Description of problem: Latest SELinux update prevents postfix_qmgr_t to access postfix_spool_maildrop_t. Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. Update SELinux to version selinux-policy-strict-2.4.6-329.el5.noarch 2. Try to use postfix 3. Actual results: # scontext="root:system_r:postfix_qmgr_t:s0-s0:c0.c1023" tcontext="system_u:object_r:postfix_spool_maildrop_t:s0" # class="file" perms="getattr" # comm="qmgr" exe="" path="" # message="type=AVC msg=audit(1342608283.225:400920): avc: denied { getattr } # for pid=32317 comm="qmgr" path="/var/spool/postfix/deferred/0/05E493D8108" # dev=vda1 ino=4030728 scontext=root:system_r:postfix_qmgr_t:s0-s0:c0.c1023 # tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file" allow postfix_qmgr_t postfix_spool_maildrop_t:file { rename write getattr setattr read lock unlink }; # scontext="root:system_r:postfix_qmgr_t:s0-s0:c0.c1023" tcontext="system_u:object_r:postfix_spool_maildrop_t:s0" # class="dir" perms="search" # comm="qmgr" exe="" path="" # message="type=AVC msg=audit(1342608283.225:400919): avc: denied { search } # for pid=32317 comm="qmgr" name="deferred" dev=vda1 ino=4030751 # scontext=root:system_r:postfix_qmgr_t:s0-s0:c0.c1023 # tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir" allow postfix_qmgr_t postfix_spool_maildrop_t:dir { read remove_name search write add_name }; Expected results: No SELinux audit denials. Additional info:
Filip, thank you for testing.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
Fixed in selinux-policy-2.4.6-330.el5
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0060.html