postfix, procmail and SELinux - No Go

Marc Schwartz (via MN) mschwartz at mn.rr.com
Wed Jun 21 18:57:38 UTC 2006


On Wed, 2006-06-21 at 18:33 +0100, Paul Howarth wrote:
> Marc Schwartz (via MN) wrote:
> >> Can you try restarting postfix? I think the manpage thing happened at 
> >> that point.
> > 
> > Interesting. Recalling that, I had re-booted before my reply above and
> > had no msgs. However doing a service restart post-boot using
> > system-config-services, I get:
> > 
> > type=AVC msg=audit(1150906621.693:641): avc:  denied  { read } for  pid=12784 comm="postfix" name=".fonts.cache-2" dev=hdc7 ino=427877 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
> > type=SYSCALL msg=audit(1150906621.693:641): arch=40000003 syscall=11 success=yes exit=0 a0=9e14f80 a1=9dfb478 a2=9e14f98 a3=9e14e68 items=2 pid=12784 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postfix" exe="/usr/sbin/postfix"
> > type=AVC_PATH msg=audit(1150906621.693:641):  path="/root/.rh-fontconfig/.fonts.cache-2"
> > type=CWD msg=audit(1150906621.693:641):  cwd="/"
> > type=PATH msg=audit(1150906621.693:641): item=0 name="/usr/sbin/postfix" flags=101  inode=3132499 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > type=PATH msg=audit(1150906621.693:641): item=1 flags=101  inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > type=AVC msg=audit(1150906621.829:642): avc:  denied  { read } for  pid=12796 comm="postfix" name=".fonts.cache-2" dev=hdc7 ino=427877 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
> > type=SYSCALL msg=audit(1150906621.829:642): arch=40000003 syscall=11 success=yes exit=0 a0=9e15318 a1=9e00e50 a2=9e14f98 a3=9e14d00 items=2 pid=12796 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postfix" exe="/usr/sbin/postfix"
> > type=AVC_PATH msg=audit(1150906621.829:642):  path="/root/.rh-fontconfig/.fonts.cache-2"
> > type=CWD msg=audit(1150906621.829:642):  cwd="/"
> > type=PATH msg=audit(1150906621.829:642): item=0 name="/usr/sbin/postfix" flags=101  inode=3132499 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > type=PATH msg=audit(1150906621.829:642): item=1 flags=101  inode=754491 dev=16:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > 
> > Which seems to not involve the man pages, but font caches for some
> > reason.
> 
> That's just completely weird. I wonder if it's a filehandle left open 
> from somewhere. I wonder how to diagnose this further? Since the types 
> aren't consistent, they can't even be dontaudit-ed. I trust nothing has 
> broken anyway?

I don't see any evidence of other problems at this point.  The above
seems to be specifically related to the use of system-config-services,
so perhaps there is some gtk interaction going on. At the CLI, there do
not appear to be problems.

I have no clue otherwise.

> >> Once that's done I'd like to try out the dcc and razor modules that are 
> >> now in rawhide. That will involve going back to permissive mode for a 
> >> while though.
> 
> OK, I've attached the dcc and razor policy files from the current FC5 
> selinux-policy package. Try installing those, put selinux in permissive 
> mode, do a restorecon on all of your dcc and razor files/directories and 
> see what happens.
> 
> Paul.

Just to be clear, I should leave or remove the mydcc policy?

Marc
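
Added example, not part of the original message or of any Fedora tool: a small Python parser that groups audit records by event id and joins each AVC denial with its AVC_PATH record, so the two denials quoted above collapse into one row showing the full path. The function names are hypothetical; the sample lines are copied from the message.

```python
import re
from collections import defaultdict

# Sample input: AVC and AVC_PATH records copied from the message above.
SAMPLE = '''\
type=AVC msg=audit(1150906621.693:641): avc:  denied  { read } for  pid=12784 comm="postfix" name=".fonts.cache-2" dev=hdc7 ino=427877 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC_PATH msg=audit(1150906621.693:641):  path="/root/.rh-fontconfig/.fonts.cache-2"
type=AVC msg=audit(1150906621.829:642): avc:  denied  { read } for  pid=12796 comm="postfix" name=".fonts.cache-2" dev=hdc7 ino=427877 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC_PATH msg=audit(1150906621.829:642):  path="/root/.rh-fontconfig/.fonts.cache-2"
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'\{([^}]*)\}')

def parse_events(text):
    """Group audit records by event id (timestamp, serial)."""
    events = defaultdict(dict)
    for line in text.splitlines():
        # Tolerate mail-quoted input ("> > type=AVC ...").
        m = HEADER.match(line.lstrip('> ').rstrip())
        if not m:
            continue
        rtype, stamp, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == 'AVC':
            perms = PERMS.search(body)
            fields['perms'] = tuple(perms.group(1).split()) if perms else ()
        # Repeated record types in one event (e.g. PATH item=0/1) keep the last one.
        events[(stamp, int(serial))][rtype] = fields
    return dict(events)

def summarize(events):
    """Collapse denials into unique rows, listing the event serials for each."""
    rows = defaultdict(list)
    for (stamp, serial), recs in sorted(events.items()):
        avc = recs.get('AVC')
        if avc is None:
            continue
        # SELinux context is user:role:type[:level]; the type drives the decision.
        stype = avc['scontext'].split(':')[2]
        ttype = avc['tcontext'].split(':')[2]
        # AVC carries only the last path component; AVC_PATH has the full path.
        path = recs.get('AVC_PATH', {}).get('path', avc.get('name', '?'))
        key = (avc.get('comm', '?'), stype, ttype, avc['tclass'], avc['perms'], path)
        rows[key].append(serial)
    return dict(rows)

if __name__ == '__main__':
    for key, serials in summarize(parse_events(SAMPLE)).items():
        print(key, 'events:', serials)
```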




