postfix with maildir delivery

freeslkr freeslkr.wl6x at mailnull.com
Thu Apr 24 05:17:44 UTC 2008


Anne Wilson <cannewilson <at> googlemail.com> writes:

> On Wednesday 23 April 2008 05:59, freeslkr wrote:
> > Hello,
> >
> > I'm trying out SELinux on Fedora 8 in permissive mode. I get AVCs
> > every time postfix delivers mail to the maildir directories. It looks
> > like postfix doesn't have permission to create files. For example,
> >
> > from /var/log/messages:
> >
> > 	SELinux is preventing local (postfix_local_t) "link" to
> > 	./1208923427.P3686.myhost (mail_spool_t)
> >
> > from /var/log/audit/audit.log:
> >
> > 	type=AVC msg=audit(1208923427.350:95): avc: denied { link } for
> > 	pid=3686 comm="local" name="1208923427.P3686.myhost" dev=dm-3
> > 	ino=819271 scontext=system_u:system_r:postfix_local_t:s0
> > 	tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
> >
> > 	type=SYSCALL msg=audit(1208923427.350:95): arch=c000003e
> > 	syscall=86 success=yes exit=0 a0=2aaaaad599c0 a1=2aaaaad59ba0
> > 	a2=0 a3=0 items=0 ppid=2371 pid=3686 auid=4294967295 uid=0 gid=0
> > 	euid=1000 suid=0 fsuid=1000 egid=1000 sgid=0 fsgid=1000 tty=(none)
> > 	comm="local" exe="/usr/libexec/postfix/local"
> > 	subj=system_u:system_r:postfix_local_t:s0 key=(null)
> >
> > Is my interpretation correct? If so, is it likely that this could be
> > corrected in a future policy version?
> >
> Try 'sealert -b' and find the message relating to this.  It will give you a
> command to run, to tell SELinux that you need this.
> 
> Anne

This yields:

  Summary

  SELinux is preventing local (postfix_local_t) "link" to
  ./1208923427.P3686.myhost (mail_spool_t).

  Detailed Description

  [SELinux is in permissive mode, the operation would have been
  denied but was permitted due to permissive mode.]

  SELinux denied access requested by local. It is not expected that this
  access is required by local and this access may signal an intrusion
  attempt. It is also possible that the specific version or configuration
  of the application is causing it to require additional access.

  Allowing Access

  Sometimes labeling problems can cause SELinux denials. You could try
  to restore the default system file context for ./1208923427.P3686.myhost,
  restorecon -v './1208923427.P3686.myhost' If this does not work, there
  is currently no automatic way to allow this access. Instead, you can
  generate a local policy module to allow this access - see FAQ Or you
  can disable SELinux protection altogether. Disabling SELinux
  protection is not recommended. Please file a bug report against this
  package.

  Additional Information

  Source Context:  system_u:system_r:postfix_local_t:s0
  Target Context:  system_u:object_r:mail_spool_t:s0
  Target Objects:  ./1208923427.P3686.myhost [ file ]
  Source:  local
  Source Path:  /usr/libexec/postfix/local
  Port:  <Unknown>
  Host:  myhost
  Source RPM Packages:  postfix-2.4.5-2.fc8
  Target RPM Packages:
  Policy RPM:  selinux-policy-3.0.8-95.fc8
  Selinux Enabled:  True
  Policy Type:  targeted
  MLS Enabled:  True
  Enforcing Mode:  Permissive
  Plugin Name:  catchall_file
  Host Name:  myhost
  Platform:  Linux myhost 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:15:49
    EDT 2008 x86_64 x86_64
  Alert Count:  1
  First Seen:  Tue 22 Apr 2008 10:03:47 PM MDT
  Last Seen:  Tue 22 Apr 2008 10:03:47 PM MDT
  Local ID:  fb3bbd5f-23c2-40f2-a656-f02a0ce7fab7
  Line Numbers:  

Furthermore, `grep postfix audit.log | audit2allow` gives

  #============= postfix_local_t ==============
  allow postfix_local_t mail_spool_t:file link;
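As an added illustration (not part of the thread, and not the audit2allow tool's own code), the following Python script parses AVC records in the audit.log layout quoted above and derives the same `allow` rule that audit2allow printed. It generalises slightly: several denials on the same source type / target type / object class triple are merged into one rule with a permission set. The first two records in the sample are the AVC/SYSCALL pair from the thread re-joined onto single lines; the third (an `unlink` denial) is constructed here purely to show the merging.

```python
import re
from collections import defaultdict

# Constructed sample input in audit.log format. The first two records are the
# AVC/SYSCALL pair quoted in the thread, re-joined onto single lines as auditd
# writes them; the third AVC record (unlink) is CONSTRUCTED here to show how
# several permissions on one source/target/class triple are aggregated.
SAMPLE_AUDIT_LOG = "\n".join([
    'type=AVC msg=audit(1208923427.350:95): avc: denied { link } for pid=3686 '
    'comm="local" name="1208923427.P3686.myhost" dev=dm-3 ino=819271 '
    'scontext=system_u:system_r:postfix_local_t:s0 '
    'tcontext=system_u:object_r:mail_spool_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1208923427.350:95): arch=c000003e syscall=86 '
    'success=yes exit=0 a0=2aaaaad599c0 a1=2aaaaad59ba0 a2=0 a3=0 items=0 '
    'ppid=2371 pid=3686 auid=4294967295 uid=0 gid=0 euid=1000 suid=0 '
    'fsuid=1000 egid=1000 sgid=0 fsgid=1000 tty=(none) comm="local" '
    'exe="/usr/libexec/postfix/local" '
    'subj=system_u:system_r:postfix_local_t:s0 key=(null)',
    # constructed record, not from the thread
    'type=AVC msg=audit(1208923427.360:96): avc: denied { unlink } for pid=3686 '
    'comm="local" name="1208923427.P3686.myhost" dev=dm-3 ino=819271 '
    'scontext=system_u:system_r:postfix_local_t:s0 '
    'tcontext=system_u:object_r:mail_spool_t:s0 tclass=file',
])

# One denied AVC record: the permission set inside { }, then the source and
# target security contexts and the object class. Field order follows the
# kernel's AVC message format (scontext, then tcontext, then tclass).
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions.

    Non-AVC records (SYSCALL, CWD, PATH, ...) are skipped; "avc: granted"
    records and lines that do not match the expected layout are ignored too.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def format_allow_rules(rules):
    """Render the rules in the allow-rule style that audit2allow prints."""
    by_source = defaultdict(list)
    for (src, tgt, cls), perms in sorted(rules.items()):
        by_source[src].append((tgt, cls, perms))
    out = []
    for src in sorted(by_source):
        out.append(f"#============= {src} ==============")
        for tgt, cls, perms in by_source[src]:
            if len(perms) == 1:
                perm_text = next(iter(perms))
            else:
                perm_text = "{ " + " ".join(sorted(perms)) + " }"
            out.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_allow_rules(parse_avc_denials(SAMPLE_AUDIT_LOG)))
```

Run on the thread's single AVC line the script prints exactly the `allow postfix_local_t mail_spool_t:file link;` rule shown above; with the constructed `unlink` record added it prints `{ link unlink }` instead. The point of seeing the derivation is that such a rule grants precisely what was denied and nothing else, so the check sealert's text asks for (is this access plausible for the source, here Postfix's local delivery agent linking a message into a Maildir on `mail_spool_t`) happens before the rule is packaged with `audit2allow -M` and loaded with `semodule -i`. The SYSCALL record gives an independent cross-check: on x86_64, `syscall=86` is `link(2)`, matching the AVC's `{ link }`.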
