SELinux prevents postfix from reading the attributes of /rhnsat

Solution Unverified - Updated -

Issue

  • Seeing SELinux denial messages in /var/log/messages:
Oct 21 23:00:05 satellite setroubleshoot: SELinux is preventing smtpd (postfix_smtpd_t) "getattr" to /rhnsat (oracle_dir_t). For complete SELinux messages. run sealert -l 74e3fd16-115b-4f53-9981-4ad19d31f808  
  • Full description of the denial:
[root@satellite ~]# sealert -l 74e3fd16-115b-4f53-9981-4ad19d31f808

Summary:

SELinux is preventing smtpd (postfix_smtpd_t) "getattr" to /rhnsat
(oracle_dir_t).

Detailed Description:

SELinux denied access requested by smtpd. It is not expected that this access is
required by smtpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /rhnsat,

restorecon -v '/rhnsat'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:postfix_smtpd_t
Target Context                system_u:object_r:oracle_dir_t
Target Objects                /rhnsat [ dir ]
Source                        smtpd
Source Path                   /usr/libexec/postfix/smtpd
Port                          <Unknown>
Host                          satellite.example.com
Source RPM Packages           postfix-2.3.3-2.3.el5_6
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-316.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     satellite.example.com
Platform                      Linux satellite.example.com 2.6.18-274.el5
                              #1 SMP Fri Jul 8 17:36:59 EDT 2011 x86_64 x86_64
Alert Count                   11
First Seen                    Tue Jul 19 23:00:02 2011
Last Seen                     Mon Aug 15 23:00:02 2011
Local ID                      74e3fd16-115b-4f53-9981-4ad19d31f808
Line Numbers                  

Raw Audit Messages            

host=satellite.example.com type=AVC msg=audit(1313445602.52:530): avc:  denied  { getattr } for  pid=23469 comm="smtpd" path="/rhnsat" dev=dm-7 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:oracle_dir_t:s0 tclass=dir

host=satellite.example.com type=SYSCALL msg=audit(1313445602.52:530): arch=c000003e syscall=4 success=no exit=-13 a0=7fff2bd6b530 a1=7fff2bd6b920 a2=7fff2bd6b920 a3=0 items=0 ppid=2578 pid=23469 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
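
The two raw audit records above describe one event: they share the audit(1313445602.52:530) id, and the numeric SYSCALL fields explain what smtpd was doing when the denial fired. The Python script below is an added example, not part of the original article or of setroubleshoot; it pairs the records and decodes those fields. The function names and the three-entry syscall table are assumptions made for illustration.

```python
import errno
import re

# Sample input: the two raw audit records from the alert above, copied from the page.
RECORDS = [
    'host=satellite.example.com type=AVC msg=audit(1313445602.52:530): avc:  denied  { getattr } for  pid=23469 comm="smtpd" path="/rhnsat" dev=dm-7 ino=2 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:oracle_dir_t:s0 tclass=dir',
    'host=satellite.example.com type=SYSCALL msg=audit(1313445602.52:530): arch=c000003e syscall=4 success=no exit=-13 a0=7fff2bd6b530 a1=7fff2bd6b920 a2=7fff2bd6b920 a3=0 items=0 ppid=2578 pid=23469 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)',
]

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
# Partial x86_64 syscall table (arch=c000003e); only the stat family is listed.
X86_64_SYSCALLS = {4: "stat", 5: "fstat", 6: "lstat"}

def parse_record(line):
    """Split one audit record into a dict; return None for non-audit lines."""
    m = HEADER.search(line)
    if not m:
        return None
    rec = {"type": m.group(1), "event": (m.group(2), m.group(3))}
    rec.update((k, v.strip('"')) for k, v in FIELD.findall(line[m.end():]))
    p = PERMS.search(line)
    rec["perms"] = p.group(1).split() if p else []
    return rec

def summarize(lines):
    """Yield one row per denial, joining AVC and SYSCALL on the shared event id."""
    events = {}
    for rec in filter(None, map(parse_record, lines)):
        events.setdefault(rec["event"], {})[rec["type"]] = rec
    for recs in events.values():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if avc is None:
            continue  # event carries no denial record
        num = int(sc["syscall"]) if sc.get("arch") == "c000003e" else None
        yield {
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"],
            "perms": avc["perms"],
            "path": avc.get("path"),
            "exe": sc.get("exe"),
            "syscall": X86_64_SYSCALLS.get(num),
            "errno": errno.errorcode.get(-int(sc.get("exit", 0))),
        }

if __name__ == "__main__":
    for row in summarize(RECORDS):
        print(row)
```

For this alert the row shows a stat() call by /usr/libexec/postfix/smtpd on /rhnsat failing with EACCES, which is the getattr permission on a dir object labelled oracle_dir_t.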

Environment

  • Red Hat Network Satellite 5.4.1 on Red Hat Enterprise Linux 5
  • Using postfix for email services
