postfix trying to access /boot AVC

Brian Chadwick brian at brianac.com.au
Mon Mar 2 11:17:56 UTC 2009 

Hi,

This is happening after the last round of F10 updates involving postfix.

postfix-2.5.6-1.fc10.i386.rpm

selinux-policy-targeted-3.5.13-45.fc10.noarch.rpm


Summary:

SELinux is preventing smtpd (postfix_smtpd_t) "getattr" to /boot (boot_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by smtpd. It is not expected that this
access is
required by smtpd and this access may signal an intrusion attempt. It is
also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore
the default system file context for /boot,

restorecon -v '/boot'

If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access -
see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:postfix_smtpd_t:s0
Target Context                system_u:object_r:boot_t:s0
Target Objects                /boot [ dir ]
Source                        smtpd
Source Path                   /usr/libexec/postfix/smtpd
Port                          <Unknown>
Host                          admin.brianac.com.au
Source RPM Packages           postfix-2.5.6-1.fc10
Target RPM Packages           filesystem-2.4.19-1.fc10
Policy RPM                    selinux-policy-3.5.13-45.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     admin.brianac.com.au
Platform                      Linux admin.brianac.com.au
                              2.6.27.15-170.2.24.fc10.i686.PAE #1 SMP
Wed Feb 11
                              23:35:37 EST 2009 i686 athlon
Alert Count                   294
First Seen                    Thu 26 Feb 2009 20:46:08 EST
Last Seen                     Mon 02 Mar 2009 10:46:05 EST
Local ID                      cbf2bcef-ae64-4d65-bd35-e8226a7d35a1
Line Numbers

Raw Audit Messages

node=admin.brianac.com.au type=AVC msg=audit(1235954765.372:3918): avc:
denied  { getattr } for  pid=11567 comm="smtpd" path="/boot" dev=sda2
ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0
tcontext=system_u:object_r:boot_t:s0 tclass=dir

node=admin.brianac.com.au type=SYSCALL msg=audit(1235954765.372:3918):
arch=40000003 syscall=195 success=yes exit=0 a0=bfe00176 a1=bfe0056c
a2=811ff4 a3=bfe0017c items=0 ppid=2421 pid=11567 auid=4294967295 uid=89
gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none)
ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd"
subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)

More information about the fedora-selinux-list mailing list