Bug 985452 - SELinux AVC denials for deferred messages in Postfix after restoring default context
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
Michal Trunecka
Reported: 2013-07-17 10:05 EDT by Jakub Hradil
Modified: 2014-09-30 19:35 EDT (History)

See Also:
Fixed In Version: selinux-policy-3.7.19-210.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-11-21 05:45:50 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Jakub Hradil 2013-07-17 10:05:55 EDT
Description of problem:
After running restorecon -R on /var/spool/postfix/deferred (the type is changed from postfix_spool_t to postfix_spool_maildrop_t), messages in this queue cannot be sent anymore due to AVC denials.

Version-Release number of selected component (if applicable):
postfix: 2.6.6-2.2.el6_1
selinux-policy: 3.7.19-195.el6_4.12

Steps to Reproduce:
1. iptables -I OUTPUT -p tcp --dport 25 -j REJECT # or similar

2. Send e-mail via local postfix installation to remote destination

3. Check context of the message in deferred directory
ls -Z /var/spool/postfix/deferred/E/
-rwx------. postfix postfix system_u:object_r:postfix_spool_t:s0 EAAC273

4. Restore default context for /var/spool/postfix/deferred/
restorecon -R -v /var/spool/postfix/deferred/
restorecon reset /var/spool/postfix/deferred/E/EAAC273 context system_u:object_r:postfix_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
ls -Z /var/spool/postfix/deferred/E/
-rwx------. postfix postfix system_u:object_r:postfix_spool_maildrop_t:s0 EAAC273

5. Remove previously set iptables rule

6. postqueue -f

7. See AVC denied in /var/log/audit/audit.log
seaudit-report /var/log/audit/audit.log
Jul 17 14:41:31 (null) (null): audit(1374064891.485:80591): avc: denied { getattr } for pid=13348 comm=smtp path="/var/spool/postfix/active/EAAC273" ino=115 dev=dm-5 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file 
Jul 17 14:41:31 (null) (null): audit(1374064891.485:80592): avc: denied { read write } for pid=13348 comm=smtp name=EAAC273 ino=115 dev=dm-5 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file 

Actual results:
Messages are stuck in deferred queue, AVC denials are logged.

Expected results:
Messages sent with no AVC denials.

Additional info:
matchpathcon /var/spool/postfix/deferred/E/EAAC273
/var/spool/postfix/deferred/E/EAAC273	system_u:object_r:postfix_spool_maildrop_t:s0

This issue was discussed/mentioned at http://oss.tresys.com/pipermail/refpolicy/2012-November/006039.html and in bug 769819, comment 5.

I also noticed that system_u:object_r:postfix_spool_maildrop_t:s0 as the default context for /var/spool/postfix/deferred directory does not come from serefpolicy, but is added in policy-F13.patch. Don't know why it was added there.
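A small detection helper, added here as an example and not part of this bug report or of the selinux-policy project, that parses AVC lines in the seaudit-report format quoted above and flags denials where a postfix_* domain is refused access to a queue file labelled postfix_spool_maildrop_t, which is the mislabel this bug describes. The sample log lines are constructed (the third one, a denial on an etc_t file, is there only to show the filter ignoring unrelated denials).

```python
import re

# Constructed sample in the seaudit-report line format quoted in the bug.
SAMPLE_LOG = """\
Jul 17 14:41:31 (null) (null): audit(1374064891.485:80591): avc: denied { getattr } for pid=13348 comm=smtp path="/var/spool/postfix/active/EAAC273" ino=115 dev=dm-5 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
Jul 17 14:41:31 (null) (null): audit(1374064891.485:80592): avc: denied { read write } for pid=13348 comm=smtp name=EAAC273 ino=115 dev=dm-5 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
Jul 17 14:42:00 (null) (null): audit(1374064920.100:80600): avc: denied { read } for pid=13350 comm=smtp name=hosts ino=201 dev=dm-1 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def selinux_type(context):
    """Return the type component (user:role:TYPE:level) of a security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def find_spool_label_denials(lines, target_type="postfix_spool_maildrop_t"):
    """Return (pid, comm, source type, object, perms) for every file denial in
    which a postfix_* domain was refused access to an object of target_type."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") != "file":
            continue
        src = selinux_type(rec.get("scontext", ""))
        tgt = selinux_type(rec.get("tcontext", ""))
        if src.startswith("postfix_") and tgt == target_type:
            obj = rec.get("path") or rec.get("name", "?")
            hits.append((rec.get("pid"), rec.get("comm"), src, obj, rec["perms"]))
    return hits


if __name__ == "__main__":
    for hit in find_spool_label_denials(SAMPLE_LOG.splitlines()):
        print(hit)
```

Feed it the output of `seaudit-report /var/log/audit/audit.log` (or `ausearch -m avc`) on an affected host; an empty result after updating to the fixed policy confirms the queue is draining without denials.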
Comment 2 Miroslav Grepl 2013-07-22 09:04:10 EDT
We allow it in Fedora.

#============= postfix_smtp_t ==============

#!!!! This avc is allowed in the current policy
allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr };
Comment 5 errata-xmlrpc 2013-11-21 05:45:50 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

