Looks like this is allowed in rhel6.5 policy.

You could try selinux-policy-3.7.19-235.el6 on people.redhat.com/dwalsh/SELinux/RHEL6

On 04/23/2014 01:51 PM, James B. Byrne wrote:
> Installed Packages
> Name : postfix
> Arch : x86_64
> Epoch : 2
> Version : 2.6.6
> Release : 6.el6_5
> Size : 9.7 M
> Repo : installed
> From repo : updates
>
> I am seeing several of these in our maillog file after a restart of the
> Postfix service:
>
> Apr 23 12:48:27 inet08 setroubleshoot: SELinux is preventing
> /usr/libexec/postfix/smtp from 'read, write' accesses on the file 546AA6099F.
> For complete SELinux messages. run sealert -l
> b95663bb-12ce-4f34-9537-dd88a41359e5
>
> sealert -l b95663bb-12ce-4f34-9537-dd88a41359e5
> SELinux is preventing /usr/libexec/postfix/smtp from 'read, write' accesses on
> the file 546AA6099F.
>
> ***** Plugin catchall (100. confidence) suggests ***************************
>
> If you believe that smtp should be allowed read write access on the 546AA6099F
> file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep smtp /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> grep 546AA6099F /var/log/audit/audit.log | audit2why
>
>
> type=AVC msg=audit(1398199187.646:29332): avc: denied { getattr } for
> pid=23387 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
>     Was caused by:
>         Missing type enforcement (TE) allow rule.
>
>         You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398271701.024:33555): avc: denied { getattr } for
> pid=31449 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
>     Was caused by:
>         Missing type enforcement (TE) allow rule.
>
>         You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398271701.025:33556): avc: denied { read write } for
> pid=31449 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
>     Was caused by:
>         Missing type enforcement (TE) allow rule.
>
>         You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398271701.025:33556): avc: denied { open } for
> pid=31449 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
>     Was caused by:
>         Missing type enforcement (TE) allow rule.
>
>         You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398271701.025:33557): avc: denied { lock } for
> pid=31449 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
>     Was caused by:
>         Missing type enforcement (TE) allow rule.
>
>         You can use audit2allow to generate a loadable module to allow this access.
>
>
>
> Is this the result of something I may have done like restarting postfix or is
> this a real bug/error/defect/?
>
>
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
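
The denials in the quoted audit2why output differ only in timestamp, pid and permission. The following is an added example, not part of the thread and not audit2allow's own code: it collapses AVC records into the single type-enforcement rule they imply, so that rule can be compared with what an updated selinux-policy package allows. The sample records are copied from the post; the function names are this example's own.

```python
import re
from collections import defaultdict

# AVC records copied from the quoted post, with the mail client's line wraps rejoined.
SAMPLE = """\
type=AVC msg=audit(1398267592.473:33300): avc: denied { getattr } for pid=27690 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
    Was caused by:
type=AVC msg=audit(1398267592.474:33301): avc: denied { read write } for pid=27690 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1398271701.024:33555): avc: denied { getattr } for pid=31449 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1398271701.025:33556): avc: denied { read write } for pid=31449 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1398271701.025:33556): avc: denied { open } for pid=31449 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1398271701.025:33557): avc: denied { lock } for pid=31449 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(\d+)\): avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    try:
        # A context is user:role:type:level; TE rules match on the type only.
        src = fields["scontext"].split(":")[2]
        tgt = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return {"serial": int(m.group(1)), "perms": m.group(2).split(),
            "pid": fields.get("pid"), "object": fields.get("path") or fields.get("name"),
            "src": src, "tgt": tgt, "tclass": tclass}

def summarize(log_text):
    """Group denials by (source type, target type, class) and merge permissions."""
    groups = defaultdict(lambda: {"perms": set(), "records": 0, "pids": set(), "objects": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["src"], rec["tgt"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["records"] += 1
        g["pids"].add(rec["pid"])
        g["objects"].add(rec["object"])
    return dict(groups)

def te_rules(groups):
    """Render each group as the TE allow rule the denials report as missing."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    for rule in te_rules(summarize(SAMPLE)):
        print(rule)
```

The printed rule is the one to look for in the installed policy (for example with sesearch from setools) before deciding whether a local module is needed at all.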