[rhelv6-list] Selinux and postfix vs script in .forward

Brian Wheeler bdwheele at indiana.edu
Thu Aug 30 15:37:39 UTC 2012


I've got a user who wants to run a script specified in their .forward file:

.forward (USER.USER 0664)
=============
|/home/USER/Code/forwardbuildresults.sh
=============

The script seems to be correct as well:
-rwxrwxr-x. USER USER system_u:object_r:nfs_t:s0 
/home/USER/Code/forwardbuildresults.sh


but when he tries to catch the mail, this shows up in maillog:
Aug 30 11:29:49 pine postfix/local[29020]: 54A6976B: to=<USER at pine>, 
relay=local, delay=537, delays=537/0.02/0/0.02, dsn=4.3.0, 
status=deferred (temporary failure. Command output: local: fatal: execvp 
/home/USER/Code/forwardbuildresults.sh: Permission denied )

and this shows up in /var/log/messages:
Aug 30 11:29:53 pine setroubleshoot: SELinux is preventing 
/usr/libexec/postfix/local from execute access on the file 
forwardbuildresults.sh. For complete SELinux messages. run sealert -l 
a97ab991-717f-43bb-a990-1017bca686e9

sealert is pretty worthless in this case:
===============================
SELinux is preventing /usr/libexec/postfix/local from execute access on 
the file forwardbuildresults.sh.

*****  Plugin leaks (86.2 confidence) suggests 
******************************

If you want to ignore local trying to execute access the 
forwardbuildresults.sh file, because you believe it should not need this 
access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/libexec/postfix/local /var/log/audit/audit.log | audit2allow 
-D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests 
***************************

If you believe that local should be allowed execute access on the 
forwardbuildresults.sh file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep local /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
==================================

Since the file resides on NFS there isn't any way to reset the context 
type... is there a magic setting for postfix that will let this go through?

Brian
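An added example, not part of Brian's post or of any Red Hat tooling: a small triage helper for denials like this one. The post only shows the setroubleshoot summary, so the AVC record below is constructed in the standard audit.log layout with the pid, command and file name taken from the post and the timestamp, dev and ino values made up. The script pulls out the source domain, target type and permission, flags that nfs_t is assigned by the mount rather than the file-context database (so chcon or restorecon cannot change it, as the post says), and prints the checks worth running before loading the audit2allow module sealert proposes: sesearch to see whether an existing (possibly boolean-gated) rule already covers postfix_local_t executing nfs_t files, getsebool to list the NFS-related booleans (on RHEL 6 use_nfs_home_dirs is the usual one to look at first; whether it covers this exact access is what the sesearch line answers), and a dry run of audit2allow so you can read what the generated module would grant. The command names and options used are standard setools/policycoreutils ones; the helper function names are this example's own.

```python
import re

# Constructed sample of the raw audit.log record behind the denial in the post.
# Field layout is the standard AVC format; pid/comm/name come from the post,
# the timestamp, dev and ino values are made up.
SAMPLE_AVC = (
    'type=AVC msg=audit(1346326193.000:4567): avc:  denied  { execute } for  '
    'pid=29020 comm="local" name="forwardbuildresults.sh" dev=0:21 ino=12345 '
    'scontext=system_u:system_r:postfix_local_t:s0 '
    'tcontext=system_u:object_r:nfs_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the interesting fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if 'scontext' not in kv or 'tcontext' not in kv:
        return None
    return {
        'perms': m.group('perms').split(),
        'comm': kv.get('comm'),
        'name': kv.get('name'),
        'source_type': kv['scontext'].split(':')[2],  # e.g. postfix_local_t
        'target_type': kv['tcontext'].split(':')[2],  # e.g. nfs_t
        'tclass': kv.get('tclass'),
    }


# Types a file gets from its mount, not from the file-context database, so
# chcon / restorecon / semanage fcontext cannot change them.
MOUNT_DERIVED_TYPES = {'nfs_t', 'cifs_t'}


def relabel_possible(avc):
    """False when fixing the file label is not an option and policy must change instead."""
    return avc['target_type'] not in MOUNT_DERIVED_TYPES


def suggest_checks(avc):
    """Commands to run before 'semodule -i mypol.pp': is the access already
    allowed under a boolean, and what exactly would the generated module grant?"""
    src, tgt, cls = avc['source_type'], avc['target_type'], avc['tclass']
    perms = ','.join(avc['perms'])
    fs_name = tgt.replace('_t', '')  # nfs_t -> nfs, used to grep boolean names
    cmds = [
        # Any allow rule (conditional ones included) for this exact access?
        'sesearch --allow -s %s -t %s -c %s -p %s' % (src, tgt, cls, perms),
        # Booleans whose names mention the target filesystem.
        'getsebool -a | grep -i %s' % fs_name,
        # Dry run: rules audit2allow would generate; read them before installing.
        'grep %s /var/log/audit/audit.log | audit2allow' % src,
    ]
    if not relabel_possible(avc):
        cmds.append('# %s is assigned by the mount: chcon/restorecon will not change it'
                    % tgt)
    return cmds


if __name__ == '__main__':
    avc = parse_avc(SAMPLE_AVC)
    print('%s (%s) denied %s on %s file %s' % (
        avc['source_type'], avc['comm'], ' '.join(avc['perms']),
        avc['target_type'], avc['name']))
    for cmd in suggest_checks(avc):
        print(cmd)
```

The point of running sesearch first is that the audit2allow module sealert proposes would allow postfix_local_t to execute every nfs_t file, not just this one script; if a boolean already gates the same access, toggling it is the narrower and supportable change.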




