[rhelv6-list] Selinux and postfix vs script in .forward
Brian Wheeler
bdwheele at indiana.edu
Thu Aug 30 15:37:39 UTC 2012
I've got a user who wants to run a script specified in their .forward file:
.forward (USER.USER 0664)
=============
|/home/USER/Code/forwardbuildresults.sh
=============
The script seems to be correct as well:
-rwxrwxr-x. USER USER system_u:object_r:nfs_t:s0
/home/USER/Code/forwardbuildresults.sh
but when he tries to catch the mail, this shows up in maillog:
Aug 30 11:29:49 pine postfix/local[29020]: 54A6976B: to=<USER at pine>, relay=local, delay=537, delays=537/0.02/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: local: fatal: execvp /home/USER/Code/forwardbuildresults.sh: Permission denied )
and this shows up in /var/log/messages:
Aug 30 11:29:53 pine setroubleshoot: SELinux is preventing /usr/libexec/postfix/local from execute access on the file forwardbuildresults.sh. For complete SELinux messages. run sealert -l a97ab991-717f-43bb-a990-1017bca686e9
sealert is pretty worthless in this case:
===============================
SELinux is preventing /usr/libexec/postfix/local from execute access on
the file forwardbuildresults.sh.
***** Plugin leaks (86.2 confidence) suggests
******************************
If you want to ignore local trying to execute access the
forwardbuildresults.sh file, because you believe it should not need this
access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/libexec/postfix/local /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp
***** Plugin catchall (14.7 confidence) suggests
***************************
If you believe that local should be allowed execute access on the
forwardbuildresults.sh file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep local /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
==================================
Since the file resides on NFS there isn't any way to reset the context type... is there a magic setting for postfix that will let this go through?
Brian
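Added example, not from the original post or the list: a POSIX sh helper that parses the raw AVC record behind a setroubleshoot message like the one above, reports whether the denied target is on a filesystem whose label can be changed per file, and prints the sesearch query that shows whether a rule (possibly gated by a boolean) already grants the access. The AVC record is constructed to match the post; pid, dev and ino are assumed values.

```shell
#!/bin/sh
# Diagnostic helper (added example). Parses one AVC record as written to
# /var/log/audit/audit.log. SAMPLE_AVC is CONSTRUCTED from the post's
# setroubleshoot text; pid, dev and ino are made up.
SAMPLE_AVC='type=AVC msg=audit(1346326189.412:7721): avc:  denied  { execute } for  pid=29020 comm="local" name="forwardbuildresults.sh" dev=0:21 ino=4242 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file'

# avc_field RECORD KEY -> value of KEY=value, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# avc_perms RECORD -> the permission names listed between { and }
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT -> the type field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD -> "source_type target_type class perm[,perm...]"
avc_summary() {
    printf '%s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1" | tr ' ' ',')"
}

# avc_sesearch RECORD -> sesearch command that lists the allow rules for
# exactly this access. Run it on the affected host; on setools 3 add -C to
# see which boolean each conditional rule depends on, then getsebool it.
avc_sesearch() {
    set -- $(avc_summary "$1")
    printf 'sesearch --allow -s %s -t %s -c %s -p %s\n' "$1" "$2" "$3" "$4"
}

# avc_fix_side RECORD -> where a change has to be made:
#   mount : target type is nfs_t or cifs_t; without labeled NFS the whole
#           mount shares one label (set with -o context=), so chcon on a
#           single file cannot change it and only policy/boolean changes help
#   file  : ordinary labeled filesystem, per-file relabeling is possible
avc_fix_side() {
    case "$(ctx_type "$(avc_field "$1" tcontext)")" in
        nfs_t|cifs_t) echo mount ;;
        *) echo file ;;
    esac
}

avc_summary "$SAMPLE_AVC"
avc_fix_side "$SAMPLE_AVC"
avc_sesearch "$SAMPLE_AVC"
```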