mailq.postfix.gz.1 incorrectly labeled in FC6T1

Paul Howarth paul at city-fan.org
Fri Jul 14 14:59:42 UTC 2006


James Antill wrote:
> On Fri, 2006-07-14 at 07:59 +0100, Paul Howarth wrote:
>> On Thu, 2006-07-13 at 19:44 -0500, Jay Cliburn wrote:
>>> After installing postfix under FC6T1, I kept getting this avc:
>>>
>>> audit(1152836951.218:8): avc:  denied  { getattr } for  pid=3130
>>> comm="sh" name="mailq.postfix.1.gz" dev=dm-0 ino=1084752
>>> scontext=user_u:system_r:postfix_master_t:s0
>>> tcontext=system_u:object_r:man_t:s0 tclass=file
>>>
>>> It's a manpage and it looks to me like it came from the factory labeled
>>> incorrectly.  A chcon to system_u:object_r:man_t seems to have fixed it.
>> This has been seen before on FC5:
>>
>> http://www.redhat.com/archives/fedora-selinux-list/2006-June/msg00021.html
>>
>> It appears to happen when postfix is started. The AVC suggests that the
>> manpage already has the correct context, and the strange thing is that
>> the postfix master program is trying to access it (why should that be?).
> 
>  AIUI postfix looks for where the documentation is for error messages to
> the user (i.e. look at the documentation at X to help solve problem Y).

Excellent! A sane explanation :-)

I suggest adding the following to the postfix policy:

# Postfix master process looking for its man pages so that it can refer
# to them in error messages
# (e.g. look at the documentation at X to help solve problem Y)
miscfiles_read_man_pages(postfix_master_t)

Paul.
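As an added illustration that is not part of the original thread, a small Python script that parses the AVC line quoted above and applies the reasoning in this message: if the target file's type already matches what the file contexts expect, the denial points to a missing policy rule rather than a mislabeled file. The sample line, the interface lookup table and the restorecon hint are constructed for this example.

```python
import re

# Constructed: the AVC message quoted in the thread, joined onto one line.
SAMPLE_AVC = ('audit(1152836951.218:8): avc:  denied  { getattr } for  pid=3130 '
              'comm="sh" name="mailq.postfix.1.gz" dev=dm-0 ino=1084752 '
              'scontext=user_u:system_r:postfix_master_t:s0 '
              'tcontext=system_u:object_r:man_t:s0 tclass=file')

# Constructed lookup: reference-policy interfaces that grant read access to a
# given target type. Only the entry discussed in the thread is included.
READ_INTERFACES = {'man_t': 'miscfiles_read_man_pages'}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split an AVC denial into its permissions and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; the type is what the policy cares about.
    for ctx in ('scontext', 'tcontext'):
        rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec


def diagnose(rec, expected_type):
    """Decide whether the denial is a labeling problem or a policy gap.

    Returns ('relabel', hint) when the file carries a type other than the one
    the file contexts expect, otherwise ('policy', suggested_rule).
    """
    actual = rec['tcontext_type']
    if actual != expected_type:
        hint = (f"{rec['name']} is {actual}, expected {expected_type}: "
                f"restore the label (e.g. restorecon on the file)")
        return ('relabel', hint)
    interface = READ_INTERFACES.get(actual)
    if interface and rec['tclass'] == 'file':
        return ('policy', f"{interface}({rec['scontext_type']})")
    perms = ' '.join(rec['perms'])
    return ('policy',
            f"allow {rec['scontext_type']} {actual}:{rec['tclass']} {{ {perms} }};")


if __name__ == '__main__':
    record = parse_avc(SAMPLE_AVC)
    print(diagnose(record, 'man_t'))
```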



