Bug 790556 - SELinux is preventing /usr/libexec/postfix/smtpd from 'create' accesses on the file 479544.2734.
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:a087e8b9309d3c30a0b197960c3...
Depends On:
Blocks:
Reported: 2012-02-14 20:25 UTC by Nicolas Mailhot
Modified: 2012-02-14 22:08 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-14 22:08:01 UTC
Type: ---



Description Nicolas Mailhot 2012-02-14 20:25:34 UTC
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.0-0.rc3.git5.1.fc17.x86_64
reason:         SELinux is preventing /usr/libexec/postfix/smtpd from 'create' accesses on the fichier 479544.2734.
time:           mar. 14 févr. 2012 21:21:59 CET

description:
:SELinux is preventing /usr/libexec/postfix/smtpd from 'create' accesses on the fichier 479544.2734.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that smtpd should be allowed create access on the 479544.2734 file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep smtpd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:postfix_smtpd_t:s0
:Target Context                system_u:object_r:postfix_spool_t:s0
:Target Objects                479544.2734 [ file ]
:Source                        smtpd
:Source Path                   /usr/libexec/postfix/smtpd
:Port                          <Inconnu>
:Host                          (removed)
:Source RPM Packages           postfix-2.9.0-2.fc18.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-87.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.0-0.rc3.git5.1.fc17.x86_64 #1
:                              SMP Tue Feb 14 14:58:54 UTC 2012 x86_64 x86_64
:Alert Count                   2
:First Seen                    mar. 14 févr. 2012 20:17:36 CET
:Last Seen                     mar. 14 févr. 2012 20:30:01 CET
:Local ID                      1b3aa39f-69cf-4cf0-8b6f-c5c515bf2069
:
:Raw Audit Messages
:type=AVC msg=audit(1329247801.479:11765): avc:  denied  { create } for  pid=2734 comm="smtpd" name="479544.2734" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1329247801.479:11765): arch=x86_64 syscall=open success=yes exit=EXDEV a0=7f9680f5b1e0 a1=c2 a2=0 a3=0 items=0 ppid=978 pid=2734 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm=smtpd exe=/usr/libexec/postfix/smtpd subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
:
:Hash: smtpd,postfix_smtpd_t,postfix_spool_t,file,create
:
:audit2allow
:
:#============= postfix_smtpd_t ==============
:allow postfix_smtpd_t postfix_spool_t:file create;
:
:audit2allow -R
:
:#============= postfix_smtpd_t ==============
:allow postfix_smtpd_t postfix_spool_t:file create;
:
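As an added example (not code from the bug report or from the selinux-policy project), the following Python parses the raw AVC/SYSCALL pair quoted above and derives the same allow rule that audit2allow printed. It also records whether the paired SYSCALL record shows success=yes, which is what tells a reviewer that the host was in permissive mode and the denial describes what smtpd actually did rather than a blocked attempt.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two audit records quoted in the report above.
AUDIT_LOG = """\
type=AVC msg=audit(1329247801.479:11765): avc:  denied  { create } for  pid=2734 comm="smtpd" name="479544.2734" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1329247801.479:11765): arch=x86_64 syscall=open success=yes exit=EXDEV a0=7f9680f5b1e0 a1=c2 a2=0 a3=0 items=0 ppid=978 pid=2734 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm=smtpd exe=/usr/libexec/postfix/smtpd subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
"""

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
                    r'\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    serial: str
    perms: tuple          # e.g. ('create',)
    comm: str
    name: str             # object name from the AVC record, if any
    source_type: str      # type field of scontext, e.g. postfix_smtpd_t
    target_type: str      # type field of tcontext, e.g. postfix_spool_t
    tclass: str
    permissive: bool      # True when the paired SYSCALL record says success=yes


def parse_denials(text):
    """Parse audit.log text into Denial records, pairing AVC and SYSCALL by serial."""
    succeeded = {}
    for line in text.splitlines():
        if line.startswith('type=SYSCALL'):
            succeeded[SERIAL_RE.search(line).group(1)] = dict(KV_RE.findall(line)).get('success') == 'yes'
    denials = []
    for m in filter(None, map(AVC_RE.match, text.splitlines())):
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
        denials.append(Denial(
            serial=m.group('serial'), perms=tuple(m.group('perms').split()),
            comm=kv.get('comm', ''), name=kv.get('name', ''),
            source_type=kv['scontext'].split(':')[2],
            target_type=kv['tcontext'].split(':')[2], tclass=kv['tclass'],
            permissive=succeeded.get(m.group('serial'), False)))
    return denials


def te_rules(denials):
    """Merge denials into one allow rule per (source, target, class), as audit2allow does."""
    merged = {}
    for d in denials:
        merged.setdefault((d.source_type, d.target_type, d.tclass), set()).update(d.perms)
    return [f"allow {s} {t}:{c} {' '.join(sorted(p))};" for (s, t, c), p in sorted(merged.items())]
```

Running it over a real /var/log/audit/audit.log lets you group the smtpd denials by (source type, target type, class) before deciding whether a denial is a mislabeled directory (fixed by restorecon) or a genuine policy gap worth reporting, as this one turned out to be.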

Comment 1 Daniel Walsh 2012-02-14 20:42:44 UTC
Never seen it create content in this directory before.  Nicolas, did you intend to go to F18?

Is postfix smtpd supposed to create content in /var/spool/postfix?

Or are your subdirs mislabeled?

restorecon -R -v /var/spool

Comment 2 Nicolas Mailhot 2012-02-14 21:33:45 UTC
(In reply to comment #1)
> Never seen it create content in this directory before.  Nicolas, did you intend
> to go to F18?

I just stick to rawhide; that's where testing is most useful, I think.

> Is postfix smtpd supposed to create content in /var/spool/postfix?
> 
> Or are your subdirs mislabeled?
> 
> restorecon -R -v /var/spool

I certainly hope that if postfix smtpd writes files somewhere, that's in /var/spool/postfix (its spool dir).

That may be a side effect of the
smtpd_proxy_options=speed_adjust

I enabled yesterday while looking at amavisd/clamav interactions.

It's described in the postfix docs as requiring the write of a temporary file, in
http://www.postfix.org/postconf.5.html#smtpd_proxy_options :

> NOTE 2: This feature increases the minimum amount of free queue space by
> $message_size_limit. The extra space is needed to save the message to a
> temporary file.

Comment 3 Nicolas Mailhot 2012-02-14 21:57:49 UTC
Looking at postfix error messages from before I switched to permissive mode, I see errors like:

postfix/smtpd[2078]: warning: mail_queue_enter: create file incoming/95444.2078: Permission denied

So it does not create those files just anywhere in /var/spool/postfix, but only in /var/spool/postfix/incoming.

Comment 4 Daniel Walsh 2012-02-14 22:08:01 UTC
OK, currently the policy allows reading/writing but not creating. I have no idea why not.

Fixed in selinux-policy-3.10.0-89.fc17.noarch

And Rawhide slows to a crawl after we branch.  I think it would be better to test in F17 with updates-testing turned on until we ship beta.

Most developers are working on F17 now and packages that get updated do not show up in F18 until they are released to F17 updates.

