postfix fifo file

Craig White craigwhite at azapple.com
Fri Apr 10 13:27:25 UTC 2009


On Fri, 2009-04-10 at 07:15 -0400, Daniel J Walsh wrote:
> On 04/09/2009 11:44 AM, Craig White wrote:
> > This is from a newly setup CentOS 5.3 server...and I definitely don't
> > understand what it's wanting to make it happy.
> >
> > # sealert -l 6208be6e-3fb4-4748-80e8-769687066b83
> >
> > Summary:
> >
> > SELinux is preventing postfix-script (postfix_master_t) "ioctl" to pipe
> > (crond_t).
> >
> > Detailed Description:
> >
> > [SELinux is in permissive mode, the operation would have been denied but
> > was permitted due to permissive mode.]
> >
> > SELinux denied access requested by postfix-script. It is not expected
> > that this access is required by postfix-script and this access may
> > signal an intrusion attempt. It is also possible that the specific
> > version or configuration of the application is causing it to require
> > additional access.
> >
> > Allowing Access:
> >
> > You can generate a local policy module to allow this access - see FAQ
> > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> > disable SELinux protection altogether. Disabling SELinux protection is
> > not recommended.
> > Please file a bug report
> > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> > against this package.
> >
> > Additional Information:
> >
> > Source Context                user_u:system_r:postfix_master_t
> > Target Context
> > system_u:system_r:crond_t:SystemLow-SystemHigh
> > Target Objects                pipe [ fifo_file ]
> > Source                        postfix-script
> > Source Path                   /bin/bash
> > Port                          <Unknown>
> > Host                          srv1.azapple.com
> > Source RPM Packages           bash-3.2-24.el5
> > Target RPM Packages
> > Policy RPM                    selinux-policy-2.4.6-203.el5
> > Selinux Enabled               True
> > Policy Type                   targeted
> > MLS Enabled                   True
> > Enforcing Mode                Permissive
> > Plugin Name                   catchall
> > Host Name                     srv1.azapple.com
> > Platform                      Linux srv1.azapple.com 2.6.18-128.1.1.el5
> > #1 SMP
> >                                Wed Mar 25 18:15:30 EDT 2009 i686 i686
> > Alert Count                   8
> > First Seen                    Thu Apr  2 04:34:40 2009
> > Last Seen                     Thu Apr  9 04:17:20 2009
> > Local ID                      6208be6e-3fb4-4748-80e8-769687066b83
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > host=srv1.azapple.com type=AVC msg=audit(1239275840.489:3152): avc:
> > denied  { ioctl } for  pid=11778 comm="postfix-script"
> > path="pipe:[1634010]" dev=pipefs ino=1634010
> > scontext=user_u:system_r:postfix_master_t:s0
> > tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
> >
> > host=srv1.azapple.com type=SYSCALL msg=audit(1239275840.489:3152):
> > arch=40000003 syscall=54 success=no exit=-22 a0=0 a1=5401 a2=bfc30d40
> > a3=bfc30e4c items=0 ppid=11761 pid=11778 auid=0 uid=0 gid=0 euid=0
> > suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=212
> > comm="postfix-script" exe="/bin/bash"
> > subj=user_u:system_r:postfix_master_t:s0 key=(null)
> >
> >
> >
> This look like postfix trying to communicate with the pipe from cron 
> (stdout).  Current policy allows read/write/getattr but no ioctl.
> 
> You can add this access via
> # grep postfix /var/log/audit/audit.log | audit2allow -M mypostfix
> # semodule -i mypostfix.pp
> 
> I will add this fix to RHEL5.4 policy, Preview should be available on
> 
> http://people.redhat.com/dwalsh/SELinux/RHEL5
> 
> selinux-policy-2.4.6-223.el5
----
Thanks, will do.

I take it then that the admonition to file a bugzilla report is not
necessary?

Craig
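What the `audit2allow -M` step in the reply does with the AVC record quoted above, as an added example (not part of the original thread, and not audit2allow's own code): parse the denial, reduce each context to its type, and emit the equivalent `.te` source so the resulting rule can be reviewed before `semodule -i` loads it. The sample line is a copy of the thread's AVC record joined onto one line; the module name `mypostfix` is the one the reply uses.

```python
import re

# Constructed copy of the AVC record quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'host=srv1.azapple.com type=AVC msg=audit(1239275840.489:3152): avc: '
    'denied  { ioctl } for  pid=11778 comm="postfix-script" '
    'path="pipe:[1634010]" dev=pipefs ino=1634010 '
    'scontext=user_u:system_r:postfix_master_t:s0 '
    'tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source type, target type, class, perms) or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:mls range]; TE allow rules are written on the type.
    stype = m.group('scon').split(':')[2]
    ttype = m.group('tcon').split(':')[2]
    return stype, ttype, m.group('tclass'), frozenset(m.group('perms').split())

def te_module(name, lines):
    """Build minimal .te source for the denials in `lines`, merging perms per rule."""
    rules = {}    # (stype, ttype, tclass) -> set of perms seen across all lines
    classes = {}  # tclass -> perms that the require block must declare
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue  # SYSCALL and other record types carry no AVC fields
        stype, ttype, tclass, perms = parsed
        rules.setdefault((stype, ttype, tclass), set()).update(perms)
        classes.setdefault(tclass, set()).update(perms)
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), p in sorted(rules.items()):
        perm = next(iter(p)) if len(p) == 1 else "{ " + " ".join(sorted(p)) + " }"
        out.append(f"allow {s} {t}:{c} {perm};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Review the single allow rule this prints before compiling and loading it.
    print(te_module("mypostfix", [SAMPLE_AVC]))
```

The generated rule should be exactly as narrow as the denial (here `postfix_master_t` on a `crond_t` fifo_file, `ioctl` only); anything broader in a local module is a sign the log grep pulled in unrelated denials.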

