
Re: mailq.postfix.gz.1 incorrectly labeled in FC6T1



James Antill wrote:
On Fri, 2006-07-14 at 07:59 +0100, Paul Howarth wrote:
On Thu, 2006-07-13 at 19:44 -0500, Jay Cliburn wrote:
After installing postfix under FC6T1, I kept getting this avc:

audit(1152836951.218:8): avc:  denied  { getattr } for  pid=3130
comm="sh" name="mailq.postfix.1.gz" dev=dm-0 ino=1084752
scontext=user_u:system_r:postfix_master_t:s0
tcontext=system_u:object_r:man_t:s0 tclass=file

It's a manpage and it looks to me like it came from the factory labeled
incorrectly.  A chcon to system_u:object_r:man_t seems to have fixed it.
This has been seen before on FC5:

http://www.redhat.com/archives/fedora-selinux-list/2006-June/msg00021.html

It appears to happen when postfix is started. The AVC suggests that the
manpage already has the correct context, and the strange thing is that
the postfix master program is trying to access it (why should that be?).

 AIUI postfix looks for where the documentation is for error messages to
the user (i.e. look at the documentation at X to help solve problem Y).

Excellent! A sane explanation :-)

I suggest adding the following to the postfix policy:

# Postfix master process looking for its man pages so that it can refer
# to them in error messages
# (e.g. look at the documentation at X to help solve problem Y)
miscfiles_read_man_pages(postfix_master_t)

Paul.
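As an added example (not part of the thread, and not Postfix or refpolicy code), a small Python parser for AVC records like the one quoted above. It pulls out the source and target types, applies the distinction Paul draws (the man page already carries man_t, the type a man page should have, so the denial is a policy gap rather than a mislabeled file), and prints the raw allow rule that the suggested miscfiles_read_man_pages() interface would cover. The expected type man_t comes from the thread; the sample record is the thread's AVC with its wrapped lines rejoined.

```python
import re

# Constructed sample input: the AVC quoted in the thread, with its wrapped
# lines rejoined into the single record the kernel logs.
SAMPLE_AVC = (
    'audit(1152836951.218:8): avc:  denied  { getattr } for  pid=3130 '
    'comm="sh" name="mailq.postfix.1.gz" dev=dm-0 ino=1084752 '
    'scontext=user_u:system_r:postfix_master_t:s0 '
    'tcontext=system_u:object_r:man_t:s0 tclass=file'
)

_HEAD = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)')
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(record):
    """Split one AVC record into result, permission list and key=value fields."""
    m = _HEAD.search(record)
    if m is None:
        raise ValueError('not an AVC record: %r' % record)
    result, perms, rest = m.groups()
    fields = {k: (quoted or bare) for k, quoted, bare in _KV.findall(rest)}
    # Contexts are user:role:type[:level]; policy rules are written on the type.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return {'result': result, 'perms': perms.split(), **fields}


def diagnose(avc, expected_ttype):
    """Tell the two fixes discussed in the thread apart: if the object already
    carries the type the file_contexts say it should (man_t for a man page),
    relabeling changes nothing and the denial is a gap in the domain's policy;
    otherwise the object is mislabeled and restorecon, not an allow rule, fixes it."""
    return 'policy' if avc['ttype'] == expected_ttype else 'relabel'


def allow_rule(avc):
    """Raw allow rule equivalent to the denial. In a real module prefer the
    refpolicy interface (here miscfiles_read_man_pages) over a raw rule."""
    return 'allow %s %s:%s { %s };' % (
        avc['stype'], avc['ttype'], avc['tclass'], ' '.join(avc['perms']))


if __name__ == '__main__':
    avc = parse_avc(SAMPLE_AVC)
    print(diagnose(avc, 'man_t'))  # policy
    print(allow_rule(avc))         # allow postfix_master_t man_t:file { getattr };
```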

