Bug 892024 - SELinux is preventing /usr/libexec/postfix/trivial-rewrite from read access on the directory /var/tmp
Summary: SELinux is preventing /usr/libexec/postfix/trivial-rewrite from read access o...
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.3
Hardware: x86_64
OS: Linux
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
Depends On:
TreeView+ depends on / blocked
Reported: 2013-01-04 21:16 UTC by William Lovaton
Modified: 2014-09-30 23:34 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.7.19-210.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-11-21 10:14:51 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1598 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-11-20 21:39:24 UTC

Description William Lovaton 2013-01-04 21:16:26 UTC
Description of problem:
I'm configuring a new postfix/dovecot mail system with RHEL 6.3 and I'm getting lots of this in audit.log:

type=AVC msg=audit(1357330688.836:164439): avc:  denied  { read } for  pid=30265 comm="trivial-rewrite" name="tmp" dev=dm-6 ino=32769 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1357330688.836:164439): arch=c000003e syscall=2 success=no exit=-13 a0=7f4cd2ec717c a1=0 a2=1b6 a3=0 items=0 ppid=25523 pid=30265 auid=500 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=18244 comm="trivial-rewrite" exe="/usr/libexec/postfix/trivial-rewrite" subj=unconfined_u:system_r:postfix_master_t:s0 key=(null)

Version-Release number of selected component (if applicable):
* Red Hat Enterprise Linux Server release 6.3 (Santiago)
* selinux-policy-3.7.19-154.el6.noarch
* postfix-2.6.6-2.2.el6_1.x86_64
* kernel-2.6.32-279.el6.x86_64
* glibc-2.12-1.80.el6.x86_64

This error shows every time I send mail to an account on this server and the AVCs happens 3 times per delivery.  Creating the following local policy module solves the problem:

module postfix-trivial-mypol 1.0;

require {
	type tmp_t;
	type postfix_master_t;
	class dir read;

allow postfix_master_t tmp_t:dir read;

Thanks a lot for your help.

Comment 2 Daniel Walsh 2013-01-06 14:01:33 UTC
This avc indicates postfix is listing the /tmp directory? Any idea why?

Comment 3 Miroslav Grepl 2013-01-07 10:38:29 UTC
Also did you need to add the local policy to make this working?

Comment 4 William Lovaton 2013-01-08 13:20:43 UTC
No, users get the messages despite de AVCs so it was working fine.  I just created the policy to shut up the error messages and to avoid the log filling up the partition.

I can send you a diff of the postfix configuration compared to the original in the RPMs if you want:

[nalwalovaton@CDPLIN11 selinux]$ rpm -V postfix
S.5....T.  c /etc/postfix/header_checks
S.5....T.  c /etc/postfix/main.cf
S.5....T.  c /etc/postfix/master.cf
S.5....T.  c /etc/postfix/transport

Comment 5 Daniel Walsh 2013-01-08 14:28:41 UTC
Any chance you are using kerberos?

Comment 6 William Lovaton 2013-01-08 14:40:09 UTC
Mmmm... I'm using SASL authentication through Dovecot and Dovecot itself authenticates against Active Directory and a custom MySQL Database.

Comment 7 Daniel Walsh 2013-01-08 15:35:12 UTC
I have no problem allowing it to list, but I am not sure what it is looking for.

Comment 8 Daniel Walsh 2013-01-08 15:35:55 UTC
Nalin would you have any idea what is going on?

Comment 9 RHEL Program Management 2013-01-12 06:47:20 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 13 errata-xmlrpc 2013-11-21 10:14:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.