-
Bug
-
Resolution: Won't Do
-
Minor
-
CentOS Stream 9
-
None
-
None
-
None
-
1
-
rhel-sst-security-selinux
-
ssg_security
-
None
-
False
-
-
None
-
CY24Q2
-
None
-
None
-
x86_64
-
None
What were you trying to do that didn't work?
Hi guys.
Perhaps introduction of new sebools could be a saviour, for these:
SELinux is preventing /usr/sbin/postdrop from write access on the fifo_file /var/spool/postfix/pipe:[4675943]. For complete SELinux messages run: sealert -l 66b3add6-9242-49ce-b1e1-d84038ce749a
SELinux is preventing /usr/sbin/postdrop from write access on the fifo_file fifo_file. For complete SELinux messages run: sealert -l 51a4b053-c7cc-43aa-8631-b46554d906fb
...
-
-
-
-
- Plugin leaks (86.2 confidence) suggests *****************************
-
-
-
If you want to ignore postdrop trying to write access the fifo_file fifo_file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
- ausearch -x /usr/sbin/postdrop --raw | audit2allow -D -M my-postdrop
- semodule -X 300 -i my-postdrop.pp
-
-
-
-
- Plugin catchall (14.7 confidence) suggests **************************
-
-
-
If you believe that postdrop should be allowed write access on the fifo_file fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
- ausearch -c 'postdrop' --raw | audit2allow -M my-postdrop
- semodule -X 300 -i my-postdrop.pp
Additional Information:
Source Context system_u:system_r:postfix_postdrop_t:s0
Target Context system_u:system_r:cluster_t:s0
Target Objects fifo_file [ fifo_file ]
Source postdrop
Source Path /usr/sbin/postdrop
Port <Unknown>
Host dzien.mine.priv
Source RPM Packages postfix-3.5.9-24.el9.x86_64
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-38.1.27-1.el9.noarch
Local Policy RPM selinux-policy-targeted-38.1.27-1.el9.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name dzien.mine.priv
Platform Linux dzien.mine.priv 5.14.0-391.el9.x86_64 #1 SMP
PREEMPT_DYNAMIC Tue Nov 28 20:35:49 UTC 2023
x86_64 x86_64
Alert Count 13525
First Seen 2023-12-07 12:18:08 CET
Last Seen 2023-12-13 15:17:11 CET
Local ID 51a4b053-c7cc-43aa-8631-b46554d906fb
Raw Audit Messages
type=AVC msg=audit(1702477031.549:25310): avc: denied { write } for pid=469848 comm="postdrop" path="pipe:[1449476]" dev="pipefs" ino=1449476 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=fifo_file permissive=0
type=SYSCALL msg=audit(1702477031.549:25310): arch=x86_64 syscall=execve success=yes exit=0 a0=55b22cc69270 a1=55b22cc692a0 a2=55b22cc68770 a3=55b22cc6b940 items=0 ppid=469847 pid=469848 auid=4294967295 uid=189 gid=189 euid=189 suid=189 fsuid=189 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295 comm=postdrop exe=/usr/sbin/postdrop subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)
Hash: postdrop,postfix_postdrop_t,cluster_t,fifo_file,write
perhaps even more - should be easy to reproduce
Please provide the package NVR for which bug is seen:
selinux-policy-38.1.27-1.el9.noarch