Description of problem:
SELinux is reporting denied pipe read/write when executing sendmail.postfix

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-134

How reproducible:
Always

Steps to Reproduce:
1. Setup postfix mailbox_command=/usr/libexec/dovecot/dovecot-lda
2. Setup a .forward (or sieve command) so dovecot-lda calls /usr/sbin/sendmail (which is really sendmail.postfix)
3. When sendmail.postfix is started, it causes AVC denials for fifo_file { read write }

Actual results:
Audit messages are created:

type=AVC msg=audit(1342048249.782:73306): avc: denied { write } for pid=8356 comm="sendmail" path="pipe:[815212]" dev="pipefs" ino=815212 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=AVC msg=audit(1342048249.782:73306): avc: denied { read } for pid=8356 comm="sendmail" path="pipe:[815212]" dev="pipefs" ino=815212 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=AVC msg=audit(1342048249.782:73306): avc: denied { write } for pid=8356 comm="sendmail" path="pipe:[815215]" dev="pipefs" ino=815215 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=AVC msg=audit(1342048249.782:73306): avc: denied { write } for pid=8356 comm="sendmail" path="pipe:[815215]" dev="pipefs" ino=815215 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file

Expected results:
No denials are logged.

Additional info:
Running strace -f on postfix's master process, it doesn't appear that sendmail.postfix actually reads or writes directly to the pipe.
I'm not sure if the pipe:[815212] inos actually correspond to the entries I see in the strace output, but if they do, these are probably just pipes leaking through from the parent [815215] and grandparent [815212] processes, and are probably not intended to remain open (i.e. leaks). Since sendmail.postfix appears to function as intended without the permissions, it's probably ok to just "dontaudit" the denials, e.g.:

dontaudit sendmail_t postfix_local_t:fifo_file { write read };
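The dontaudit rule proposed in the comment above is exactly what audit2allow derives from the AVC records. The script below is an added example for this thread, not code from the bug report or from the selinux-policy package: it parses AVC lines, groups them by (source type, target type, object class), merges the denied permissions, and renders either dontaudit or allow rules together with a loadable .te module skeleton. The sample audit text is constructed for the example from the contexts quoted in this bug; the pids, inodes and module name are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records of the kind quoted in this bug
# (contexts and class taken from the bug, pids/inodes illustrative),
# plus one SYSCALL record that must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1343412672.784:91): avc: denied { write } for pid=2031 comm="sendmail" path="pipe:[20651]" dev="pipefs" ino=20651 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=AVC msg=audit(1343412672.784:91): avc: denied { read } for pid=2031 comm="sendmail" path="pipe:[20651]" dev="pipefs" ino=20651 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=AVC msg=audit(1343412672.784:92): avc: denied { write } for pid=2031 comm="sendmail" path="pipe:[20655]" dev="pipefs" ino=20655 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1343412672.784:91): arch=c000003e syscall=59 success=yes exit=0
"""

# Permission set, source/target context and object class of one AVC record.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type:level security context."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Aggregate AVC denials into {(source_type, target_type, tclass): set(perms)}."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no denial
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def policy_rules(denials, verb="dontaudit"):
    """Render one rule per (source, target, class); perms sorted for stable output."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        rules.append(f"{verb} {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def policy_module(name, denials, verb="dontaudit"):
    """Build a .te module: require block for every type and class, then the rules."""
    types = sorted({t for key in denials for t in key[:2]})
    classes = {}
    for (_, _, cls), perms in denials.items():
        classes.setdefault(cls, set()).update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + policy_rules(denials, verb)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Module name is a placeholder chosen for this example.
    print(policy_module("sendmail_fifo_local", parse_denials(SAMPLE_AUDIT)))
```

The .te text this produces is built and loaded with the standard SELinux tooling (checkmodule -M -m -o local.mod local.te, semodule_package -o local.pp -m local.mod, semodule -i local.pp), which is the same path audit2allow -M takes; audit2allow -D emits dontaudit rules directly. Keep in mind that a dontaudit rule only silences the log entry, so it is the right tool when, as here, the access is a leaked inherited descriptor that the program does not need; when the program does need the access, an allow rule (verb="allow") is the fix, which is what the policy maintainers did later in this thread.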
Added +allow mailserver_delivery mailserver_delivery:fifo_file rw_inherited_fifo_file_ to Rawhide to allow all mail apps to use inherited fifo files.
Added to F17.
Tested with selinux-policy-3.10.0-140:

type=AVC msg=audit(1343362745.333:30288): avc: denied { write } for pid=1841 comm="sendmail" path="pipe:[1271669]" dev="pipefs" ino=1271669 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file

... still logged.
Try the latest build from koji: http://koji.fedoraproject.org/koji/buildinfo?buildID=343797
selinux-policy-3.10.0-142.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-142.fc17
Installed and tried selinux-policy-3.10.0-142, but still getting the same denial -- audit2why -b:

type=AVC msg=audit(1343412672.784:91): avc: denied { write } for pid=2031 comm="sendmail" path="pipe:[20651]" dev="pipefs" ino=20651 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
type=AVC msg=audit(1343412672.784:91): avc: denied { read } for pid=2031 comm="sendmail" path="pipe:[20651]" dev="pipefs" ino=20651 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=fifo_file
Package selinux-policy-3.10.0-142.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-142.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-11215/selinux-policy-3.10.0-142.fc17
then log in and leave karma (feedback).
Ah, you are right. I found a bug.
Fixed in selinux-policy-3.10.0-143
selinux-policy-3.10.0-142.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Re-opening since -142 did not include the fix
(In reply to comment #9)
> Fixed in selinux-policy-3.10.0-143
Yes, but -143 seems to have a build error related to spamassassin... might want to investigate that.
Fixed.
Installed -143, still exactly the same errors logged (ref comment #6).
Ah, I meant fixed in -144 which is now built.
selinux-policy-3.10.0-145.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-145.fc17
Funny, -145 still hasn't shown up in the updates-testing cache (yum reports using mirror.web-ster.com) -- even if I nuke the cache, the package file is still dated Aug 5th... are the mirrors having problems?
Package selinux-policy-3.10.0-145.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-145.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-11591/selinux-policy-3.10.0-145.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-145.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Finally had a chance to test this, and yes, it's fixed in -145 :)