RHEL-19380

When PCS/HA runs systemd:postfix.service agent, there are SELinux issues

    • Bug
    • Resolution: Won't Do
    • Minor
    • rhel-9.6
    • CentOS Stream 9
    • selinux-policy
    • 1
    • rhel-sst-security-selinux
    • ssg_security
    • False
    • CY24Q2
    • x86_64

      What were you trying to do that didn't work?

      Hi guys.

      Perhaps introduction of new sebools could be a saviour, for these:

      SELinux is preventing /usr/sbin/postdrop from write access on the fifo_file /var/spool/postfix/pipe:[4675943]. For complete SELinux messages run: sealert -l 66b3add6-9242-49ce-b1e1-d84038ce749a

      SELinux is preventing /usr/sbin/postdrop from write access on the fifo_file fifo_file. For complete SELinux messages run: sealert -l 51a4b053-c7cc-43aa-8631-b46554d906fb

      ...

      *****  Plugin leaks (86.2 confidence) suggests   *****************************

      If you want to ignore postdrop trying to write access the fifo_file fifo_file, because you believe it should not need this access.
      Then you should report this as a bug.
      You can generate a local policy module to dontaudit this access.
      Do
      # ausearch -x /usr/sbin/postdrop --raw | audit2allow -D -M my-postdrop
      # semodule -X 300 -i my-postdrop.pp

      *****  Plugin catchall (14.7 confidence) suggests   **************************

      If you believe that postdrop should be allowed write access on the fifo_file fifo_file by default.
      Then you should report this as a bug.
      You can generate a local policy module to allow this access.
      Do
      allow this access for now by executing:
      # ausearch -c 'postdrop' --raw | audit2allow -M my-postdrop
      # semodule -X 300 -i my-postdrop.pp

      Additional Information:
      Source Context                system_u:system_r:postfix_postdrop_t:s0
      Target Context                system_u:system_r:cluster_t:s0
      Target Objects                fifo_file [ fifo_file ]
      Source                        postdrop
      Source Path                   /usr/sbin/postdrop
      Port                          <Unknown>
      Host                          dzien.mine.priv
      Source RPM Packages           postfix-3.5.9-24.el9.x86_64
      Target RPM Packages           
      SELinux Policy RPM            selinux-policy-targeted-38.1.27-1.el9.noarch
      Local Policy RPM              selinux-policy-targeted-38.1.27-1.el9.noarch
      Selinux Enabled               True
      Policy Type                   targeted
      Enforcing Mode                Enforcing
      Host Name                     dzien.mine.priv
      Platform                      Linux dzien.mine.priv 5.14.0-391.el9.x86_64 #1 SMP
                                    PREEMPT_DYNAMIC Tue Nov 28 20:35:49 UTC 2023
                                    x86_64 x86_64
      Alert Count                   13525
      First Seen                    2023-12-07 12:18:08 CET
      Last Seen                     2023-12-13 15:17:11 CET
      Local ID                      51a4b053-c7cc-43aa-8631-b46554d906fb

      Raw Audit Messages
      type=AVC msg=audit(1702477031.549:25310): avc:  denied  { write } for  pid=469848 comm="postdrop" path="pipe:[1449476]" dev="pipefs" ino=1449476 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=fifo_file permissive=0

      type=SYSCALL msg=audit(1702477031.549:25310): arch=x86_64 syscall=execve success=yes exit=0 a0=55b22cc69270 a1=55b22cc692a0 a2=55b22cc68770 a3=55b22cc6b940 items=0 ppid=469847 pid=469848 auid=4294967295 uid=189 gid=189 euid=189 suid=189 fsuid=189 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295 comm=postdrop exe=/usr/sbin/postdrop subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)

      Hash: postdrop,postfix_postdrop_t,cluster_t,fifo_file,write

       

      perhaps even more - should be easy to reproduce

      Please provide the package NVR for which bug is seen:

      selinux-policy-38.1.27-1.el9.noarch

      How reproducible:

      Steps to reproduce

      1.  
      2.  
      3.  

      Expected results

      Actual results

              rhn-support-zpytela Zdenek Pytela
              lejeczek Paweł Eljasz (Inactive)
              Nikola Kňažeková Nikola Kňažeková (Inactive)
              SSG Security QE SSG Security QE
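
Added example, not part of the original report and not Red Hat tooling: a small parser that reduces the raw AVC record quoted above to the tuple sealert prints on its "Hash:" line, and flags denials whose target is an anonymous pipe or socket. The `looks_inherited` heuristic and the second sample record are assumptions made for illustration; the heuristic rests on the fact that a pipe is labelled with the context of the process that created it, which is the situation the "leaks" plugin reports.

```python
import re

# Raw AVC record copied from the report above.
AVC = ('type=AVC msg=audit(1702477031.549:25310): avc:  denied  { write } for  '
       'pid=469848 comm="postdrop" path="pipe:[1449476]" dev="pipefs" ino=1449476 '
       'scontext=system_u:system_r:postfix_postdrop_t:s0 '
       'tcontext=system_u:system_r:cluster_t:s0 tclass=fifo_file permissive=0')
# Constructed record (not from the report): an ordinary file denial, for contrast.
OTHER = ('type=AVC msg=audit(1702477040.100:25400): avc:  denied  { read } for  '
         'pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=99 '
         'scontext=system_u:system_r:httpd_t:s0 '
         'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0')

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one denied AVC record as a dict, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the type is always the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def denial_key(rec):
    """Build the same comma-separated tuple sealert shows as 'Hash:'."""
    return ','.join([rec['comm'], rec['stype'], rec['ttype'],
                     rec['tclass'], *rec['perms']])

def looks_inherited(rec):
    """Heuristic (assumption): the target is an anonymous pipe or socket, so it
    carries its creator's process label and reached the source domain as an
    already-open descriptor rather than through a path lookup."""
    return rec.get('path', '').startswith(('pipe:[', 'socket:['))

def summarize(lines):
    """Map each distinct denial key to whether it looks like an inherited fd."""
    recs = [r for r in map(parse_avc, lines) if r]
    return {denial_key(r): looks_inherited(r) for r in recs}

if __name__ == '__main__':
    for key, inherited in summarize([AVC, OTHER]).items():
        print(key, '-> inherited descriptor' if inherited else '-> direct access')
```

Grouping by this key before deciding between a dontaudit rule, an allow rule or a policy bug report shows how many distinct denials stand behind a large alert count.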