Description of problem:
selinux-policy-targeted-3.10.0 is missing correct fcontext for /dev

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-75
selinux-policy-targeted-3.10.0

How reproducible:
Anytime postfix logs to /dev/log

Steps to Reproduce:
1. Install postfix with chroot enabled
2. Create /var/spool/postfix/dev/log socket via rsyslog config
3. Enable selinux
4. Attempt any postfix functions that require syslog

Additional info:
Present in /etc/selinux/targeted/contexts/files/file_contexts
    /dev/log -s system_u:object_r:devlog_t:s0
Missing in /etc/selinux/targeted/contexts/files/file_contexts.subs
    /var/spool/postfix/dev /dev
This needs to be fixed in the policy.

commit 8683310d35496b28051affa3ea55b87df4709da3
Author: Miroslav Grepl <mgrepl>
Date: Mon Mar 5 12:08:34 2012 +0000

    Add labeling for /var/spool/postfix/dev/log
    * support postfix chroot
selinux-policy-3.10.0-80.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-80.fc16
Tried the new policy. A few problems.

1) rsyslog doesn't appear to create the log file with the correct context:
    # ls -lZ /var/spool/postfix/dev:
    srw-rw-rw-. root root system_u:object_r:var_log_t:s0 log
This appears to be related to these entries in /etc/selinux/targeted/contexts/files/file_contexts:
    /var/spool/postfix/dev -d system_u:object_r:var_log_t:s0
    /var/spool/postfix/dev/log -s system_u:object_r:devlog_t:s0
If, after starting rsyslog, I run restorecon on /var/spool/postfix/dev, the log file is marked devlog_t as expected. If I mark /var/spool/postfix/dev as device_t, and restart rsyslog, dev/log is created as devlog_t as expected. Is there a reason why the /var/spool/postfix/dev directory wasn't marked as device_t?

2) because /var/spool/postfix/dev is var_log_t, I need to add rules to give rsyslog the ability to create sockets in that directory type (not required if it's device_t, and probably not a good thing to require):
    allow syslogd_t var_log_t:sock_file { create setattr unlink };

3) Regardless of (2), I also need to add the following so that rsyslog can find the /var/spool/postfix/dev directory:
    allow syslogd_t postfix_spool_t:dir search;
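Added example, not part of the original comment or of the selinux-policy project: a small Python model of why the socket in the comment above is var_log_t when rsyslog creates it but devlog_t after restorecon. The type_transition rule and all function names are assumptions for illustration; the two file_contexts entries are the ones quoted above.

```python
import re

# Constructed input: the two file_contexts entries quoted above (policy -80).
FILE_CONTEXTS_80 = """\
/var/spool/postfix/dev      -d  system_u:object_r:var_log_t:s0
/var/spool/postfix/dev/log  -s  system_u:object_r:devlog_t:s0
"""

# Assumption (not quoted on this page): the policy has a rule equivalent to
#   type_transition syslogd_t device_t:sock_file devlog_t;
TYPE_TRANSITIONS = {("syslogd_t", "device_t", "sock_file"): "devlog_t"}

FLAG_TO_CLASS = {"-d": "dir", "-s": "sock_file", "--": "file"}


def parse_file_contexts(text):
    """Parse 'regex flag context' lines into (compiled regex, class, type)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[1] in FLAG_TO_CLASS:
            regex, flag, context = fields
            selinux_type = context.split(":")[2]
            entries.append((re.compile(regex), FLAG_TO_CLASS[flag], selinux_type))
    return entries


def restorecon_type(entries, path, obj_class):
    """Type a relabel applies: looked up by path regex and object class.
    Simplified: real matching also ranks overlapping regexes by specificity."""
    for regex, cls, selinux_type in entries:
        if cls == obj_class and regex.fullmatch(path):
            return selinux_type
    return None


def creation_type(domain, parent_dir_type, obj_class):
    """Type assigned when the object is created: a matching type_transition
    rule if one exists, otherwise the parent directory's type is inherited.
    The kernel does not consult file_contexts here."""
    return TYPE_TRANSITIONS.get((domain, parent_dir_type, obj_class), parent_dir_type)


if __name__ == "__main__":
    entries = parse_file_contexts(FILE_CONTEXTS_80)
    sock = "/var/spool/postfix/dev/log"
    dir_type = restorecon_type(entries, "/var/spool/postfix/dev", "dir")
    print("created by rsyslog:", creation_type("syslogd_t", dir_type, "sock_file"))
    print("after restorecon:  ", restorecon_type(entries, sock, "sock_file"))
    print("with device_t dir: ", creation_type("syslogd_t", "device_t", "sock_file"))
```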
No, this is a copy/paste issue. I need to fix it.
Package selinux-policy-3.10.0-80.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-80.fc16'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-80.fc16
then log in and leave karma (feedback).
The package listed above is still the same package referenced in comment #2, which has the problems listed in comment #3. I don't want to ruin the karma of the release with a down-vote, but it clearly doesn't fix this bug...
Yes, it does not.
selinux-policy-3.10.0-80.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Not sure why this was closed; as mentioned above, the bug is NOT fixed in 3.10.0-80.
I did not remove it from the update in bodhi.
Any update on this bug?
commit 41088c95d3a99d6e85fcd77ce250ebfdfe4ae9c4
Author: Miroslav Grepl <mgrepl>
Date: Mon Apr 16 10:32:24 2012 +0000

    Allow syslogd to search postfix spool to support postfix with chroot enabled

commit 642f67bc0b272dd2d56fcf7c40bea8f1fc866f5b
Author: Miroslav Grepl <mgrepl>
Date: Mon Apr 16 10:30:02 2012 +0000

    Fix labeling for /var/spool/postfix/dev

----
This is going to be fixed in selinux-policy-3.10.0-84.fc16.
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16
selinux-policy-3.10.0-84.fc16 fixes the problem. Postfix and rsyslog both work as expected. Thanks!
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.