postfix fifo file

Mon Apr 13 11:36:22 UTC 2009

On 04/10/2009 09:27 AM, Craig White wrote:
> On Fri, 2009-04-10 at 07:15 -0400, Daniel J Walsh wrote:
>> On 04/09/2009 11:44 AM, Craig White wrote:
>>> This is from a newly setup CentOS 5.3 server...and I definitely don't
>>> understand what it's wanting to make it happy.
>>>
>>> # sealert -l 6208be6e-3fb4-4748-80e8-769687066b83
>>>
>>> Summary:
>>>
>>> SELinux is preventing postfix-script (postfix_master_t) "ioctl" to pipe
>>> (crond_t).
>>>
>>> Detailed Description:
>>>
>>> [SELinux is in permissive mode, the operation would have been denied but
>>> was permitted due to permissive mode.]
>>>
>>> SELinux denied access requested by postfix-script. It is not expected
>>> that this access is required by postfix-script and this access may
>>> signal an intrusion attempt. It is also possible that the specific
>>> version or configuration of the application is causing it to require
>>> additional access.
>>>
>>> Allowing Access:
>>>
>>> You can generate a local policy module to allow this access - see FAQ
>>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
>>> disable SELinux protection altogether. Disabling SELinux protection is
>>> not recommended.
>>> Please file a bug report
>>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>>> against this package.
>>>
>>> Additional Information:
>>>
>>> Source Context                user_u:system_r:postfix_master_t
>>> Target Context
>>> system_u:system_r:crond_t:SystemLow-SystemHigh
>>> Target Objects                pipe [ fifo_file ]
>>> Source                        postfix-script
>>> Source Path                   /bin/bash
>>> Port<Unknown>
>>> Host                          srv1.azapple.com
>>> Source RPM Packages           bash-3.2-24.el5
>>> Target RPM Packages
>>> Policy RPM                    selinux-policy-2.4.6-203.el5
>>> Selinux Enabled               True
>>> Policy Type                   targeted
>>> MLS Enabled                   True
>>> Enforcing Mode                Permissive
>>> Plugin Name                   catchall
>>> Host Name                     srv1.azapple.com
>>> Platform                      Linux srv1.azapple.com 2.6.18-128.1.1.el5
>>> #1 SMP
>>>                                 Wed Mar 25 18:15:30 EDT 2009 i686 i686
>>> Alert Count                   8
>>> First Seen                    Thu Apr  2 04:34:40 2009
>>> Last Seen                     Thu Apr  9 04:17:20 2009
>>> Local ID                      6208be6e-3fb4-4748-80e8-769687066b83
>>> Line Numbers
>>>
>>> Raw Audit Messages
>>>
>>> host=srv1.azapple.com type=AVC msg=audit(1239275840.489:3152): avc:
>>> denied  { ioctl } for  pid=11778 comm="postfix-script"
>>> path="pipe:[1634010]" dev=pipefs ino=1634010
>>> scontext=user_u:system_r:postfix_master_t:s0
>>> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
>>>
>>> host=srv1.azapple.com type=SYSCALL msg=audit(1239275840.489:3152):
>>> arch=40000003 syscall=54 success=no exit=-22 a0=0 a1=5401 a2=bfc30d40
>>> a3=bfc30e4c items=0 ppid=11761 pid=11778 auid=0 uid=0 gid=0 euid=0
>>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=212
>>> comm="postfix-script" exe="/bin/bash"
>>> subj=user_u:system_r:postfix_master_t:s0 key=(null)
>>>
>>>
>>>
>> This look like postfix trying to communicate with the pipe from cron
>> (stdout).  Current policy allows read/write/getattr but no ioctl.
>>
>> You can add this access via
>> # grep postfix /var/log/audit/audit.log | audit2allow -mypostfix
>> # semodule -i mypostfix.pp
>>
>> I will add this fix to RHEL5.4 policy, Preview should be available on
>>
>> http://people.redhat.com/dwalsh/SELinux/RHEL5
>>
>> selinux-policy-2.4.6-223.el5
> ----
> Thanks, will do.
>
> I take it then that the admonition to file a bugzilla report is not
> necessary?
>
> Craig
>
>
Yes don't bother, I will fix it.