Old 04-23-2008, 04:59 AM
freeslkr
 
Default postfix with maildir delivery

Hello,

I'm trying out SELinux on Fedora 8 in permissive mode. I get AVCs
every time postfix delivers mail to the maildir directories. It looks
like postfix doesn't have permission to create files. For example,

from /var/log/messages:

SELinux is preventing local (postfix_local_t) "link" to
./1208923427.P3686.myhost (mail_spool_t)

from /var/log/audit/audit.log:

type=AVC msg=audit(1208923427.350:95): avc: denied { link } for
pid=3686 comm="local" name="1208923427.P3686.myhost" dev=dm-3
ino=819271 scontext=system_u:system_r:postfix_local_t:s0
tcontext=system_u:object_r:mail_spool_t:s0 tclass=file

type=SYSCALL msg=audit(1208923427.350:95): arch=c000003e
syscall=86 success=yes exit=0 a0=2aaaaad599c0 a1=2aaaaad59ba0
a2=0 a3=0 items=0 ppid=2371 pid=3686 auid=4294967295 uid=0 gid=0
euid=1000 suid=0 fsuid=1000 egid=1000 sgid=0 fsgid=1000 tty=(none)
comm="local" exe="/usr/libexec/postfix/local"
subj=system_u:system_r:postfix_local_t:s0 key=(null)

Is my interpretation correct? If so, is it likely that this could be
corrected in a future policy version?

Thank you for your help

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 04-23-2008, 05:33 PM
Anne Wilson
 
Default postfix with maildir delivery

On Wednesday 23 April 2008 05:59, freeslkr wrote:
> Hello,
>
> I'm trying out SELinux on Fedora 8 in permissive mode. I get AVCs
> every time postfix delivers mail to the maildir directories. It looks
> like postfix doesn't have permission to create files. For example,
>
> from /var/log/messages:
>
> SELinux is preventing local (postfix_local_t) "link" to
> ./1208923427.P3686.myhost (mail_spool_t)
>
> from /var/log/audit/audit.log:
>
> type=AVC msg=audit(1208923427.350:95): avc: denied { link } for
> pid=3686 comm="local" name="1208923427.P3686.myhost" dev=dm-3
> ino=819271 scontext=system_u:system_r:postfix_local_t:s0
> tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
>
> type=SYSCALL msg=audit(1208923427.350:95): arch=c000003e
> syscall=86 success=yes exit=0 a0=2aaaaad599c0 a1=2aaaaad59ba0
> a2=0 a3=0 items=0 ppid=2371 pid=3686 auid=4294967295 uid=0 gid=0
> euid=1000 suid=0 fsuid=1000 egid=1000 sgid=0 fsgid=1000 tty=(none)
> comm="local" exe="/usr/libexec/postfix/local"
> subj=system_u:system_r:postfix_local_t:s0 key=(null)
>
> Is my interpretation correct? If so, is it likely that this could be
> corrected in a future policy version?
>
Try 'sealert -b' and find the message relating to this. It will give you a
command to run, to tell selinux that you need this.

Anne

 
Old 04-24-2008, 05:17 AM
freeslkr
 
Default postfix with maildir delivery

Anne Wilson <cannewilson <at> googlemail.com> writes:

> On Wednesday 23 April 2008 05:59, freeslkr wrote:
> > Hello,
> >
> > I'm trying out SELinux on Fedora 8 in permissive mode. I get AVCs
> > every time postfix delivers mail to the maildir directories. It looks
> > like postfix doesn't have permission to create files. For example,
> >
> > from /var/log/messages:
> >
> > SELinux is preventing local (postfix_local_t) "link" to
> > ./1208923427.P3686.myhost (mail_spool_t)
> >
> > from /var/log/audit/audit.log:
> >
> > type=AVC msg=audit(1208923427.350:95): avc: denied { link } for
> > pid=3686 comm="local" name="1208923427.P3686.myhost" dev=dm-3
> > ino=819271 scontext=system_u:system_r:postfix_local_t:s0
> > tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
> >
> > type=SYSCALL msg=audit(1208923427.350:95): arch=c000003e
> > syscall=86 success=yes exit=0 a0=2aaaaad599c0 a1=2aaaaad59ba0
> > a2=0 a3=0 items=0 ppid=2371 pid=3686 auid=4294967295 uid=0 gid=0
> > euid=1000 suid=0 fsuid=1000 egid=1000 sgid=0 fsgid=1000 tty=(none)
> > comm="local" exe="/usr/libexec/postfix/local"
> > subj=system_u:system_r:postfix_local_t:s0 key=(null)
> >
> > Is my interpretation correct? If so, is it likely that this could be
> > corrected in a future policy version?
> >
> Try 'sealert -b' and find the message relating to this. It will give you a
> command to run, to tell selinux that you need this.
>
> Anne

This yields:

Summary

SELinux is preventing local (postfix_local_t) "link" to
./1208923427.P3686.myhost (mail_spool_t).

Detailed Description

[SELinux is in permissive mode, the operation would have been
denied but was permitted due to permissive mode.]

SELinux denied access requested by local. It is not expected that this
access is required by local and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the application is causing it to require additional access.

Allowing Access

Sometimes labeling problems can cause SELinux denials. You could try
to restore the default system file context for ./1208923427.P3686.myhost,
restorecon -v './1208923427.P3686.myhost' If this does not work, there
is currently no automatic way to allow this access. Instead, you can
generate a local policy module to allow this access - see FAQ Or you
can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a bug report against this
package.

Additional Information

Source Context: system_u:system_r:postfix_local_t:s0
Target Context: system_u:object_r:mail_spool_t:s0
Target Objects: ./1208923427.P3686.myhost [ file ]
Source: local
Source Path: /usr/libexec/postfix/local
Port: <Unknown>
Host: myhost
Source RPM Packages: postfix-2.4.5-2.fc8
Target RPM Packages:
Policy RPM: selinux-policy-3.0.8-95.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: catchall_file
Host Name: myhost
Platform: Linux myhost 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64
Alert Count: 1
First Seen: Tue 22 Apr 2008 10:03:47 PM MDT
Last Seen: Tue 22 Apr 2008 10:03:47 PM MDT
Local ID: fb3bbd5f-23c2-40f2-a656-f02a0ce7fab7
Line Numbers:

Furthermore, `grep postfix audit.log | audit2allow` gives

#============= postfix_local_t ==============
allow postfix_local_t mail_spool_t:file link;


 
Old 04-24-2008, 07:59 AM
Anne Wilson
 
Default postfix with maildir delivery

On Thursday 24 April 2008 06:17:44 freeslkr wrote:
> Sometimes labeling problems can cause SELinux denials. You could try
> * to restore the default system file context for ./1208923427.P3686.myhost,
> * restorecon -v './1208923427.P3686.myhost'

That looks as though it is a message address? If so, I'd
try "restorecon -v 'yourMailDirectory'". Usually it's enough to just copy the
restorecon and paste it into a root terminal. Maybe someone with more
selinux skill will tell you a better solution than mine, but I think it would
be OK.

Anne
 
Old 04-27-2008, 04:19 AM
freeslkr
 
Default postfix with maildir delivery

freeslkr <freeslkr.wl6x <at> mailnull.com> writes:

> Hello,
>
> I'm trying out SELinux on Fedora 8 in permissive mode. I get AVCs
> every time postfix delivers mail to the maildir directories. It looks
> like postfix doesn't have permission to create files. For example,
>
> from /var/log/messages:
>
> SELinux is preventing local (postfix_local_t) "link" to
> ./1208923427.P3686.myhost (mail_spool_t)
>
> from /var/log/audit/audit.log:
>
> type=AVC msg=audit(1208923427.350:95): avc: denied { link } for
> pid=3686 comm="local" name="1208923427.P3686.myhost" dev=dm-3
> ino=819271 scontext=system_u:system_r:postfix_local_t:s0
> tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
>
> type=SYSCALL msg=audit(1208923427.350:95): arch=c000003e
> syscall=86 success=yes exit=0 a0=2aaaaad599c0 a1=2aaaaad59ba0
> a2=0 a3=0 items=0 ppid=2371 pid=3686 auid=4294967295 uid=0 gid=0
> euid=1000 suid=0 fsuid=1000 egid=1000 sgid=0 fsgid=1000 tty=(none)
> comm="local" exe="/usr/libexec/postfix/local"
> subj=system_u:system_r:postfix_local_t:s0 key=(null)
>
> Is my interpretation correct? If so, is it likely that this could be
> corrected in a future policy version?
>
> Thank you for your help

I'll first note that reverting to mbox files in /var/spool/mail works
just fine.

Blundering along here ...

file:///usr/share/doc/selinux-policy-3.0.8/html/services_postfix.html
says

allow_postfix_local_write_mail_spool
Default value: false
Description: Allow postfix_local domain full write access to mail_spool
directories

This sounds like what I need. But, it seems that it's already set.

$ getsebool allow_postfix_local_write_mail_spool
allow_postfix_local_write_mail_spool --> on

$ cd /var/spool
$ ls -Zd mail
drwxrwxr-x root mail system_u:object_r:mail_spool_t:s0 mail

$ ls -Zd mail/*
drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX

$ ls -Zd mail/*/*
drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX/cur
drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX/new
drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX/tmp

$ ls -Z mail/*/*/new
-rw------- XXXX XXXX system_u:object_r:mail_spool_t:s0
1209227463.Vfd03Ic8046M24695.myhost

To me, it _looks_ postfix should be able to create new files in
/var/spool/mail/*/*, but this is being denied.

In the selinux-policy source rpm, there are three files that seem to be
related to postfix: postfix.{fc,if,te}. Obviously, I don't understand how
all of this works, but there are no direct references to mail_spool_t or
/var/spool/mail or /var/mail in these files.

/var/spool/postfix has type postfix_spool_t, so naively I try

$ chcon --recursive --type postfix_spool_t /var/spool/mail

but that causes numerous AVC denied messages.

Using audit2allow:

$ grep -e postfix -e mail /var/log/audit/audit.log | audit2allow
#============= postfix_local_t ==============
allow postfix_local_t mail_spool_t:file link;

Now, if I can just figure out what to do with this .... Thanks to anyone
that shares some insight here.

 
Old 05-02-2008, 03:54 PM
Daniel J Walsh
 
Default postfix with maildir delivery


freeslkr wrote:
> freeslkr <freeslkr.wl6x <at> mailnull.com> writes:
>
>> Hello,
>>
>> I'm trying out SELinux on Fedora 8 in permissive mode. I get AVCs
>> every time postfix delivers mail to the maildir directories. It looks
>> like postfix doesn't have permission to create files. For example,
>>
>> from /var/log/messages:
>>
>> SELinux is preventing local (postfix_local_t) "link" to
>> ./1208923427.P3686.myhost (mail_spool_t)
>>
>> from /var/log/audit/audit.log:
>>
>> type=AVC msg=audit(1208923427.350:95): avc: denied { link } for
>> pid=3686 comm="local" name="1208923427.P3686.myhost" dev=dm-3
>> ino=819271 scontext=system_u:system_r:postfix_local_t:s0
>> tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
>>
>> type=SYSCALL msg=audit(1208923427.350:95): arch=c000003e
>> syscall=86 success=yes exit=0 a0=2aaaaad599c0 a1=2aaaaad59ba0
>> a2=0 a3=0 items=0 ppid=2371 pid=3686 auid=4294967295 uid=0 gid=0
>> euid=1000 suid=0 fsuid=1000 egid=1000 sgid=0 fsgid=1000 tty=(none)
>> comm="local" exe="/usr/libexec/postfix/local"
>> subj=system_u:system_r:postfix_local_t:s0 key=(null)
>>
>> Is my interpretation correct? If so, is it likely that this could be
>> corrected in a future policy version?
>>
>> Thank you for your help
>
> I'll first note that reverting to mbox files in /var/spool/mail works
> just fine.
>
> Blundering along here ...
>
> file:///usr/share/doc/selinux-policy-3.0.8/html/services_postfix.html
> says
>
> allow_postfix_local_write_mail_spool
> Default value: false
> Description: Allow postfix_local domain full write access to mail_spool
> directories
>
> This sounds like what I need. But, it seems that it's already set.
>
> $ getsebool allow_postfix_local_write_mail_spool
> allow_postfix_local_write_mail_spool --> on
>
> $ cd /var/spool
> $ ls -Zd mail
> drwxrwxr-x root mail system_u:object_r:mail_spool_t:s0 mail
>
> $ ls -Zd mail/*
> drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX
>
> $ ls -Zd mail/*/*
> drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX/cur
> drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX/new
> drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX/tmp
>
> $ ls -Z mail/*/*/new
> -rw------- XXXX XXXX system_u:object_r:mail_spool_t:s0
> 1209227463.Vfd03Ic8046M24695.myhost
>
> To me, it _looks_ postfix should be able to create new files in
> /var/spool/mail/*/*, but this is being denied.
>
> In the selinux-policy source rpm, there are three files that seem to be
> related to postfix: postfix.{fc,if,te}. Obviously, I don't understand how
> all of this works, but there are no direct references to mail_spool_t or
> /var/spool/mail or /var/mail in these files.
>
> /var/spool/postfix has type postfix_spool_t, so naively I try
>
> $ chcon --recursive --type postfix_spool_t /var/spool/mail
>
> but that causes numerous AVC denied messages.
>
> Using audit2allow:
>
> $ grep -e postfix -e mail /var/log/audit/audit.log | audit2allow
> #============= postfix_local_t ==============
> allow postfix_local_t mail_spool_t:file link;
>
> Now, if I can just figure out what to do with this .... Thanks to anyone
> that shares some insight here.
>
a
> $
# grep -e postfix -e mail /var/log/audit/audit.log | audit2allow -m mypostfix
# semodule -i mypostfix.pp

Will update your policy with this.


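As an added illustration of what the `audit2allow` step in the exchange above is doing (this is not code from the thread or from the audit2allow tool itself), the following parser reads the AVC and SYSCALL records freeslkr posted, joins them by audit serial number, derives the same `allow postfix_local_t mail_spool_t:file link;` rule, and reports whether the denial was only logged (permissive mode, `success=yes`) or actually blocked. The sample log is constructed from the thread, with the archive's emoticon-mangled contexts restored to `system_r:postfix_local_t` and `object_r:mail_spool_t`.

```python
import re
from collections import defaultdict

# Constructed sample: the two records from the thread, each on one line as auditd writes them.
AUDIT_LOG = """\
type=AVC msg=audit(1208923427.350:95): avc:  denied  { link } for  pid=3686 comm="local" name="1208923427.P3686.myhost" dev=dm-3 ino=819271 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1208923427.350:95): arch=c000003e syscall=86 success=yes exit=0 a0=2aaaaad599c0 a1=2aaaaad59ba0 a2=0 a3=0 items=0 ppid=2371 pid=3686 auid=4294967295 uid=0 gid=0 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=0 fsgid=1000 tty=(none) comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+)\} for .*?scontext=(?P<scon>\S+) +tcontext=(?P<tcon>\S+) +tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*?success=(?P<success>yes|no)'
)


def type_of(context):
    """'system_u:system_r:postfix_local_t:s0' -> 'postfix_local_t' (the type is the third field)."""
    return context.split(':')[2]


def parse_denials(log_text):
    """Return one dict per AVC denial, joined with its SYSCALL record by audit serial."""
    success_by_serial = {}
    denials = []
    for line in log_text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            success_by_serial[m['serial']] = m['success'] == 'yes'
            continue
        m = AVC_RE.match(line)
        if m:
            denials.append({
                'serial': m['serial'],
                'source': type_of(m['scon']),
                'target': type_of(m['tcon']),
                'tclass': m['tclass'],
                'perms': m['perms'].split(),
            })
    for d in denials:
        # Permissive mode logs the denial but lets the syscall succeed (success=yes);
        # in enforcing mode the same AVC would pair with success=no. None = no SYSCALL seen.
        d['permissive'] = success_by_serial.get(d['serial'])
    return denials


def allow_rules(denials):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    perms = defaultdict(set)
    for d in denials:
        perms[(d['source'], d['target'], d['tclass'])].update(d['perms'])
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        body = ' '.join(sorted(ps)) if len(ps) == 1 else '{ %s }' % ' '.join(sorted(ps))
        rules.append('allow %s %s:%s %s;' % (src, tgt, cls, body))
    return rules


if __name__ == '__main__':
    for d in parse_denials(AUDIT_LOG):
        print('serial %s: %s -> %s:%s %s (permissive=%s)' % (
            d['serial'], d['source'], d['target'], d['tclass'], d['perms'], d['permissive']))
    print('\n'.join(allow_rules(parse_denials(AUDIT_LOG))))
```

Reviewing the generated rule before loading it with `semodule -i` is the point of the exercise: a rule that grants more than the one permission the denial names should be narrowed by hand.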
 
Old 05-02-2008, 03:57 PM
Daniel J Walsh
 
Default postfix with maildir delivery


freeslkr wrote:
> freeslkr <freeslkr.wl6x <at> mailnull.com> writes:
>
>> Hello,
>>
>> I'm trying out SELinux on Fedora 8 in permissive mode. I get AVCs
>> every time postfix delivers mail to the maildir directories. It looks
>> like postfix doesn't have permission to create files. For example,
>>
>> from /var/log/messages:
>>
>> SELinux is preventing local (postfix_local_t) "link" to
>> ./1208923427.P3686.myhost (mail_spool_t)
>>
>> from /var/log/audit/audit.log:
>>
>> type=AVC msg=audit(1208923427.350:95): avc: denied { link } for
>> pid=3686 comm="local" name="1208923427.P3686.myhost" dev=dm-3
>> ino=819271 scontext=system_u:system_r:postfix_local_t:s0
>> tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
>>
>> type=SYSCALL msg=audit(1208923427.350:95): arch=c000003e
>> syscall=86 success=yes exit=0 a0=2aaaaad599c0 a1=2aaaaad59ba0
>> a2=0 a3=0 items=0 ppid=2371 pid=3686 auid=4294967295 uid=0 gid=0
>> euid=1000 suid=0 fsuid=1000 egid=1000 sgid=0 fsgid=1000 tty=(none)
>> comm="local" exe="/usr/libexec/postfix/local"
>> subj=system_u:system_r:postfix_local_t:s0 key=(null)
>>
>> Is my interpretation correct? If so, is it likely that this could be
>> corrected in a future policy version?
>>
>> Thank you for your help
>
> I'll first note that reverting to mbox files in /var/spool/mail works
> just fine.
>
> Blundering along here ...
>
> file:///usr/share/doc/selinux-policy-3.0.8/html/services_postfix.html
> says
>
> allow_postfix_local_write_mail_spool
> Default value: false
> Description: Allow postfix_local domain full write access to mail_spool
> directories
>
> This sounds like what I need. But, it seems that it's already set.
>
> $ getsebool allow_postfix_local_write_mail_spool
> allow_postfix_local_write_mail_spool --> on
>
> $ cd /var/spool
> $ ls -Zd mail
> drwxrwxr-x root mail system_u:object_r:mail_spool_t:s0 mail
>
> $ ls -Zd mail/*
> drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX
>
> $ ls -Zd mail/*/*
> drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX/cur
> drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX/new
> drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX/tmp
>
> $ ls -Z mail/*/*/new
> -rw------- XXXX XXXX system_u:object_r:mail_spool_t:s0
> 1209227463.Vfd03Ic8046M24695.myhost
>
> To me, it _looks_ postfix should be able to create new files in
> /var/spool/mail/*/*, but this is being denied.
>
> In the selinux-policy source rpm, there are three files that seem to be
> related to postfix: postfix.{fc,if,te}. Obviously, I don't understand how
> all of this works, but there are no direct references to mail_spool_t or
> /var/spool/mail or /var/mail in these files.
>
> /var/spool/postfix has type postfix_spool_t, so naively I try
>
> $ chcon --recursive --type postfix_spool_t /var/spool/mail
>
> but that causes numerous AVC denied messages.
>
> Using audit2allow:
>
> $ grep -e postfix -e mail /var/log/audit/audit.log | audit2allow
> #============= postfix_local_t ==============
> allow postfix_local_t mail_spool_t:file link;
>
> Now, if I can just figure out what to do with this .... Thanks to anyone
> that shares some insight here.
>
Also, I believe this is fixed in selinux-policy-3.0.8-108.

 
Old 05-02-2008, 11:13 PM
freeslkr
 
Default postfix with maildir delivery

Daniel J Walsh <dwalsh <at> redhat.com> writes:

> # grep -e postfix -e mail /var/log/audit/audit.log | audit2allow -m mypostfix
> # semodule -i mypostfix.pp
>
> Will update your policy with this.

Thank you. This works as expected.


 
