Bug 840093 - staff_u cannot send mail
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Unspecified Linux
medium Severity medium
Assigned To: Miroslav Grepl
Michal Trunecka
Reported: 2012-07-13 13:03 EDT by Konstantin Ryabitsev
Modified: 2014-09-30 19:33 EDT
Fixed In Version: selinux-policy-3.7.19-159.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 03:25:31 EST
Type: Bug

Attachments
AVCs generated while using "mail" as staff_u (7.71 KB, text/plain)
2012-07-13 13:05 EDT, Konstantin Ryabitsev

Description Konstantin Ryabitsev 2012-07-13 13:03:39 EDT
Looks like staff_u is not allowed to send mail on RHEL 6.3. The AVCs are only seen after "semanage dontaudit off".

It seems to want the following:

#============= postfix_postdrop_t ==============
allow postfix_postdrop_t staff_t:unix_stream_socket { read write getattr };
#============= staff_t ==============
allow staff_t postfix_postdrop_t:process { siginh rlimitinh noatsecure };
allow staff_t postfix_spool_t:dir search;

I will attach raw AVCs.
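
How a rule listing like the one in the description falls out of raw AVC records, as an added example that is not part of the bug report or its attachment: a minimal audit2allow-style grouping run over constructed sample records. The function names, the sample lines and their pid, inode and timestamp values are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (NOT the bug's attachment), shaped like audit.log lines.
SAMPLE_AVCS = """\
type=AVC msg=audit(1342198800.101:501): avc:  denied  { read write } for  pid=2101 comm="postdrop" path="socket:[18001]" dev=sockfs ino=18001 scontext=staff_u:staff_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1342198800.102:502): avc:  denied  { getattr } for  pid=2101 comm="postdrop" path="socket:[18001]" dev=sockfs ino=18001 scontext=staff_u:staff_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1342198800.100:500): avc:  denied  { siginh rlimitinh noatsecure } for  pid=2101 comm="postdrop" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:postfix_postdrop_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1342198800.099:499): avc:  denied  { search } for  pid=2100 comm="sendmail" name="postfix" dev=dm-0 ino=26001 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1342198800.099:499): arch=c000003e syscall=2 success=no exit=-13 comm="sendmail"
"""

# Only "denied" AVC records match; SYSCALL and other record types are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of user:role:type[:mls-range].

    The MLS range can itself contain ':' (s0-s0:c0.c1023), so index from the left.
    """
    return context.split(":")[2]


def denials_to_rules(log_text):
    """Merge denials sharing (source type, target type, class) into allow rules."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_AVCS)))
```

Rules derived this way are candidates to review, not a policy to load as-is: the fix confirmed in comment 4 lists two of the three rules and leaves out the `process { siginh rlimitinh noatsecure }` one.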

Comment 1 Konstantin Ryabitsev 2012-07-13 13:05:24 EDT
Created attachment 598118
AVCs generated while using "mail" as staff_u
Comment 2 Daniel Walsh 2012-07-13 13:14:13 EDT
   allow staff_t postfix_spool_type : dir { getattr search open } ; 

is in Fedora.
Comment 4 Konstantin Ryabitsev 2012-07-13 13:26:28 EDT
I can confirm that the following fixes the problem:

allow postfix_postdrop_t staff_t:unix_stream_socket { read write getattr };
allow staff_t postfix_spool_t:dir search;
Comment 5 Miroslav Grepl 2012-08-08 04:15:57 EDT
Fixed in selinux-policy-3.7.19-159.el6
Comment 8 errata-xmlrpc 2013-02-21 03:25:31 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

