769819 – selinux-policy-targeted-3.7.19-126.el6_2.4.noarch breaks postfix

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 769819 - selinux-policy-targeted-3.7.19-126.el6_2.4.noarch breaks postfix

Summary: selinux-policy-targeted-3.7.19-126.el6_2.4.noarch breaks postfix

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.2
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-12-22 11:40 UTC by Jarno Huuskonen
Modified:	2012-10-15 14:46 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-3.7.19-135.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-06-20 12:30:08 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2012:0780	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2012-06-19 20:34:59 UTC

Description Jarno Huuskonen 2011-12-22 11:40:50 UTC

Description of problem:
After updating from selinux-policy-targeted-3.7.19-93.el6_1.7.noarch
to selinux-policy-targeted-3.7.19-126.el6_2.4.noarch
postfix mail delievery fails.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-126.el6_2.4
selinux-policy-targeted-3.7.19-126.el6_2.4

How reproducible:
After downgrading to selinux-policy-targeted-3.7.19-93.el6_1.7 didn't
want to try second time.

Steps to Reproduce:
1. queue some mail in postfix queues
2. update selinux-policy and selinux-policy-targeted
3. try to resend the queued messages: postfix -i <QUEUEID>
  
Actual results:
selinux denied messages in audit logs:
type=AVC msg=audit(1324550512.761:2656736): avc:  denied  { getattr } for  pid=9241 comm="lmtp" path="/var/spool/postfix/active/3042626BE" dev=dm-3 ino=9918 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

type=AVC msg=audit(1324550512.763:2656737): avc:  denied  { read write } for  pid=9241 comm="lmtp" name="3042626BE" dev=dm-3 ino=9918 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

type=AVC msg=audit(1324550513.040:2656756): avc:  denied  { getattr } for  pid=9254 comm="smtp" path="/var/spool/postfix/active/625E4C37" dev=dm-3 ino=3127 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

type=AVC msg=audit(1324550513.779:2656758): avc:  denied  { read write } for  pid=9259 comm="error" name="3B9BD4144" dev=dm-3 ino=16708 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

type=AVC msg=audit(1324550513.789:2656759): avc:  denied  { read write } for  pid=9260 comm="error" name="334D8417E" dev=dm-3 ino=16766 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

type=AVC msg=audit(1324550513.801:2656760): avc:  denied  { read write } for  pid=9261 comm="error" name="316713231" dev=dm-3 ino=12849 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

Expected results:
Selinux-policy shouldn't break postfix mailflow.

Additional info:

Comment 2 Jarno Huuskonen 2011-12-22 13:44:53 UTC

I think somethings wrong with /var/spool/postfix/{defer,deferred} contexts:

Fresh install of RH6.2(selinux-policy-3.7.19-126.el6_2.4.noarch)
drwx------. postfix root system_u:object_r:postfix_spool_maildrop_t:s0 defer/
drwx------. postfix root system_u:object_r:postfix_spool_maildrop_t:s0 deferred/

Working postfix RH6.1 (selinux-policy-3.7.19-93.el6_1.7.noarch)):
drwx------. postfix root system_u:object_r:postfix_spool_t:s0 defer/
drwx------. postfix root system_u:object_r:postfix_spool_t:s0 deferred/

