Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 892024

Summary: SELinux is preventing /usr/libexec/postfix/trivial-rewrite from read access on the directory /var/tmp
Product: Red Hat Enterprise Linux 6 Reporter: William Lovaton <williama_lovaton>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Michal Trunecka <mtruneck>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.3CC: dwalsh, ebenes, mmalik, mtruneck, nalin
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-210.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-21 10:14:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description William Lovaton 2013-01-04 21:16:26 UTC 
Description of problem:
I'm configuring a new postfix/dovecot mail system with RHEL 6.3 and I'm getting lots of this in audit.log:

type=AVC msg=audit(1357330688.836:164439): avc:  denied  { read } for  pid=30265 comm="trivial-rewrite" name="tmp" dev=dm-6 ino=32769 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1357330688.836:164439): arch=c000003e syscall=2 success=no exit=-13 a0=7f4cd2ec717c a1=0 a2=1b6 a3=0 items=0 ppid=25523 pid=30265 auid=500 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=18244 comm="trivial-rewrite" exe="/usr/libexec/postfix/trivial-rewrite" subj=unconfined_u:system_r:postfix_master_t:s0 key=(null)


Version-Release number of selected component (if applicable):
* Red Hat Enterprise Linux Server release 6.3 (Santiago)
* selinux-policy-3.7.19-154.el6.noarch
* postfix-2.6.6-2.2.el6_1.x86_64
* kernel-2.6.32-279.el6.x86_64
* glibc-2.12-1.80.el6.x86_64


This error shows every time I send mail to an account on this server and the AVCs happens 3 times per delivery.  Creating the following local policy module solves the problem:

module postfix-trivial-mypol 1.0;

require {
	type tmp_t;
	type postfix_master_t;
	class dir read;
}

allow postfix_master_t tmp_t:dir read;


Thanks a lot for your help.
Comment 2 Daniel Walsh 2013-01-06 14:01:33 UTC 
This avc indicates postfix is listing the /tmp directory? Any idea why?
Comment 3 Miroslav Grepl 2013-01-07 10:38:29 UTC 
Also did you need to add the local policy to make this working?
Comment 4 William Lovaton 2013-01-08 13:20:43 UTC 
No, users get the messages despite de AVCs so it was working fine.  I just created the policy to shut up the error messages and to avoid the log filling up the partition.

I can send you a diff of the postfix configuration compared to the original in the RPMs if you want:

[nalwalovaton@CDPLIN11 selinux]$ rpm -V postfix
S.5....T.  c /etc/postfix/header_checks
S.5....T.  c /etc/postfix/main.cf
S.5....T.  c /etc/postfix/master.cf
S.5....T.  c /etc/postfix/transport
Comment 5 Daniel Walsh 2013-01-08 14:28:41 UTC 
Any chance you are using kerberos?
Comment 6 William Lovaton 2013-01-08 14:40:09 UTC 
Mmmm... I'm using SASL authentication through Dovecot and Dovecot itself authenticates against Active Directory and a custom MySQL Database.
Comment 7 Daniel Walsh 2013-01-08 15:35:12 UTC 
I have no problem allowing it to list, but I am not sure what it is looking for.
Comment 8 Daniel Walsh 2013-01-08 15:35:55 UTC 
Nalin would you have any idea what is going on?
Comment 9 RHEL Program Management 2013-01-12 06:47:20 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 13 errata-xmlrpc 2013-11-21 10:14:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html