[DSE-Dev] Bug#689952: selinux-policy-default: Postfix SELinux errors: warning: mail_queue_enter: create file maildrop/XXX: Permission denied

Mathieu Parent math.parent at gmail.com
Mon Oct 8 10:00:40 UTC 2012


Package: selinux-policy-default
Version: 2:0.2.20100524-7+squeeze1
Severity: important

This is similar to #659183 and #599053.

Postfix is not working properly and fills the "mail.log" with:
(...)
Oct  8 11:49:03 uvinct178 postfix/postdrop[19410]: warning:
mail_queue_enter: create file maildrop/841907.19410: Permission denied
Oct  8 11:49:03 uvinct178 postfix/postdrop[20901]: warning:
mail_queue_enter: create file maildrop/842142.20901: Permission denied
Oct  8 11:49:03 uvinct178 postfix/postdrop[18905]: warning:
mail_queue_enter: create file maildrop/851095.18905: Permission denied
Oct  8 11:49:04 uvinct178 postfix/postdrop[2200]: warning:
mail_queue_enter: create file maildrop/3390.2200: Permission denied
Oct  8 11:49:04 uvinct178 postfix/postdrop[20395]: warning:
mail_queue_enter: create file maildrop/3594.20395: Permission denied
Oct  8 11:49:04 uvinct178 postfix/postdrop[20651]: warning:
mail_queue_enter: create file maildrop/3814.20651: Permission denied

The corresponding audit log is:
(...)
[234198.945293] type=1400 audit(1349689808.647:1518134): avc:  denied
{ write } for  pid=6288 comm="postdrop" name="maildrop" dev=dm-4
ino=15869 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
[234198.945387] type=1400 audit(1349689808.647:1518135): avc:  denied
{ write } for  pid=5277 comm="postdrop" name="maildrop" dev=dm-4
ino=15869 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
[234198.945502] type=1400 audit(1349689808.647:1518136): avc:  denied
{ write } for  pid=3510 comm="postdrop" name="maildrop" dev=dm-4
ino=15869 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
[234198.945773] type=1400 audit(1349689808.647:1518137): avc:  denied
{ write } for  pid=7049 comm="postdrop" name="maildrop" dev=dm-4
ino=15869 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir

Files are properly tagged (I relabelled after postfix install, and
"restorecon -R -v /var/spool/postfix" prints nothing).

Processes are in the right context.

Audit2allow suggests a reasonable permission:
allow system_mail_t var_spool_t:dir write;

It seems that some module is not loaded, but I don't know how to check...


-- System Information:
Debian Release: 6.0.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules        1.1.1-6.1+squeeze1 Pluggable Authentication Modules f
ii  libselinux1           2.0.96-1           SELinux runtime shared libraries
ii  libsepol1             2.0.41-1           SELinux library for manipulating b
ii  policycoreutils       2.0.82-3           SELinux core policy utilities
ii  python                2.6.6-3+squeeze7   interactive high-level object-orie

Versions of packages selinux-policy-default recommends:
ii  checkpolicy                   2.0.22-1   SELinux policy compiler
pn  setools                       <none>     (no description available)

Versions of packages selinux-policy-default suggests:
pn  logcheck                      <none>     (no description available)
pn  syslog-summary                <none>     (no description available)

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local changed:
/var/local/log/apache2(/.*)?    system_u:object_r:httpd_log_t:s0
/usr/local/share/cadenas(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/var/local/log/apache2/cadenas(/.*)?    system_u:object_r:httpd_log_t:s0
/usr/local/share/http_cadenas(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/var/local/log/apache2/https_cadenas(/.*)?    system_u:object_r:httpd_log_t:s0
/usr/local/share/https_cadenas(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/var/local/log/apache2/http_cadenas(/.*)?    system_u:object_r:httpd_log_t:s0
/usr/lib/oracle/10.2.0.4/client64/lib/lib.*\.so(\.[^/]*)*    system_u:object_r:texrel_shlib_t:s0
/var/local/lib/apache2/mod_security(/.*)?    system_u:object_r:httpd_t:s0
/var/lib/php5(/.*)?    system_u:object_r:httpd_var_run_t:s0
/etc/local/crypto/apache2-config(/.*)?    system_u:object_r:httpd_config_t:s0
/etc/local/crypto    system_u:object_r:mnt_t:s0


-- no debconf information
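As an added example (not part of the bug report or of the Debian policy package), a small Python script that parses AVC denial lines like the ones above and derives the same audit2allow-style rule the reporter quotes, counting how many denials each rule would cover. The sample input is constructed from the report's first two audit lines, re-joined onto single lines the way the kernel emits them.

```python
import re
from collections import defaultdict

# Constructed sample: two AVC denials from the report, one per line.
SAMPLE_AUDIT = """\
[234198.945293] type=1400 audit(1349689808.647:1518134): avc:  denied  { write } for  pid=6288 comm="postdrop" name="maildrop" dev=dm-4 ino=15869 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
[234198.945387] type=1400 audit(1349689808.647:1518135): avc:  denied  { write } for  pid=5277 comm="postdrop" name="maildrop" dev=dm-4 ino=15869 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
"""

# "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return {'perms': [...], 'pid': ..., 'scontext': ..., ...} or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {'perms': m.group('perms').split(), **fields}


def type_of(context):
    # A context is user:role:type[:range]; the policy rule only needs the type.
    return context.split(':')[2]


def format_rule(source, target, tclass, perms):
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {source} {target}:{tclass} {body};"


def suggest_rules(audit_text):
    """Group denials by (source type, target type, class) and return
    [(allow-rule, number of denials it covers), ...] sorted by rule."""
    perms_by_key = defaultdict(set)
    counts = defaultdict(int)
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d is None or not {'scontext', 'tcontext', 'tclass'} <= d.keys():
            continue  # not an AVC denial, or a malformed one
        key = (type_of(d['scontext']), type_of(d['tcontext']), d['tclass'])
        perms_by_key[key].update(d['perms'])
        counts[key] += 1
    return [(format_rule(*key, perms), counts[key])
            for key, perms in sorted(perms_by_key.items())]


if __name__ == '__main__':
    for rule, n in suggest_rules(SAMPLE_AUDIT):
        print(f"{n:5d}  {rule}")
```

The generated rule is only a starting point for triage; whether to grant it, relabel the directory, or load the missing policy module is the decision the report is asking about.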