And if I: grep postfix /etc/selinux/targeted/contexts/files/file_contexts
and diff the output from those two machines:
@@ -9,14 +9,17 @@
 /var/spool/postfix/lib(64)?(/.*)?       system_u:object_r:lib_t:s0
 /var/spool/postfix/lib(64)?/ld.*\.so.*  --      system_u:object_r:ld_so_t:s0
 /var/spool/postfix/pid/.*       system_u:object_r:postfix_var_run_t:s0
+/var/spool/postfix/defer(/.*)?  system_u:object_r:postfix_spool_maildrop_t:s0
 /var/spool/postfix/flush(/.*)?  system_u:object_r:postfix_spool_flush_t:s0
 /var/spool/postfix/public(/.*)? system_u:object_r:postfix_public_t:s0
 /var/spool/postfix/bounce(/.*)? system_u:object_r:postfix_spool_bounce_t:s0
 /var/spool/postfix/private(/.*)?        system_u:object_r:postfix_private_t:s0
 /etc/postfix/postfix-script.*   --      system_u:object_r:postfix_exec_t:s0
+/var/spool/postfix/deferred(/.*)?       system_u:object_r:postfix_spool_maildrop_t:s0
 /var/spool/postfix/maildrop(/.*)?       system_u:object_r:postfix_spool_maildrop_t:s0
 /var/spool/postfix/postgrey(/.*)?       system_u:object_r:postgrey_spool_t:s0
 /usr/share/munin/plugins/postfix_mail.* --      system_u:object_r:munin_mail_plugin_exec_t:s0
+/usr/sbin/postcat       --      system_u:object_r:postfix_master_exec_t:s0
 /usr/sbin/postfix       --      system_u:object_r:postfix_master_exec_t:s0
 /usr/sbin/postlog       --      system_u:object_r:postfix_master_exec_t:s0
 /usr/sbin/postmap       --      system_u:object_r:postfix_map_exec_t:s0

Comment 4 Miroslav Grepl 2011-12-22 14:58:48 UTC

This label was introduced in RHEL6.2.

Jarno,
could you execute

# semanage permissive -a postfix_smtp_t
# semanage permissive -a postfix_master_t

which will make these domains as permissive and it won't break anything. And your system will be in enforcing mode.

Comment 5 Jarno Huuskonen 2011-12-29 08:59:57 UTC

(In reply to comment #4)
> could you execute
> 
> # semanage permissive -a postfix_smtp_t
> # semanage permissive -a postfix_master_t

I can do that, but I relabeled defer/deferred back to postfix_spool_t and that
seems to work for now.

Also I tested this on a fresh 6.2 install:
1. disable outgoing port 25 connections with iptables
2. try to send email
3. postfix creates a file in /var/spool/postfix/deferred/0/04DD11ECE
   (-rwx------. postfix postfix system_u:object_r:postfix_spool_t:s0 04DD11ECE)
(the directory is system_u:object_r:postfix_spool_maildrop_t:s0).
4. if I reenable outgoing connections -> the message is sent out just fine.

BUT if something relabels the 04DD11ECE to postfix_spool_maildrop_t (selinux policy updates? or manual restorecon -R -v) then:

type=AVC msg=audit(1325149007.615:19577): avc:  denied  { getattr } for  pid=6734 comm="smtp" path="/var/spool/postfix/active/04DD11ECE" dev=dm-6 ino=7886 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

type=AVC msg=audit(1325149007.616:19578): avc:  denied  { read write } for  pid=6734 comm="smtp" name="04DD11ECE" dev=dm-6 ino=7886 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

type=AVC msg=audit(1325149008.630:19579): avc:  denied  { read write } for  pid=6735 comm="error" name="04DD11ECE" dev=dm-6 ino=7886 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

Comment 6 Philip Prindeville 2012-01-12 02:28:41 UTC

I'm also seeing similar problems:

