=sda2 ino=677098 scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
Nov 21 23:40:21 knuth saslauthd[28970]: do_auth         : auth failure: [user=jeroen] [service=smtp] [realm=] [remote=] [mech=pam] [reason=PAM auth error]
Nov 21 23:40:21 knuth saslauthd[28970]: do_auth         : auth failure: [user=jeroen] [service=smtp] [realm=] [remote=] [mech=pam] [reason=PAM auth error]
Nov 21 23:40:21 knuth kernel: [116779.070450] type=1400 audit(1321915221.874:720): avc:  denied  { read } for  pid=28970 comm="saslauthd" name="smtp.postfix" dev=sda2 ino=677098 scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
Nov 21 23:40:29 knuth kernel: [116786.545025] type=1400 audit(1321915229.348:721): avc:  denied  { read } for  pid=28971 comm="saslauthd" name="smtp.postfix" dev=sda2 ino=677098 scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
Nov 21 23:40:29 knuth kernel: [116786.780978] type=1400 audit(1321915229.584:722): avc:  denied  { read } for  pid=28971 comm="saslauthd" name="smtp.postfix" dev=sda2 ino=677098 scontext=system_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
Nov 21 23:40:29 knuth saslauthd[28971]: do_auth         : auth failure: [user=jeroen] [service=smtp] [realm=] [remote=] [mech=pam] [reason=PAM auth error]

Version-Release number of selected component (if applicable):

Linux knuth.tuxwielder.nl 3.1.1-2.fc16.x86_64 #1 SMP Mon Nov 14 15:46:10 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

Fedora release 16 (Verne) (preupgraded from F14)

Name        : postfix
Epoch       : 2
Version     : 2.8.5
Release     : 1.fc16
Architecture: x86_64

Name        : cyrus-sasl
Version     : 2.1.23
Release     : 25.fc16
Architecture: x86_64

Name        : selinux-policy-targeted
Version     : 3.10.0
Release     : 56.fc16
Architecture: noarch


How reproducible:

When sending email through Postfix SMTP, always.

Steps to Reproduce:
1. Setup Postfix/SASLauthd MECH=pam
2. Send email

  
Actual results:

AVC denied errors en sending of email fails

Expected results:

Email should be accepted and sent

Additional info:

If I disable selinux (setenforce 0), send succeeds
Comment 1 Miroslav Grepl 2011-11-23 07:59:55 UTC 
Could you execute

# semanage permissive -a saslauthd_t

re-test it and

# ausearch -m avc -ts recent
Comment 2 Jeroen Roodhart 2011-11-23 09:50:07 UTC 
# semanage permissive -a saslauthd_t

That works :)


[root@knuth jeroen]# ausearch -m avc -ts recent
<no matches>

(Same result after a 'semanage permissive -d saslauthd_t')

With kind regards,

Jeroen
Comment 3 Daniel Walsh 2011-11-23 17:00:12 UTC 
Why was smtp.postfix created as tmp_t?  What process created it? Why does saslauthd need to read it?
Comment 4 Fedora End Of Life 2013-01-16 15:41:55 UTC 
This message is a reminder that Fedora 16 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 16. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 16 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 5 Fedora End Of Life 2013-02-13 18:49:33 UTC 
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
Note You need to log in before you can comment on or make changes to this bug.