Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 890647 - SELinux don't allow postqueue to run under sysadm_t
SELinux don't allow postqueue to run under sysadm_t
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.5
All Linux
unspecified Severity unspecified
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-12-28 08:01 EST by Filip Bartmann
Modified: 2013-11-21 05:12 EST (History)
3 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-223.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-21 05:12:07 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1598 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-11-20 16:39:24 EST

  None (edit)
Description Filip Bartmann 2012-12-28 08:01:43 EST 
Description of problem:
SELinux don't allow postqueue to run under sysadm_t


How reproducible:
Run postqueue -p with selinux in enforced mode with sysadmin_t user type.

 
Actual results:
postqueue -p
postqueue: fatal: Connect to the Postfix showq service: Permission denied

and audit2allow show:

allow sysadm_t postfix_master_t:unix_stream_socket connectto;
allow sysadm_t postfix_public_t:sock_file write;

Expected results:
Show postqueue results

Additional info:
When I add this macro:
domtrans_pattern(sysadm_t, postfix_postqueue_exec_t, postfix_postqueue_t)
then all start working fine.
Comment 2 Miroslav Grepl 2012-12-30 16:52:27 EST 
Dan added fixes to Fedora which need to be backported. Thank you for using confined users.
Comment 6 Miroslav Grepl 2013-10-15 08:58:27 EDT 
#============= sysadm_t ==============

#!!!! This avc is allowed in the current policy
allow sysadm_t postfix_master_t:unix_stream_socket connectto;
Comment 9 errata-xmlrpc 2013-11-21 05:12:07 EST 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.