----
time->Wed Jan 11 13:53:12 2012
type=SYSCALL msg=audit(1326318792.799:1335): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fffac4d6ba0 a2=6e a3=fffffffffffffff0 items=0 ppid=1721 pid=7377 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326318792.799:1335): avc:  denied  { search } for  pid=7377 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 13:53:39 2012
type=SYSCALL msg=audit(1326318819.347:1336): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fffac4d6ba0 a2=6e a3=fffffffffffffff0 items=0 ppid=1721 pid=7377 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326318819.347:1336): avc:  denied  { search } for  pid=7377 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 13:54:57 2012
type=SYSCALL msg=audit(1326318897.767:1337): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fffac4d6ba0 a2=6e a3=fffffffffffffff0 items=0 ppid=1721 pid=7377 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326318897.767:1337): avc:  denied  { search } for  pid=7377 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 13:55:36 2012
type=SYSCALL msg=audit(1326318936.809:1338): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fffac4d6ba0 a2=6e a3=fffffffffffffff0 items=0 ppid=1721 pid=7377 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326318936.809:1338): avc:  denied  { search } for  pid=7377 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 13:56:21 2012
type=SYSCALL msg=audit(1326318981.987:1339): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fffac4d6ba0 a2=6e a3=fffffffffffffff0 items=0 ppid=1721 pid=7377 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326318981.987:1339): avc:  denied  { search } for  pid=7377 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 14:33:59 2012
type=SYSCALL msg=audit(1326321239.263:1381): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fffb4a44120 a2=6e a3=fffffffffffffff0 items=0 ppid=7556 pid=7585 auid=502 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=47 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326321239.263:1381): avc:  denied  { search } for  pid=7585 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 15:18:29 2012
type=SYSCALL msg=audit(1326323909.822:1432): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fff8061d4e0 a2=6e a3=fffffffffffffff0 items=0 ppid=7556 pid=7674 auid=502 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=47 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326323909.822:1432): avc:  denied  { search } for  pid=7674 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 15:19:29 2012
type=SYSCALL msg=audit(1326323969.708:1433): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fff8061d4e0 a2=6e a3=fffffffffffffff0 items=0 ppid=7556 pid=7674 auid=502 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=47 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326323969.708:1433): avc:  denied  { search } for  pid=7674 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 15:20:19 2012
type=SYSCALL msg=audit(1326324019.664:1453): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fff8061d4e0 a2=6e a3=fffffffffffffff0 items=0 ppid=7556 pid=7674 auid=502 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=47 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326324019.664:1453): avc:  denied  { search } for  pid=7674 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 15:20:31 2012
type=SYSCALL msg=audit(1326324031.372:1457): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fff8061d4e0 a2=6e a3=fffffffffffffff0 items=0 ppid=7556 pid=7674 auid=502 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=47 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326324031.372:1457): avc:  denied  { search } for  pid=7674 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 15:24:26 2012
type=SYSCALL msg=audit(1326324266.216:1458): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fff20b90cd0 a2=6e a3=fffffffffffffff0 items=0 ppid=7556 pid=7733 auid=502 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=47 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326324266.216:1458): avc:  denied  { search } for  pid=7733 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 15:28:34 2012
type=SYSCALL msg=audit(1326324514.148:1461): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=34d2ab0 a2=6e a3=7fff680bce80 items=0 ppid=7442 pid=7444 auid=502 uid=496 gid=494 euid=496 suid=496 fsuid=496 egid=494 sgid=494 fsgid=494 tty=(none) ses=47 comm="mimedefang.pl" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1326324514.148:1461): avc:  denied  { connectto } for  pid=7444 comm="mimedefang.pl" path="/var/run/clamav/clamd.sock" scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:system_r:clamd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1326324514.148:1461): avc:  denied  { write } for  pid=7444 comm="mimedefang.pl" name="clamd.sock" dev=dm-0 ino=2232540 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1326324514.148:1461): avc:  denied  { search } for  pid=7444 comm="mimedefang.pl" name="clamav" dev=dm-0 ino=2232121 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 15:28:33 2012
type=SYSCALL msg=audit(1326324513.582:1460): arch=c000003e syscall=42 success=yes exit=0 a0=e a1=7fffd5ce7b90 a2=6e a3=fffffffffffffff0 items=0 ppid=7556 pid=7767 auid=502 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=47 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326324513.582:1460): avc:  denied  { connectto } for  pid=7767 comm="smtpd" path="/var/spool/MIMEDefang/mimedefang.sock" scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:system_r:spamd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1326324513.582:1460): avc:  denied  { write } for  pid=7767 comm="smtpd" name="mimedefang.sock" dev=dm-0 ino=2233041 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:spamd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1326324513.582:1460): avc:  denied  { search } for  pid=7767 comm="smtpd" name="MIMEDefang" dev=dm-0 ino=2232221 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:spamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 15:29:43 2012
type=SYSCALL msg=audit(1326324583.403:1462): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=34d2ab0 a2=6e a3=3f1a0d8 items=0 ppid=7442 pid=7444 auid=502 uid=496 gid=494 euid=496 suid=496 fsuid=496 egid=494 sgid=494 fsgid=494 tty=(none) ses=47 comm="mimedefang.pl" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1326324583.403:1462): avc:  denied  { connectto } for  pid=7444 comm="mimedefang.pl" path="/var/run/clamav/clamd.sock" scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:system_r:clamd_t:s0 tclass=unix_stream_socket
----
time->Wed Jan 11 15:34:01 2012
type=SYSCALL msg=audit(1326324841.053:1472): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=34d2ab0 a2=6e a3=3f1a0e0 items=0 ppid=7442 pid=7444 auid=502 uid=496 gid=494 euid=496 suid=496 fsuid=496 egid=494 sgid=494 fsgid=494 tty=(none) ses=47 comm="mimedefang.pl" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1326324841.053:1472): avc:  denied  { write } for  pid=7444 comm="mimedefang.pl" name="clamd.sock" dev=dm-0 ino=2232540 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=sock_file
----
time->Wed Jan 11 15:37:58 2012
type=SYSCALL msg=audit(1326325078.976:1491): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=34d2ab0 a2=6e a3=3f1a0d8 items=0 ppid=7442 pid=7444 auid=502 uid=496 gid=494 euid=496 suid=496 fsuid=496 egid=494 sgid=494 fsgid=494 tty=(none) ses=47 comm="mimedefang.pl" exe="/usr/bin/perl" subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(1326325078.976:1491): avc:  denied  { search } for  pid=7444 comm="mimedefang.pl" name="clamav" dev=dm-0 ino=2232121 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:clamd_var_run_t:s0 tclass=dir
----
time->Wed Jan 11 15:37:58 2012
type=SYSCALL msg=audit(1326325078.802:1490): arch=c000003e syscall=42 success=yes exit=0 a0=d a1=7ffff86225d0 a2=6e a3=7ffff86222f0 items=0 ppid=7556 pid=8093 auid=502 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=47 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=unconfined_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1326325078.802:1490): avc:  denied  { connectto } for  pid=8093 comm="smtpd" path="/var/spool/MIMEDefang/mimedefang.sock" scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:system_r:spamd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1326325078.802:1490): avc:  denied  { write } for  pid=8093 comm="smtpd" name="mimedefang.sock" dev=dm-0 ino=2233041 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:spamd_var_run_t:s0 tclass=sock_file


