oddity with postfix delivering to homedir

Manuel Wolfshant wolfy at nobugconsulting.ro
Tue Feb 17 13:36:26 UTC 2009


Dominick Grift wrote:
> On Tue, 2009-02-17 at 14:27 +0200, Manuel Wolfshant wrote:
>
>   
>>     My questions are
>> a) why does postfix create the initial home directories with a wrong 
>> context ? Note this only happens for NEW users, messages for the users 
>> which already existed [and have correct context] on the old system are 
>> perfectly fine.
>>     
>
> I think it has to do with the way genhomedircon works. Since postfix is
> the owner and is a system account. I am not sure. Hopefully someone else
> can shed some light on this.
>
>   
>> b) what can I do to fix ?
>>     
>
> I think that restorecond should fix this. Is it running? and is /home
> added to restorecond.conf?
>   

restorecond was (and is) running. /home was not included in restorecond.conf, but even after adding it (and reload/restart /etc/init.d/restorecond) there is no change.

As additional info, /var/log/messages has:
Feb 17 15:30:12 imap2 setroubleshoot: SELinux is preventing virtual (postfix_virtual_t) "write" to /home/gigi.test at nobugconsulting.ro/tmp/1234877410.P4488.imap2 (home_root_t). For complete SELinux messages. run sealert -l 0bc7c6e1-96d8-4f59-bcac-a11fbc699e2a
Feb 17 15:30:12 imap2 setroubleshoot: SELinux is preventing virtual (postfix_virtual_t) "remove_name" to ./1234877410.P4488.imap2 (home_root_t). For complete SELinux messages. run sealert -l 51b63565-8a4d-494e-808b-d235cbdd5683
Feb 17 15:30:12 imap2 setroubleshoot: SELinux is preventing virtual (postfix_virtual_t) "write" to ./1234877410.P4488.imap2 (home_root_t). For complete SELinux messages. run sealert -l 54d85276-b21c-4753-9937-afb48373c326

Not surprisingly, sealert -l gives "SELinux is preventing virtual (postfix_virtual_t) "write" to /home/gigi.test at nobugconsulting.ro/tmp/1234877410.P4488.imap2 (home_root_t)."

Additional Information:

Source Context                root:system_r:postfix_virtual_t
Target Context                root:object_r:home_root_t
Target Objects                /home/gigi.test at nobugconsulting.ro/tmp/1234877410.
                              P4488.imap2 [ file ]
Source                        virtual
Source Path                   /usr/libexec/postfix/virtual
Port                          <Unknown>
Host                          imap2
Source RPM Packages           postfix-2.3.3-2.1.centos.mysql_pgsql
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     imap2
Platform                      Linux imap2 2.6.18-92.1.22.el5xen #1 SMP Tue Dec
                              16 12:26:32 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Tue Feb 17 15:30:10 2009
Last Seen                     Tue Feb 17 15:30:10 2009
Local ID                      0bc7c6e1-96d8-4f59-bcac-a11fbc699e2a
Line Numbers

Raw Audit Messages

host=imap2 type=AVC msg=audit(1234877410.37:45680): avc:  denied  { write } for  pid=4488 comm="virtual" path="/home/gigi.test at nobugconsulting.ro/tmp/1234877410.P4488.imap2" dev=hda1 ino=29982723 scontext=root:system_r:postfix_virtual_t:s0 tcontext=root:object_r:home_root_t:s0 tclass=file

host=imap2 type=SYSCALL msg=audit(1234877410.37:45680): arch=c000003e syscall=1 success=no exit=-13 a0=c a1=2b06b8c9f520 a2=1b5 a3=7228206f722e676e items=0 ppid=26787 pid=4488 auid=0 uid=0 gid=0 euid=89 suid=0 fsuid=89 egid=89 sgid=0 fsgid=89 tty=(none) ses=7290 comm="virtual" exe="/usr/libexec/postfix/virtual" subj=root:system_r:postfix_virtual_t:s0 key=(null)
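
An added example, not part of the original message: a small parser for raw audit records like the ones above, which pulls out the source and target types and flags objects below /home that still carry home_root_t. The function names are hypothetical, the third sample record is constructed, and the flagging rule assumes home_root_t is meant only for /home itself.

```python
import re
from collections import Counter

AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may contain spaces

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    # A context is user:role:type[:level]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def inherited_home_root(rec):
    """Heuristic (assumption): home_root_t is the label of /home itself, so an
    object below /home that carries it took the parent directory's label."""
    path = rec.get("path", "")  # some records carry only name=, not path=
    return (rec["ttype"] == "home_root_t"
            and path.startswith("/home/") and path != "/home/")

def summarize(lines):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts

SAMPLE = [
    # AVC and SYSCALL records copied from the message above
    'host=imap2 type=AVC msg=audit(1234877410.37:45680): avc:  denied  { write } for  pid=4488 comm="virtual" path="/home/gigi.test at nobugconsulting.ro/tmp/1234877410.P4488.imap2" dev=hda1 ino=29982723 scontext=root:system_r:postfix_virtual_t:s0 tcontext=root:object_r:home_root_t:s0 tclass=file',
    'host=imap2 type=SYSCALL msg=audit(1234877410.37:45680): arch=c000003e syscall=1 success=no exit=-13 a0=c a1=2b06b8c9f520 a2=1b5 a3=7228206f722e676e items=0 ppid=26787 pid=4488 auid=0 uid=0 gid=0 euid=89 suid=0 fsuid=89 egid=89 sgid=0 fsgid=89 tty=(none) ses=7290 comm="virtual" exe="/usr/libexec/postfix/virtual" subj=root:system_r:postfix_virtual_t:s0 key=(null)',
    # constructed record: a directory denial that carries name= instead of path=
    'host=imap2 type=AVC msg=audit(1234877410.38:45681): avc:  denied  { remove_name } for  pid=4488 comm="virtual" name="1234877410.P4488.imap2" dev=hda1 ino=29982723 scontext=root:system_r:postfix_virtual_t:s0 tcontext=root:object_r:home_root_t:s0 tclass=dir',
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```

Records that only carry name= are counted by summarize() but cannot be matched against /home, so they are never flagged by inherited_home_root().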




