SELinux prevents Postfix from reading the attributes of /rhnsat
Issue
- Seeing SELinux denial messages in /var/log/messages:
Oct 21 23:00:05 satellite setroubleshoot: SELinux is preventing smtpd (postfix_smtpd_t) "getattr" to /rhnsat (oracle_dir_t). For complete SELinux messages. run sealert -l 74e3fd16-115b-4f53-9981-4ad19d31f808
- Full description of the denial:
[root@satellite ~]# sealert -l 74e3fd16-115b-4f53-9981-4ad19d31f808
Summary:
SELinux is preventing smtpd (postfix_smtpd_t) "getattr" to /rhnsat
(oracle_dir_t).
Detailed Description:
SELinux denied access requested by smtpd. It is not expected that this access is
required by smtpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /rhnsat,
restorecon -v '/rhnsat'
If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:postfix_smtpd_t
Target Context system_u:object_r:oracle_dir_t
Target Objects /rhnsat [ dir ]
Source smtpd
Source Path /usr/libexec/postfix/smtpd
Port <Unknown>
Host satellite.example.com
Source RPM Packages postfix-2.3.3-2.3.el5_6
Target RPM Packages
Policy RPM selinux-policy-2.4.6-316.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall_file
Host Name satellite.example.com
Platform Linux satellite.example.com 2.6.18-274.el5
#1 SMP Fri Jul 8 17:36:59 EDT 2011 x86_64 x86_64
Alert Count 11
First Seen Tue Jul 19 23:00:02 2011
Last Seen Mon Aug 15 23:00:02 2011
Local ID 74e3fd16-115b-4f53-9981-4ad19d31f808
Line Numbers
Raw Audit Messages
host=satellite.example.com type=AVC msg=audit(1313445602.52:530): avc: denied { getattr } for pid=23469 comm="smtpd" path="/rhnsat" dev=dm-7 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:oracle_dir_t:s0 tclass=dir
host=satellite.example.com type=SYSCALL msg=audit(1313445602.52:530): arch=c000003e syscall=4 success=no exit=-13 a0=7fff2bd6b530 a1=7fff2bd6b920 a2=7fff2bd6b920 a3=0 items=0 ppid=2578 pid=23469 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
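The two raw audit records above share event serial 530 and together describe the denial. As an added example (not part of the original article or of any Red Hat tooling), the following Python parser pairs AVC and SYSCALL records by serial and decodes the fields needed for triage; the function names and the small x86_64 syscall table are assumptions made for illustration.

```python
import errno
import re

# The two raw audit records from the report above (SYSCALL record shortened).
RAW = """\
host=satellite.example.com type=AVC msg=audit(1313445602.52:530): avc: denied { getattr } for pid=23469 comm="smtpd" path="/rhnsat" dev=dm-7 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:oracle_dir_t:s0 tclass=dir
host=satellite.example.com type=SYSCALL msg=audit(1313445602.52:530): arch=c000003e syscall=4 success=no exit=-13 pid=23469 uid=89 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
"""

EVENT_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\)")
PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: tiny subset of the x86_64 syscall table, enough for file lookups.
X86_64_SYSCALLS = {2: "open", 4: "stat", 5: "fstat", 6: "lstat"}

def parse_events(text):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an audit record
        rtype, _timestamp, serial = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if rtype == "AVC":
            perms = PERMS_RE.search(line)
            fields["perms"] = perms.group(1).split() if perms else []
        events.setdefault(serial, {})[rtype] = fields
    return events

def summarize(event):
    """Reduce one event to the facts needed to triage the denial."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})  # SYSCALL may be absent
    exit_code = int(sc.get("exit", 0))
    syscall = None
    if sc.get("arch") == "c000003e" and "syscall" in sc:  # c000003e = x86_64
        syscall = X86_64_SYSCALLS.get(int(sc["syscall"]))
    return {
        "source_type": avc["scontext"].split(":")[2],  # user:role:type[:level]
        "target_type": avc["tcontext"].split(":")[2],
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        "path": avc.get("path"),
        "comm": avc.get("comm"),
        "syscall": syscall,
        "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
    }

if __name__ == "__main__":
    for serial, event in parse_events(RAW).items():
        if "AVC" in event:
            print(serial, summarize(event))
```

For this event the summary shows smtpd calling stat on the directory /rhnsat and receiving EACCES because postfix_smtpd_t lacks getattr on oracle_dir_t directories.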
Environment
- Red Hat Network Satellite 5.4.1 on Red Hat Enterprise Linux 5
- Using Postfix for email services