Hello,
I'm trying out SELinux on Fedora 8 in permissive mode. I get AVCs every time postfix delivers mail to the maildir directories. It looks like postfix doesn't have permission to create files. For example,
from /var/log/messages:
SELinux is preventing local (postfix_local_t) "link" to ./1208923427.P3686.myhost (mail_spool_t)
from /var/log/audit/audit.log:
type=AVC msg=audit(1208923427.350:95): avc: denied { link } for pid=3686 comm="local" name="1208923427.P3686.myhost" dev=dm-3 ino=819271 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1208923427.350:95): arch=c000003e syscall=86 success=yes exit=0 a0=2aaaaad599c0 a1=2aaaaad59ba0 a2=0 a3=0 items=0 ppid=2371 pid=3686 auid=4294967295 uid=0 gid=0 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=0 fsgid=1000 tty=(none) comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null)
Is my interpretation correct? If so, is it likely that this could be corrected in a future policy version?
Thank you for your help
On Wednesday 23 April 2008 05:59, freeslkr wrote:
Try 'sealert -b' and find the message relating to this. It will give you a command to run to tell SELinux that you need this.
Anne
Anne Wilson <cannewilson <at> googlemail.com> writes:
Try 'sealert -b' and find the message relating to this. It will give you a command to run to tell SELinux that you need this.
Anne
This yields:
Summary
SELinux is preventing local (postfix_local_t) "link" to ./1208923427.P3686.myhost (mail_spool_t).
Detailed Description
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
SELinux denied access requested by local. It is not expected that this access is required by local and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./1208923427.P3686.myhost,
restorecon -v './1208923427.P3686.myhost'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.
Additional Information
Source Context: system_u:system_r:postfix_local_t:s0
Target Context: system_u:object_r:mail_spool_t:s0
Target Objects: ./1208923427.P3686.myhost [ file ]
Source: local
Source Path: /usr/libexec/postfix/local
Port: <Unknown>
Host: myhost
Source RPM Packages: postfix-2.4.5-2.fc8
Target RPM Packages:
Policy RPM: selinux-policy-3.0.8-95.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: catchall_file
Host Name: myhost
Platform: Linux myhost 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64
Alert Count: 1
First Seen: Tue 22 Apr 2008 10:03:47 PM MDT
Last Seen: Tue 22 Apr 2008 10:03:47 PM MDT
Local ID: fb3bbd5f-23c2-40f2-a656-f02a0ce7fab7
Line Numbers:
Furthermore, `grep postfix audit.log | audit2allow` gives
#============= postfix_local_t ==============
allow postfix_local_t mail_spool_t:file link;
On Thursday 24 April 2008 06:17:44 freeslkr wrote:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./1208923427.P3686.myhost, restorecon -v './1208923427.P3686.myhost'
That looks as though it is a message address? If so, I'd try "restorecon -v 'yourMailDirectory'". Usually it's enough to just copy the restorecon and paste it into a root terminal. Maybe someone with more SELinux skill will tell you a better solution than mine, but I think it would be OK.
Anne
freeslkr <freeslkr.wl6x <at> mailnull.com> writes:
I'll first note that reverting to mbox files in /var/spool/mail works just fine.
Blundering along here ...
file:///usr/share/doc/selinux-policy-3.0.8/html/services_postfix.html says
allow_postfix_local_write_mail_spool
Default value: false
Description: Allow postfix_local domain full write access to mail_spool directories
This sounds like what I need. But, it seems that it's already set.
$ getsebool allow_postfix_local_write_mail_spool
allow_postfix_local_write_mail_spool --> on
$ cd /var/spool
$ ls -Zd mail
drwxrwxr-x root mail system_u:object_r:mail_spool_t:s0 mail
$ ls -Zd mail/*
drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX
$ ls -Zd mail/*/*
drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX/cur
drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX/new
drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX/tmp
$ ls -Z mail/*/*/new
-rw------- XXXX XXXX system_u:object_r:mail_spool_t:s0 1209227463.Vfd03Ic8046M24695.myhost
To me, it _looks_ like postfix should be able to create new files in /var/spool/mail/*/*, but this is being denied.
In the selinux-policy source rpm, there are three files that seem to be related to postfix: postfix.{fc,if,te}. Obviously, I don't understand how all of this works, but there are no direct references to mail_spool_t or /var/spool/mail or /var/mail in these files.
/var/spool/postfix has type postfix_spool_t, so naively I try
$ chcon --recursive --type postfix_spool_t /var/spool/mail
but that causes numerous AVC denied messages.
Using audit2allow:
$ grep -e postfix -e mail /var/log/audit/audit.log | audit2allow
#============= postfix_local_t ==============
allow postfix_local_t mail_spool_t:file link;
Now, if I can just figure out what to do with this .... Thanks to anyone that shares some insight here.
freeslkr wrote:
# grep -e postfix -e mail /var/log/audit/audit.log | audit2allow -m mypostfix
# semodule -i mypostfix.pp
Will update your policy with this.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
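The two audit records quoted in the thread, run through an added Python parser that reproduces what the audit2allow step above does with them. This is example code written for this note, not part of the thread and not the audit2allow tool itself. It groups AVC and SYSCALL records by audit event id, flags denials whose syscall still returned success=yes (the permissive-mode signature in freeslkr's log: the link would have been blocked in enforcing mode), merges denied permissions per source type, target type and object class into allow rules, and wraps them in the .te skeleton that audit2allow -M writes before checkmodule and semodule_package turn it into the .pp that semodule -i loads. The third audit line (EXTRA_AVC_LINE) is constructed, not from the thread, purely to show how permissions on one source/target pair are merged; the function names are mine.

```python
"""Parse SELinux AVC/SYSCALL audit records and derive the allow rules that
the audit2allow pipeline would emit for them (added example, not audit2allow)."""
import re
from collections import defaultdict

# The two audit records quoted in the thread (SYSCALL line shortened to the
# fields this script reads).
THREAD_AUDIT_LINES = """\
type=AVC msg=audit(1208923427.350:95): avc: denied { link } for pid=3686 comm="local" name="1208923427.P3686.myhost" dev=dm-3 ino=819271 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1208923427.350:95): arch=c000003e syscall=86 success=yes exit=0 pid=3686 comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0
"""

# Constructed, NOT from the thread: a second denial on the same source/target
# pair, used only to show how permissions are merged into a single rule.
EXTRA_AVC_LINE = (
    'type=AVC msg=audit(1208923430.100:96): avc: denied { unlink } for pid=3686 '
    'comm="local" name="1208923427.P3686.myhost" dev=dm-3 ino=819271 '
    'scontext=system_u:system_r:postfix_local_t:s0 '
    'tcontext=system_u:object_r:mail_spool_t:s0 tclass=file\n'
)

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc: +(?P<verdict>denied|granted) +'
    r'\{ (?P<perms>[^}]+)\} for .*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<event>[\d.]+:\d+)\):.*? success=(?P<success>yes|no)'
)


def type_of(context):
    """Return the type field of a context such as system_u:object_r:mail_spool_t:s0."""
    return context.split(":")[2]


def parse_audit_log(text):
    """Group AVC and SYSCALL records by audit event id (the 'timestamp:serial' key)."""
    events = defaultdict(lambda: {"avcs": [], "syscall": None})
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = set(rec["perms"].split())
            events[rec["event"]]["avcs"].append(rec)
            continue
        m = SYSCALL_RE.search(line)
        if m:
            events[m.group("event")]["syscall"] = m.group("success") == "yes"
    return dict(events)


def permissive_denials(events):
    """Event ids where an AVC was denied yet the syscall succeeded: this is what
    permissive mode logs, and exactly what enforcing mode would block."""
    hits = {eid for eid, ev in events.items()
            if ev["syscall"] is True and any(a["verdict"] == "denied" for a in ev["avcs"])}
    return sorted(hits)


def allow_rules(events):
    """Merge denied permissions per (source type, target type, class) and render
    them as the allow rules audit2allow prints."""
    merged = defaultdict(set)
    for ev in events.values():
        for avc in ev["avcs"]:
            if avc["verdict"] != "denied":
                continue
            key = (type_of(avc["scontext"]), type_of(avc["tcontext"]), avc["tclass"])
            merged[key] |= avc["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ %s }" % perm_text
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_text))
    return rules


def module_source(name, rules):
    """Wrap rules in the .te skeleton 'audit2allow -M name' generates: a module
    header plus a require block declaring every type and class the rules use."""
    types, classes = set(), defaultdict(set)
    for rule in rules:
        src, tgt, cls, perms = re.match(r"allow (\S+) (\S+):(\S+) (.+);", rule).groups()
        types.update((src, tgt))
        classes[cls].update(perms.strip("{} ").split())
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["\ttype %s;" % t for t in sorted(types)]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    lines += ["}", ""] + rules
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    evs = parse_audit_log(THREAD_AUDIT_LINES + EXTRA_AVC_LINE)
    print("would be enforced:", permissive_denials(evs))
    print(module_source("mypostfix", allow_rules(evs)))
```

Run on the thread's two lines alone the script yields exactly the rule freeslkr got from audit2allow, `allow postfix_local_t mail_spool_t:file link;`; with the constructed extra line it collapses both denials into `{ link unlink }`. The permissive check is the detail worth keeping from the SYSCALL record: `success=yes` next to `avc: denied` is how you tell, from the log alone, that the box was in permissive mode when the event was recorded.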
freeslkr wrote:
Also I believe this is fixed in selinux-policy-3.0.8-108