Bug 799818 - SELinux policy missing postfix /dev/log fcontext in chroot
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 16
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Ben Levenson
Reopened
Reported: 2012-03-05 01:31 EST by Scott Shambarger
Modified: 2012-04-21 23:35 EDT
Fixed In Version: selinux-policy-3.10.0-84.fc16
Doc Type: Bug Fix
Last Closed: 2012-04-21 23:35:15 EDT
Description Scott Shambarger 2012-03-05 01:31:25 EST
Description of problem:
selinux-policy-targeted-3.10.0 is missing correct fcontext for /dev

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-75
selinux-policy-targeted-3.10.0

How reproducible:
Anytime postfix logs to /dev/log

Steps to Reproduce:
1. Install postfix with chroot enabled
2. Create /var/spool/postfix/dev/log socket via rsyslog config
3. Enable selinux
4. Attempt any postfix functions that require syslog

Additional info:

Present in /etc/selinux/targeted/contexts/files/file_contexts
/dev/log        -s      system_u:object_r:devlog_t:s0

Missing in /etc/selinux/targeted/contexts/files/file_contexts.subs
/var/spool/postfix/dev /dev
Comment 1 Miroslav Grepl 2012-03-05 05:09:33 EST
This needs to be fixed in the policy.


commit 8683310d35496b28051affa3ea55b87df4709da3
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Mar 5 12:08:34 2012 +0000

    Add labeling for /var/spool/postfix/dev/log
        * support postfix chroot
Comment 2 Fedora Update System 2012-03-13 08:25:19 EDT
selinux-policy-3.10.0-80.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-80.fc16
Comment 3 Scott Shambarger 2012-03-13 09:29:06 EDT
Tried the new policy.  A few problems.

1) rsyslog doesn't appear to create the log file with the correct context:

# ls -lZ /var/spool/postfix/dev:
srw-rw-rw-. root root system_u:object_r:var_log_t:s0   log

This appears to be related to these entries in /etc/selinux/targeted/contexts/files/file_contexts:

/var/spool/postfix/dev  -d      system_u:object_r:var_log_t:s0
/var/spool/postfix/dev/log      -s      system_u:object_r:devlog_t:s0

If, after starting rsyslog, I run restorecon on /var/spool/postfix/dev, the log file is marked devlog_t as expected.

If I mark /var/spool/postfix/dev as device_t, and restart rsyslog, dev/log is created as devlog_t as expected.

Is there a reason why the /var/spool/postfix/dev directory wasn't marked as device_t?

2) Because /var/spool/postfix/dev is var_log_t, I need to add rules to give rsyslog the ability to create sockets in that directory type (not required if it's device_t, and probably not a good thing to require):

allow syslogd_t var_log_t:sock_file { create setattr unlink };

3) Regardless of (2), I also need to add the following so that rsyslog can find the /var/spool/postfix/dev directory:

allow syslogd_t postfix_spool_t:dir search;
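As an added example (not code from the bug report or from the Fedora policy sources), a small Python model of how a path is resolved against file_contexts entries and a file_contexts.subs rewrite, run over the entries quoted in the description and in comment 3. The /dev and postfix_spool_t entries, the ordering of the sample lists, and the device_t label used for the corrected directory entry are assumptions; the page does not quote the final policy text.

```python
import re
from typing import List, Optional, Tuple

Spec = Tuple[str, Optional[str], str]  # (regex, type flag such as -d/-s or None, context)

# Constructed samples in file_contexts syntax (assumed, not the shipped policy).
# BASE: generic /dev and postfix spool entries. POLICY_80: adds the two entries
# quoted in comment 3 (directory wrongly var_log_t). FIXED: directory as device_t,
# the label the reporter proposed.
BASE = """
/dev                     -d  system_u:object_r:device_t:s0
/dev/.*                      system_u:object_r:device_t:s0
/dev/log                 -s  system_u:object_r:devlog_t:s0
/var/spool/postfix(/.*)?     system_u:object_r:postfix_spool_t:s0
"""
POLICY_80 = BASE + """
/var/spool/postfix/dev     -d  system_u:object_r:var_log_t:s0
/var/spool/postfix/dev/log -s  system_u:object_r:devlog_t:s0
"""
FIXED = BASE + """
/var/spool/postfix/dev     -d  system_u:object_r:device_t:s0
/var/spool/postfix/dev/log -s  system_u:object_r:devlog_t:s0
"""
SUBS = [("/var/spool/postfix/dev", "/dev")]  # the file_contexts.subs line from the report


def parse_file_contexts(text: str) -> List[Spec]:
    specs: List[Spec] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # three fields: regex, type flag, context; two fields: regex, context (any type)
        regex, ftype, ctx = parts if len(parts) == 3 else (parts[0], None, parts[1])
        specs.append((regex, ftype, ctx))
    return specs


def apply_subs(path: str, subs) -> str:
    """file_contexts.subs rewrites a leading 'src' path prefix to 'dst' before matching."""
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def lookup(path: str, ftype: str, text: str, subs=()) -> Optional[str]:
    """Return the SELinux type restorecon would set on path; ftype is -d (dir) or -s (socket)."""
    path = apply_subs(path, subs)
    # Specs are kept most-specific-last (as libselinux sorts them) and the last match wins.
    for regex, want, ctx in reversed(parse_file_contexts(text)):
        if want in (None, ftype) and re.fullmatch(regex, path):
            return ctx.split(":")[2]
    return None
```

With POLICY_80 the directory resolves to var_log_t and only the socket to devlog_t, which is the mislabeling comment 3 describes; with the subs line alone, both the directory and the socket inherit the /dev labels.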
Comment 4 Miroslav Grepl 2012-03-13 09:38:58 EDT
No, this is copy/paste issue. I need to fix it.
Comment 5 Fedora Update System 2012-03-20 22:24:23 EDT
Package selinux-policy-3.10.0-80.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-80.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-80.fc16
then log in and leave karma (feedback).
Comment 6 Scott Shambarger 2012-03-21 00:26:36 EDT
The package listed above is still the same package referenced in comment #2, which has the problems listed in comment #3.  I don't want to ruin the karma of the release with a down-vote, but it clearly doesn't fix this bug...
Comment 7 Miroslav Grepl 2012-03-21 03:32:16 EDT
Yes, it does not.
Comment 8 Fedora Update System 2012-03-23 20:36:32 EDT
selinux-policy-3.10.0-80.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Scott Shambarger 2012-03-23 22:54:59 EDT
Not sure why this was closed; as mentioned above, the bug is NOT fixed in 3.10.0-80.
Comment 10 Miroslav Grepl 2012-03-26 05:55:17 EDT
I did not remove it from the update in bodhi.
Comment 11 Scott Shambarger 2012-04-15 01:21:41 EDT
Any update on this bug?
Comment 12 Miroslav Grepl 2012-04-16 04:34:25 EDT
commit 41088c95d3a99d6e85fcd77ce250ebfdfe4ae9c4
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Apr 16 10:32:24 2012 +0000

    Allow syslogd to search postfix spool to support postfix with chroot enabled

commit 642f67bc0b272dd2d56fcf7c40bea8f1fc866f5b
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Apr 16 10:30:02 2012 +0000

    Fix labeling for /var/spool/postfix/dev


----

This is going to be fixed in selinux-policy-3.10.0-84.fc16.
Comment 13 Fedora Update System 2012-04-18 08:53:05 EDT
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16
Comment 14 Scott Shambarger 2012-04-18 16:38:27 EDT
selinux-policy-3.10.0-84.fc16 fixes the problem.  Both postfix and rsyslog work as expected.  Thanks!
Comment 15 Fedora Update System 2012-04-21 23:35:15 EDT
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.