Postfix, /root/.forward, SELinux, F9, Strange AVC

Brian Chadwick brianchad at westnet.com.au
Sun Aug 24 03:13:11 UTC 2008


Hi All.

Well, I have scoured the docs and can't find anything that looks like the 
problem I am having here.

I have a .forward file in /root .. Mail to root should divert to my user 
account, but SELinux stops Postfix from doing so. If I set SELinux to 
permissive, then it works, but of course logs the same AVC. 
SETroubleshooter says to restorecon -R './root' ... ./root is a relative 
path ... so what does this mean? It doesn't work.

[root@admin ~]# restorecon -R -v './root'
restorecon:  stat error on ./root:  No such file or directory
[root@admin ~]#

.forward File Context:

[root@admin ~]# ls -Z /root/.forward
-rw-r--r--  root root unconfined_u:object_r:admin_home_t:s0 /root/.forward
[root@admin ~]#

Postfix Booleans:

getsebool -a | grep post
allow_postfix_local_write_mail_spool --> on
allow_user_postgresql_connect --> off
[root@admin ~]#

Raw Audit Messages :

host=admin.brianac.com.au type=AVC msg=audit(1219546087.579:2125): avc: 
denied { search } for pid=26716 comm="local" name="root" dev=dm-7 
ino=63489 scontext=system_u:system_r:postfix_local_t:s0 
tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

host=admin.brianac.com.au type=SYSCALL msg=audit(1219546087.579:2125): 
arch=40000003 syscall=196 success=no exit=-13 a0=b8079568 a1=bfe2b844 
a2=7dfff4 a3=0 items=0 ppid=3274 pid=26716 auid=4294967295 uid=0 gid=0 
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 
comm="local" exe="/usr/libexec/postfix/local" 
subj=system_u:system_r:postfix_local_t:s0 key=(null)

Output from Troubleshooter:

Summary

SELinux is preventing the local from using potentially mislabeled files 
(./root).

Detailed Description

SELinux has denied local access to potentially mislabeled file(s) 
(./root). This means that SELinux will not allow local to use these 
files. It is common for users to edit files in their home directory or 
tmp directories and then move (mv) them to system directories. The 
problem is that the files end up with the wrong file context which 
confined applications are not allowed to access.

Allowing Access

If you want local to access this files, you need to relabel them using 
restorecon -v './root'. You might want to relabel the entire directory 
using restorecon -R -v './root'.

Additional Information

Source Context:  system_u:system_r:postfix_local_t:s0
Target Context:  system_u:object_r:admin_home_t:s0
Target Objects:  ./root [ dir ]
Source:  local
Source Path:  /usr/libexec/postfix/local
Port:  <Unknown>
Host:  admin.brianac.com.au
Source RPM Packages:  postfix-2.5.1-2.fc9
Target RPM Packages:  filesystem-2.4.13-1.fc9
Policy RPM:  selinux-policy-3.3.1-84.fc9
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  home_tmp_bad_labels
Host Name:  admin.brianac.com.au
Platform:  Linux admin.brianac.com.au 2.6.25.14-108.fc9.i686 #1 SMP Mon Aug

Troubleshooter says to restorecon for ./root. What is this? .. That is a 
relative path, not a full path.

Can anyone help decipher this AVC and provide a fix?

Cheers and Beers

Brian

-- 
Political Correctness is a doctrine, fostered by a delusional, illogical minority, and rabidly promoted by an unscrupulous mainstream media, which holds forth the proposition that it is entirely possible to pick up a turd by the clean end.
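
Added example, not part of the original post: a short Python parser that breaks the AVC and SYSCALL records quoted in the message into the fields needed to read the denial. The function names are hypothetical, and the SYSCALL record is abridged from the one in the post.

```python
import errno
import re

# Records copied from the post (line breaks joined; SYSCALL abridged).
AVC = ('type=AVC msg=audit(1219546087.579:2125): avc: denied { search } for '
       'pid=26716 comm="local" name="root" dev=dm-7 ino=63489 '
       'scontext=system_u:system_r:postfix_local_t:s0 '
       'tcontext=system_u:object_r:admin_home_t:s0 tclass=dir')
SYSCALL = ('type=SYSCALL msg=audit(1219546087.579:2125): arch=40000003 '
           'syscall=196 success=no exit=-13 items=0 ppid=3274 pid=26716 uid=0 '
           'comm="local" exe="/usr/libexec/postfix/local" '
           'subj=system_u:system_r:postfix_local_t:s0 key=(null)')


def fields(record):
    """Return the key=value pairs of one audit record as a dict."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', record)
    return {key: value.strip('"') for key, value in pairs}


def event_id(record):
    """Return the 'timestamp:serial' shared by all records of one event."""
    return re.search(r'msg=audit\(([\d.]+:\d+)\)', record).group(1)


def decode(avc, syscall):
    """Combine an AVC record and its SYSCALL record into a readable summary."""
    if event_id(avc) != event_id(syscall):
        raise ValueError("records belong to different audit events")
    a, s = fields(avc), fields(syscall)
    exit_code = int(s["exit"])
    return {
        "source_domain": a["scontext"].split(":")[2],  # who was confined
        "target_type": a["tcontext"].split(":")[2],    # label on the object
        "class": a["tclass"],                          # kind of object
        "perms": re.search(r'\{([^}]*)\}', avc).group(1).split(),
        "object_name": a["name"],                      # last path component only
        "has_path_record": int(s["items"]) > 0,        # items=0: no full path
        "exe": s["exe"],
        "errno": errno.errorcode[-exit_code] if exit_code < 0 else None,
    }


if __name__ == "__main__":
    d = decode(AVC, SYSCALL)
    print("{exe} ({source_domain}) denied {perms} on {class} "
          "'{object_name}' labelled {target_type}: {errno}".format(**d))
```

The decoded fields show that the denied object is a directory named `root` (tclass=dir, type admin_home_t), not the `.forward` file itself, and that the event has items=0, so the audit record carries only the last path component and no full path.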
