Anne Wilson <cannewilson <at> googlemail.com> writes:

> On Wednesday 23 April 2008 05:59, freeslkr wrote:
> > Hello,
> >
> > I'm trying out SELinux on Fedora 8 in permissive mode. I get AVCs
> > every time postfix delivers mail to the maildir directories. It looks
> > like postfix doesn't have permission to create files. For example,
> >
> > from /var/log/messages:
> >
> > SELinux is preventing local (postfix_local_t) "link" to
> > ./1208923427.P3686.myhost (mail_spool_t)
> >
> > from /var/log/audit/audit.log:
> >
> > type=AVC msg=audit(1208923427.350:95): avc: denied { link } for
> > pid=3686 comm="local" name="1208923427.P3686.myhost" dev=dm-3
> > ino=819271 scontext=system_u:system_r:postfix_local_t:s0
> > tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
> >
> > type=SYSCALL msg=audit(1208923427.350:95): arch=c000003e
> > syscall=86 success=yes exit=0 a0=2aaaaad599c0 a1=2aaaaad59ba0
> > a2=0 a3=0 items=0 ppid=2371 pid=3686 auid=4294967295 uid=0 gid=0
> > euid=1000 suid=0 fsuid=1000 egid=1000 sgid=0 fsgid=1000 tty=(none)
> > comm="local" exe="/usr/libexec/postfix/local"
> > subj=system_u:system_r:postfix_local_t:s0 key=(null)
> >
> > Is my interpretation correct? If so, is it likely that this could be
> > corrected in a future policy version?
>
> Try 'sealert -b' and find the message relating to this. It will give you a
> command to run, to tell selinux that you need this.
>
> Anne

This yields:

Summary

SELinux is preventing local (postfix_local_t) "link" to ./1208923427.P3686.myhost (mail_spool_t).

Detailed Description

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by local. It is not expected that this access is required by local and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./1208923427.P3686.myhost,

restorecon -v './1208923427.P3686.myhost'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information

Source Context:        system_u:system_r:postfix_local_t:s0
Target Context:        system_u:object_r:mail_spool_t:s0
Target Objects:        ./1208923427.P3686.myhost [ file ]
Source:                local
Source Path:           /usr/libexec/postfix/local
Port:                  <Unknown>
Host:                  myhost
Source RPM Packages:   postfix-2.4.5-2.fc8
Target RPM Packages:
Policy RPM:            selinux-policy-3.0.8-95.fc8
Selinux Enabled:       True
Policy Type:           targeted
MLS Enabled:           True
Enforcing Mode:        Permissive
Plugin Name:           catchall_file
Host Name:             myhost
Platform:              Linux myhost 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64
Alert Count:           1
First Seen:            Tue 22 Apr 2008 10:03:47 PM MDT
Last Seen:             Tue 22 Apr 2008 10:03:47 PM MDT
Local ID:              fb3bbd5f-23c2-40f2-a656-f02a0ce7fab7
Line Numbers:

Furthermore, `grep postfix audit.log | audit2allow` gives

#============= postfix_local_t ==============
allow postfix_local_t mail_spool_t:file link;

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
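The audit2allow step at the end of the message, reimplemented as an added example (not part of the post or of the audit2allow tool): it parses the AVC records quoted above into the same allow rule, pairs each denial with its SYSCALL record so you can see that success=yes means permissive mode let the call through, and merges further denials on the same type pair into one rule. The third log line is constructed for the example and is not from the thread.

```python
import re
from collections import defaultdict

# Constructed input: the AVC/SYSCALL pair quoted in the thread, plus one
# constructed follow-on denial to show how permissions on one type pair merge.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1208923427.350:95): avc:  denied  { link } for  pid=3686 comm="local" name="1208923427.P3686.myhost" dev=dm-3 ino=819271 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1208923427.350:95): arch=c000003e syscall=86 success=yes exit=0 ppid=2371 pid=3686 uid=0 comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null)
type=AVC msg=audit(1208923427.351:96): avc:  denied  { unlink } for  pid=3686 comm="local" name="1208923427.P3686.myhost" dev=dm-3 ino=819271 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+)\}"
    r" .*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\w+)")
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<event>[\d.]+:\d+)\):.*?success=(?P<ok>\w+)"
    r".*?exe=\"(?P<exe>[^\"]+)\"")

def type_of(context):
    """user:role:type[:range] -> type; the type is always the third field."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Group denied permissions by (source type, target type, object class),
    and record exe/success per audit event id from the SYSCALL records."""
    rules, syscalls = defaultdict(set), {}
    for line in log_text.splitlines():
        if m := AVC_RE.search(line):
            key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
        elif m := SYSCALL_RE.search(line):
            # success=yes on a denied AVC means permissive mode let the call through
            syscalls[m["event"]] = (m["exe"], m["ok"] == "yes")
    return dict(rules), syscalls

def format_rules(rules):
    """Render the rules the way audit2allow prints them, grouped by source type."""
    out = []
    for stype in sorted({k[0] for k in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, ttype, tclass), perms in sorted(rules.items()):
            if s == stype:
                p = " ".join(sorted(perms))
                perm_str = p if len(perms) == 1 else "{ " + p + " }"
                out.append(f"allow {s} {ttype}:{tclass} {perm_str};")
    return "\n".join(out)

if __name__ == "__main__":
    rules, syscalls = parse_denials(SAMPLE_AUDIT_LOG)
    print(format_rules(rules), syscalls, sep="\n")
```

As the sealert output above says, treat the generated rule as a hint rather than something to load straight away: check the labels with restorecon first, because a module granting the access would also paper over a mislabeled Maildir.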