new postfix will not run.

John Griffiths fedora02 at grifent.com
Fri Oct 10 19:06:26 UTC 2008


selinux is preventing the update of postfix to run.

The yum update of postfix includes a directory /var/lib/postfix but 
postfix is prevented from using the directory by selinux. I think the 
policy needs to be updated.


Summary:

SELinux is preventing master (postfix_master_t) "write" to ./postfix
(var_lib_t).

Detailed Description:

SELinux is preventing master (postfix_master_t) "write" to ./postfix
(var_lib_t). The SELinux type var_lib_t is a generic type for all files in the
directory and very few processes (SELinux Domains) are allowed to write to this
SELinux type. This type of denial usually indicates a mislabeled file. By
default a file created in a directory gets the context of the parent directory,
but SELinux policy has rules about the creation of directories that say if a
process running in one SELinux Domain (D1) creates a file in a directory with a
particular SELinux File Context (F1) the file gets a different File Context
(F2). The policy usually allows the SELinux Domain (D1) the ability to write,
unlink, and append on (F2). But if for some reason a file (./postfix) was
created with the wrong context, this domain will be denied. The usual solution
to this problem is to reset the file context on the target file, restorecon -v
'./postfix'. If the file context does not change from var_lib_t, then this is
probably a bug in policy. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
package. If it does change, you can try your application again to see if it
works. The file context could have been mislabeled by editing the file or
moving the file from a different directory; if the file keeps getting
mislabeled, check the init scripts to see if they are doing something to
mislabel the file.

Allowing Access:

You can attempt to fix file context by executing restorecon -v './postfix'

The following command will allow this access:

restorecon './postfix'

Additional Information:

Source Context                unconfined_u:system_r:postfix_master_t
Target Context                system_u:object_r:var_lib_t
Target Objects                ./postfix [ dir ]
Source                        master
Source Path                   /usr/libexec/postfix/master
Port                          <Unknown>
Host                          elijah.suretrak21.net
Source RPM Packages           postfix-2.5.5-1.fc8
Target RPM Packages          
Policy RPM                    selinux-policy-3.0.8-117.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   mislabeled_file
Host Name                     elijah.suretrak21.net
Platform                      Linux elijah.suretrak21.net 
2.6.26.5-28.fc8 #1 SMP
                              Sat Sep 20 09:32:58 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Thu 09 Oct 2008 09:40:21 AM EDT
Last Seen                     Fri 10 Oct 2008 02:39:57 PM EDT
Local ID                      b11cda56-461f-44af-8fd8-3866e11f4833
Line Numbers                 

Raw Audit Messages           

host=elijah.suretrak21.net type=AVC msg=audit(1223663997.824:9826): 
avc:  denied  { write } for  pid=1805 comm="master" name="postfix" 
dev=dm-0 ino=784360 scontext=unconfined_u:system_r:postfix_master_t:s0 
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

host=elijah.suretrak21.net type=SYSCALL msg=audit(1223663997.824:9826): 
arch=40000003 syscall=5 success=no exit=-13 a0=b9d8a560 a1=c2 a2=1a4 
a3=0 items=0 ppid=1758 pid=1805 auid=500 uid=0 gid=0 euid=89 suid=0 
fsuid=89 egid=89 sgid=0 fsgid=89 tty=(none) ses=1415 comm="master" 
exe="/usr/libexec/postfix/master" 
subj=unconfined_u:system_r:postfix_master_t:s0 key=(null)

Rather than write a policy change
#============= postfix_master_t ==============
allow postfix_master_t var_lib_t:dir write;

as a workaround I changed the context of /var/lib/postfix to
postfix_etc_t which allows postfix to run.

Regards,
John Griffiths
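As an added example (not part of John's post), a small Python parser for the two raw audit records quoted above: it merges the AVC and SYSCALL records by event id, renders the allow rule in the audit2allow format the post quotes, decodes exit=-13, and flags that var_lib_t is a generic type, so relabeling is the safer first step. The GENERIC_TYPES set is an assumption, not taken from the post.

```python
import errno
import re
from collections import defaultdict
# The AVC and SYSCALL records from the post, copied here as a constructed input string.
AUDIT_RECORDS = """\
host=elijah.suretrak21.net type=AVC msg=audit(1223663997.824:9826): avc:  denied  { write } for  pid=1805 comm="master" name="postfix" dev=dm-0 ino=784360 scontext=unconfined_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
host=elijah.suretrak21.net type=SYSCALL msg=audit(1223663997.824:9826): arch=40000003 syscall=5 success=no exit=-13 a0=b9d8a560 a1=c2 a2=1a4 a3=0 items=0 ppid=1758 pid=1805 auid=500 uid=0 gid=0 euid=89 suid=0 fsuid=89 egid=89 sgid=0 fsgid=89 tty=(none) ses=1415 comm="master" exe="/usr/libexec/postfix/master" subj=unconfined_u:system_r:postfix_master_t:s0 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

# Assumed list of generic file types; a denial against one of these usually means a mislabeled file.
GENERIC_TYPES = {"var_lib_t", "var_t", "etc_t", "usr_t", "tmp_t", "var_log_t"}

def parse_records(text):
    """Merge AVC and SYSCALL records that share an audit event id into one field dict."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = events[m.group(2)]
        fields.update((k, v.strip('"')) for k, v in KV_RE.findall(line))
        p = PERM_RE.search(line)
        if p:
            fields["perms"] = p.group(1).split()
    return dict(events)

def selinux_type(context):
    """Return the type component (user:role:TYPE:level) of a security context."""
    return context.split(":")[2]

def allow_rule(fields):
    """Render the allow rule audit2allow would produce for this denial."""
    perms = fields["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (selinux_type(fields["scontext"]),
                                   selinux_type(fields["tcontext"]),
                                   fields["tclass"], perm_str)

def syscall_error(fields):
    """Translate the SYSCALL record's negative exit value into an errno name."""
    return errno.errorcode[-int(fields["exit"])]

def triage(fields):
    """Recommend relabeling over widening policy when the target has a generic type."""
    ttype = selinux_type(fields["tcontext"])
    if ttype in GENERIC_TYPES:
        return "relabel: restorecon -v %s (target type %s is generic)" % (fields["name"], ttype)
    return "review policy: " + allow_rule(fields)
```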