which audit2allow tells me should be:


module spamd 1.0;

require {
	type clamd_var_run_t;
	type clamd_t;
	type spamd_t;
	type postfix_smtpd_t;
	type spamd_var_run_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class dir search;
}

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t spamd_t:unix_stream_socket connectto;
allow postfix_smtpd_t spamd_var_run_t:dir search;
allow postfix_smtpd_t spamd_var_run_t:sock_file write;

#============= spamd_t ==============
allow spamd_t clamd_t:unix_stream_socket connectto;
allow spamd_t clamd_var_run_t:dir search;
allow spamd_t clamd_var_run_t:sock_file write;

Comment 7 Miroslav Grepl 2012-01-25 16:58:12 UTC

Fixed in selinux-policy-3.7.19-135.el6

Comment 11 Philip Prindeville 2012-01-27 17:45:57 UTC

(In reply to comment #7)
> Fixed in selinux-policy-3.7.19-135.el6

Where's the koji build?

Comment 12 Daniel Walsh 2012-01-27 21:52:52 UTC

We don't build RHEL in koji.

http://people.redhat.com/dwalsh/SELinux/RHEL6

Will contain the latest packages for SELinux on RHEL.

Comment 15 errata-xmlrpc 2012-06-20 12:30:08 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html

Note You need to log in before you can comment on or make changes to this bug.