Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 892024 - SELinux is preventing /usr/libexec/postfix/trivial-rewrite from read access on the directory /var/tmp
SELinux is preventing /usr/libexec/postfix/trivial-rewrite from read access o...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.3
x86_64 Linux
unspecified Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Michal Trunecka
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-01-04 16:16 EST by William Lovaton
Modified: 2014-09-30 19:34 EDT (History)
5 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-210.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-21 05:14:51 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1598 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-11-20 16:39:24 EST

  None (edit)
Description William Lovaton 2013-01-04 16:16:26 EST 
Description of problem:
I'm configuring a new postfix/dovecot mail system with RHEL 6.3 and I'm getting lots of this in audit.log:

type=AVC msg=audit(1357330688.836:164439): avc:  denied  { read } for  pid=30265 comm="trivial-rewrite" name="tmp" dev=dm-6 ino=32769 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1357330688.836:164439): arch=c000003e syscall=2 success=no exit=-13 a0=7f4cd2ec717c a1=0 a2=1b6 a3=0 items=0 ppid=25523 pid=30265 auid=500 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=18244 comm="trivial-rewrite" exe="/usr/libexec/postfix/trivial-rewrite" subj=unconfined_u:system_r:postfix_master_t:s0 key=(null)


Version-Release number of selected component (if applicable):
* Red Hat Enterprise Linux Server release 6.3 (Santiago)
* selinux-policy-3.7.19-154.el6.noarch
* postfix-2.6.6-2.2.el6_1.x86_64
* kernel-2.6.32-279.el6.x86_64
* glibc-2.12-1.80.el6.x86_64


This error shows every time I send mail to an account on this server and the AVCs happens 3 times per delivery.  Creating the following local policy module solves the problem:

module postfix-trivial-mypol 1.0;

require {
	type tmp_t;
	type postfix_master_t;
	class dir read;
}

allow postfix_master_t tmp_t:dir read;


Thanks a lot for your help.
Comment 2 Daniel Walsh 2013-01-06 09:01:33 EST 
This avc indicates postfix is listing the /tmp directory? Any idea why?
Comment 3 Miroslav Grepl 2013-01-07 05:38:29 EST 
Also did you need to add the local policy to make this working?
Comment 4 William Lovaton 2013-01-08 08:20:43 EST 
No, users get the messages despite de AVCs so it was working fine.  I just created the policy to shut up the error messages and to avoid the log filling up the partition.

I can send you a diff of the postfix configuration compared to the original in the RPMs if you want:

[nalwalovaton@CDPLIN11 selinux]$ rpm -V postfix
S.5....T.  c /etc/postfix/header_checks
S.5....T.  c /etc/postfix/main.cf
S.5....T.  c /etc/postfix/master.cf
S.5....T.  c /etc/postfix/transport
Comment 5 Daniel Walsh 2013-01-08 09:28:41 EST 
Any chance you are using kerberos?
Comment 6 William Lovaton 2013-01-08 09:40:09 EST 
Mmmm... I'm using SASL authentication through Dovecot and Dovecot itself authenticates against Active Directory and a custom MySQL Database.
Comment 7 Daniel Walsh 2013-01-08 10:35:12 EST 
I have no problem allowing it to list, but I am not sure what it is looking for.
Comment 8 Daniel Walsh 2013-01-08 10:35:55 EST 
Nalin would you have any idea what is going on?
Comment 9 RHEL Product and Program Management 2013-01-12 01:47:20 EST 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 13 errata-xmlrpc 2013-11-21 05:14:51 EST 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.