[DSE-Dev] Bug#772486: selinux-policy-default: AVC for postfix

Benoit Friry benoit at friry.net
Sun Dec 7 17:59:56 UTC 2014


Package: selinux-policy-default
Version: 2:2.20140421-7
Severity: normal

Dear Maintainer,

Postfix is configured as satellite host.

After some time, /var/log/audit/audit.log contains lots of AVC messages.

# grep postfix /var/log/audit/audit.log|grep AVC|cut -d' ' -f'7-'|sed -e 's/ permissive=1$//' -e 's/=unconfined_u:unconfined_r:/=u:u:/g'|sed -e 's/=system_u:system_r:/=s:s:/g' -e 's/for  pid=[0-9]* //' -e 's/ino=[0-9]* //' -e 's/pipe:\[[0-9]*\]/pipe:\[XXX\]/'|sort|uniq -c
      2 { connectto } comm="postdrop" path="/var/spool/postfix/public/pickup" scontext=s:s:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=s:s:postfix_master_t:s0 tclass=unix_stream_socket
      1 { getattr } comm="lsof" path="socket:[18785013]" dev="sockfs" scontext=s:s:system_cronjob_t:s0-s0:c0.c1023 tcontext=s:s:postfix_master_t:s0 tclass=tcp_socket
      1 { getattr } comm="lsof" path="socket:[18787006]" dev="sockfs" scontext=s:s:system_cronjob_t:s0-s0:c0.c1023 tcontext=s:s:postfix_master_t:s0 tclass=unix_dgram_socket
      1 { getattr } comm="lsof" path="socket:[18850823]" dev="sockfs" scontext=s:s:system_cronjob_t:s0-s0:c0.c1023 tcontext=s:s:postfix_master_t:s0 tclass=unix_stream_socket
      1 { getattr } comm="lsof" path="socket:[18850886]" dev="sockfs" scontext=s:s:system_cronjob_t:s0-s0:c0.c1023 tcontext=s:s:postfix_qmgr_t:s0 tclass=unix_dgram_socket
      1 { getattr } comm="lsof" path="socket:[65454640]" dev="sockfs" scontext=s:s:system_cronjob_t:s0-s0:c0.c1023 tcontext=s:s:postfix_pickup_t:s0 tclass=unix_dgram_socket
      1 { getattr } comm="postdrop" path=2F746D702F746D7066516A67655052202864656C6574656429 dev="tmpfs" scontext=s:s:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crond_tmp_t:s0 tclass=file
      1 { getattr } comm="postdrop" path=2F746D702F746D706658684C466C70202864656C6574656429 dev="tmpfs" scontext=s:s:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crond_tmp_t:s0 tclass=file
      2 { getattr } comm="postdrop" path="/var/spool/postfix/public/pickup" dev="dm-1" scontext=s:s:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_public_t:s0 tclass=sock_file
     32 { getattr } comm="postqueue" path="pipe:[XXX]" dev="pipefs" scontext=u:u:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=s:s:sshd_t:s0-s0:c0.c1023 tclass=fifo_file
     32 { getattr } comm="postqueue" path="pipe:[XXX]" dev="pipefs" scontext=u:u:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=u:u:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file
      5 { getattr } comm="showq" path="/var/spool/postfix/pid/unix.showq" dev="dm-1" scontext=s:s:postfix_showq_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
      1 { getattr } comm="userdel" path="/var/spool/postfix" dev="dm-1" scontext=u:u:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:postfix_spool_t:s0 tclass=dir
      5 { lock } comm="showq" path="/pid/unix.showq" dev="dm-1" scontext=s:s:postfix_showq_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
      5 { open } comm="showq" path="/var/spool/postfix/pid/unix.showq" dev="dm-1" scontext=s:s:postfix_showq_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
     16 { read } comm="pickup" name="maildrop" dev="dm-1" scontext=s:s:postfix_pickup_t:s0 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=dir
     31 { read } comm="postqueue" path="pipe:[XXX]" dev="pipefs" scontext=u:u:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=s:s:sshd_t:s0-s0:c0.c1023 tclass=fifo_file
      5 { read } comm="showq" name="maildrop" dev="dm-1" scontext=s:s:postfix_showq_t:s0 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=dir
      1 { read write } comm="postdrop" path=2F746D702F746D7066516A67655052202864656C6574656429 dev="tmpfs" scontext=s:s:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crond_tmp_t:s0 tclass=file
      1 { read write } comm="postdrop" path=2F746D702F746D706658684C466C70202864656C6574656429 dev="tmpfs" scontext=s:s:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crond_tmp_t:s0 tclass=file
      5 { read write } comm="showq" name="unix.showq" dev="dm-1" scontext=s:s:postfix_showq_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
      1 { use } comm="postqueue" path="/dev/pts/2" dev="devpts" scontext=u:u:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=u:u:unconfined_t:s0-s0:c0.c1023 tclass=fd
     33 { use } comm="postqueue" path="pipe:[XXX]" dev="pipefs" scontext=u:u:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=u:u:unconfined_t:s0-s0:c0.c1023 tclass=fd
     12 { write } comm="master" name="pickup" dev="dm-1" scontext=s:s:postfix_master_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file
      5 { write } comm="master" name="qmgr" dev="dm-1" scontext=s:s:postfix_master_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file
      2 { write } comm="postdrop" name="pickup" dev="dm-1" scontext=s:s:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_public_t:s0 tclass=sock_file
      5 { write } comm="postqueue" name="showq" dev="dm-1" scontext=u:u:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file
     31 { write } comm="postqueue" path="pipe:[XXX]" dev="pipefs" scontext=u:u:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=s:s:sshd_t:s0-s0:c0.c1023 tclass=fifo_file
     37 { write } comm="postqueue" path="pipe:[XXX]" dev="pipefs" scontext=u:u:postfix_postqueue_t:s0-s0:c0.c1023 tcontext=u:u:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file

I ran 'restorecon -R /var/spool/postfix' to ensure correct filesystem
settings.  I don't remember having made any heavy changes to the Postfix
configuration.  I'm surprised to see that many AVC messages.  I don't know
how to find out where it goes wrong.

Thanks,
Benoit

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3.1
ii  libselinux1      2.3-2
ii  libsepol1        2.3-2
ii  policycoreutils  2.3-1
ii  python           2.7.8-2
ii  selinux-utils    2.3-2

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools      3.3.8-3.1

Versions of packages selinux-policy-default suggests:
ii  logcheck        1.3.17
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local
/srv/postgresql/([0-9].*)?    system_u:object_r:postgresql_db_t:s0
/srv/log -d system_u:object_r:var_log_t:s0
/srv/log/[-0-9]*.[a-z0-9]*.messages    system_u:object_r:var_log_t:s0

-- no debconf information
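The grep/sed/sort/uniq pipeline in the report groups raw AVC records by permission, command, source and target context and class. The following script does the same grouping with a proper field parser, decodes the hex-encoded path values (auditd writes a path that contains a space, such as a deleted tmpfile, as unquoted hex), and additionally lists objects that show up under more than one target type, which is the signature of a labelling problem rather than a missing policy rule. This is an added example for this report; it is not part of the bug report or of the Debian selinux-policy packages, and the sample audit lines embedded in it are constructed to resemble the report's denials, not copied from any system.

```python
#!/usr/bin/env python3
"""Aggregate SELinux AVC denials from an audit.log (added example, not the
report's own tooling).  SAMPLE_AUDIT_LOG below is constructed sample data."""
import re
from collections import Counter, defaultdict

# Constructed sample records in auditd's AVC format.  The third line carries a
# hex-encoded path, which is how auditd emits a name containing a space.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1417974000.101:5001): avc:  denied  { connectto } for  pid=1234 comm="postdrop" path="/var/spool/postfix/public/pickup" scontext=system_u:system_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=system_u:system_r:postfix_master_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1417974001.102:5002): avc:  denied  { connectto } for  pid=1240 comm="postdrop" path="/var/spool/postfix/public/pickup" scontext=system_u:system_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=system_u:system_r:postfix_master_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1417974002.103:5003): avc:  denied  { read write } for  pid=1240 comm="postdrop" path=2F746D702F746D7066516A67655052202864656C6574656429 dev="tmpfs" ino=44 scontext=system_u:system_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crond_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1417974003.104:5004): avc:  denied  { write } for  pid=900 comm="master" name="pickup" dev="dm-1" ino=12 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1417974004.105:5005): avc:  denied  { write } for  pid=1250 comm="postdrop" name="pickup" dev="dm-1" ino=12 scontext=system_u:system_r:postfix_postdrop_t:s0-s0:c0.c1023 tcontext=system_u:object_r:postfix_public_t:s0 tclass=sock_file permissive=1
type=SYSCALL msg=audit(1417974003.104:5004): arch=c000003e syscall=42 success=yes exit=0
"""

PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]*) \}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')


def selinux_type(context):
    """'system_u:system_r:postfix_master_t:s0' -> 'postfix_master_t'."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one audit record; return a dict for AVC records, None otherwise."""
    if not line.startswith('type=AVC '):
        return None
    m = PERMS_RE.search(line)
    if m is None:
        return None
    rec = {'decision': m.group(1), 'perms': tuple(m.group(2).split())}
    for key, raw in FIELD_RE.findall(line[m.end():]):
        if raw.startswith('"'):
            rec[key] = raw[1:-1]
        elif key in ('path', 'name', 'comm') and HEX_RE.match(raw):
            # Unquoted hex value: decode it, e.g. '/tmp/tmpfQjgePR (deleted)'
            rec[key] = bytes.fromhex(raw).decode('utf-8', errors='replace')
        else:
            rec[key] = raw
    return rec


def denied_records(log_text):
    """Yield parsed AVC denials that carry both contexts and a class."""
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['decision'] != 'denied':
            continue
        if not all(k in rec for k in ('scontext', 'tcontext', 'tclass')):
            continue
        yield rec


def summarize(log_text):
    """Count denials by (permissions, comm, source type, target type, class),
    the same grouping the report's grep|sed|sort|uniq -c pipeline produces."""
    counts = Counter()
    for rec in denied_records(log_text):
        key = (' '.join(rec['perms']), rec.get('comm', '?'),
               selinux_type(rec['scontext']), selinux_type(rec['tcontext']),
               rec['tclass'])
        counts[key] += 1
    return counts


def target_types_per_object(log_text):
    """Map each denied object (path or name) to the set of target types it
    was seen with.  One object under two labels (e.g. a socket file labelled
    var_spool_t in one record and postfix_public_t in another) points at
    inconsistent labelling, which restorecon/matchpathcon can confirm."""
    seen = defaultdict(set)
    for rec in denied_records(log_text):
        obj = rec.get('path') or rec.get('name')
        if obj:
            seen[obj].add(selinux_type(rec['tcontext']))
    return dict(seen)


if __name__ == '__main__':
    for key, n in sorted(summarize(SAMPLE_AUDIT_LOG).items(), key=lambda kv: -kv[1]):
        print(f'{n:4d}  {{ {key[0]} }} comm={key[1]} {key[2]} -> {key[3]} class={key[4]}')
    for obj, types in target_types_per_object(SAMPLE_AUDIT_LOG).items():
        if len(types) > 1:
            print(f'object {obj!r} seen with several target types: {sorted(types)}')
```

Run it against a real file with `summarize(open('/var/log/audit/audit.log').read())`; objects that `target_types_per_object` reports under more than one type are the ones to check with matchpathcon before concluding that the policy itself lacks a rule.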