freeslkr wrote:
> freeslkr <freeslkr.wl6x <at> mailnull.com> writes:
>
>> Hello,
>>
>> I'm trying out SELinux on Fedora 8 in permissive mode. I get AVCs
>> every time postfix delivers mail to the maildir directories. It looks
>> like postfix doesn't have permission to create files. For example,
>>
>> from /var/log/messages:
>>
>> SELinux is preventing local (postfix_local_t) "link" to
>> ./1208923427.P3686.myhost (mail_spool_t)
>>
>> from /var/log/audit/audit.log:
>>
>> type=AVC msg=audit(1208923427.350:95): avc: denied { link } for
>> pid=3686 comm="local" name="1208923427.P3686.myhost" dev=dm-3
>> ino=819271 scontext=system_u:system_r:postfix_local_t:s0
>> tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
>>
>> type=SYSCALL msg=audit(1208923427.350:95): arch=c000003e
>> syscall=86 success=yes exit=0 a0=2aaaaad599c0 a1=2aaaaad59ba0
>> a2=0 a3=0 items=0 ppid=2371 pid=3686 auid=4294967295 uid=0 gid=0
>> euid=1000 suid=0 fsuid=1000 egid=1000 sgid=0 fsgid=1000 tty=(none)
>> comm="local" exe="/usr/libexec/postfix/local"
>> subj=system_u:system_r:postfix_local_t:s0 key=(null)
>>
>> Is my interpretation correct? If so, is it likely that this could be
>> corrected in a future policy version?
>>
>> Thank you for your help
>
> I'll first note that reverting to mbox files in /var/spool/mail works
> just fine.
>
> Blundering along here ...
>
> file:///usr/share/doc/selinux-policy-3.0.8/html/services_postfix.html
> says
>
> allow_postfix_local_write_mail_spool
> Default value: false
> Description: Allow postfix_local domain full write access to mail_spool
> directories
>
> This sounds like what I need. But, it seems that it's already set.
>
> $ getsebool allow_postfix_local_write_mail_spool
> allow_postfix_local_write_mail_spool --> on
>
> $ cd /var/spool
> $ ls -Zd mail
> drwxrwxr-x root mail system_u:object_r:mail_spool_t:s0 mail
>
> $ ls -Zd mail/*
> drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX
>
> $ ls -Zd mail/*/*
> drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX/cur
> drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX/new
> drwxrwx--- XXXX mail system_u:object_r:mail_spool_t:s0 mail/XXXX/tmp
>
> $ ls -Z mail/*/*/new
> -rw------- XXXX XXXX system_u:object_r:mail_spool_t:s0
> 1209227463.Vfd03Ic8046M24695.myhost
>
> To me, it _looks_ like postfix should be able to create new files in
> /var/spool/mail/*/*, but this is being denied.
>
> In the selinux-policy source rpm, there are three files that seem to be
> related to postfix: postfix.{fc,if,te}. Obviously, I don't understand how
> all of this works, but there are no direct references to mail_spool_t or
> /var/spool/mail or /var/mail in these files.
>
> /var/spool/postfix has type postfix_spool_t, so naively I try
>
> $ chcon --recursive --type postfix_spool_t /var/spool/mail
>
> but that causes numerous AVC denied messages.
>
> Using audit2allow:
>
> $ grep -e postfix -e mail /var/log/audit/audit.log | audit2allow
> #============= postfix_local_t ==============
> allow postfix_local_t mail_spool_t:file link;
>
> Now, if I can just figure out what to do with this .... Thanks to anyone
> that shares some insight here.
> a
> $

# grep -e postfix -e mail /var/log/audit/audit.log | audit2allow -M mypostfix
# semodule -i mypostfix.pp

Will update your policy with this.
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
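As an added example (not from this thread, and not the audit2allow tool itself), a small Python parser that does by hand what the `audit2allow` step above does: it pulls the AVC records out of audit.log, pairs each with its SYSCALL record so a logged-only denial (permissive mode, `success=yes`) can be told apart from one that actually failed the call, and aggregates permissions per source/target/class into allow rules that can be reviewed before anything is loaded with `semodule -i`. The log excerpt is constructed from the AVC quoted in the thread plus one invented `create` denial; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt, modelled on the AVC record quoted in the thread;
# the second AVC/SYSCALL pair is invented to show aggregation and an enforced denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1208923427.350:95): avc: denied { link } for pid=3686 comm="local" name="1208923427.P3686.myhost" dev=dm-3 ino=819271 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1208923427.350:95): arch=c000003e syscall=86 success=yes exit=0 comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0
type=AVC msg=audit(1208923427.351:96): avc: denied { create } for pid=3686 comm="local" name="1208923427.P3686.myhost" dev=dm-3 ino=819272 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1208923427.351:96): arch=c000003e syscall=2 success=no exit=-13 comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0
"""

# The msg=audit(timestamp:serial) value ties an AVC record to its SYSCALL record.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<event>[\d.:]+)\): avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(r'type=SYSCALL msg=audit\((?P<event>[\d.:]+)\):.*?success=(?P<ok>yes|no)')

def context_type(ctx):
    """Extract the type field from user:role:type:level, e.g. postfix_local_t."""
    return ctx.split(":")[2]

def parse_denials(log_text):
    """One record per AVC denial; 'enforced' is True when the paired SYSCALL shows success=no."""
    outcome = {}
    for m in SYSCALL_RE.finditer(log_text):
        outcome[m.group("event")] = (m.group("ok") == "no")
    denials = []
    for m in AVC_RE.finditer(log_text):
        denials.append({
            "event": m.group("event"),
            "perms": set(m.group("perms").split()),
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "enforced": outcome.get(m.group("event"), False),
        })
    return denials

def allow_rules(denials):
    """Aggregate denials per (source, target, class) into allow rules in the form audit2allow prints."""
    agg = defaultdict(set)
    for d in denials:
        agg[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(agg.items()):
        body = " ".join(sorted(perms))
        body = body if len(perms) == 1 else "{ " + body + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules
```

Reviewing the aggregated rules this way shows exactly which permissions a local module would grant, which matters because every rule loaded with `semodule` widens what postfix_local_t may do to mail_spool_t.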