RHEL-46327

[rhel-10] SELinux prevents Postfix from mapping LMDB databases

    • selinux-policy-40.13.7-1.el10
    • rhel-sst-security-selinux
    • ssg_security
    • QE ack
    • Unspecified Release Note Type - Unknown

      What were you trying to do that didn't work?

      Please provide the package NVR for which bug is seen:

      postfix-3.8.5-3.el10.x86_64.rpm

      postfix-lmdb-3.8.5-3.el10.x86_64.rpm

      selinux-policy-40.13.3-2.el10.noarch

       

      How reproducible:

      always

      Steps to reproduce

      1. get a RHEL-10 machine
      2. run the following automated test:
        /CoreOS/postfix/Sanity/bodycheck (https://src.fedoraproject.org/tests/postfix/blob/main/f/Sanity/bodycheck)

      Expected results

      the automated test passes without AVCs

      Actual results

      the automated test fails with AVCs

      ----
      type=PROCTITLE msg=audit(07/23/2024 03:31:57.002:364) : proctitle=smtpd -n smtp -t inet -u -o stress= -s 2 
      type=MMAP msg=audit(07/23/2024 03:31:57.002:364) : fd=13 flags=MAP_SHARED 
      type=SYSCALL msg=audit(07/23/2024 03:31:57.002:364) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x1000000 a2=PROT_READ a3=MAP_SHARED items=0 ppid=5882 pid=5993 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/libexec/postfix/smtpd subj=system_u:system_r:postfix_smtpd_t:s0 key=(null) 
      type=AVC msg=audit(07/23/2024 03:31:57.002:364) : avc:  denied  { map } for  pid=5993 comm=smtpd path=/etc/postfix/virtual.lmdb dev="vda2" ino=506517 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:postfix_etc_t:s0 tclass=file permissive=0 
      ----
      type=PROCTITLE msg=audit(07/23/2024 03:31:57.003:365) : proctitle=smtpd -n smtp -t inet -u -o stress= -s 2 
      type=MMAP msg=audit(07/23/2024 03:31:57.003:365) : fd=13 flags=MAP_SHARED 
      type=SYSCALL msg=audit(07/23/2024 03:31:57.003:365) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x1000000 a2=PROT_READ a3=MAP_SHARED items=0 ppid=5882 pid=5993 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=smtpd exe=/usr/libexec/postfix/smtpd subj=system_u:system_r:postfix_smtpd_t:s0 key=(null) 
      type=AVC msg=audit(07/23/2024 03:31:57.003:365) : avc:  denied  { map } for  pid=5993 comm=smtpd path=/etc/postfix/vmailbox.lmdb dev="vda2" ino=506523 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:postfix_etc_t:s0 tclass=file permissive=0 
      ----
      type=PROCTITLE msg=audit(07/23/2024 03:31:57.008:366) : proctitle=trivial-rewrite -n rewrite -t unix -u 
      type=MMAP msg=audit(07/23/2024 03:31:57.008:366) : fd=8 flags=MAP_SHARED 
      type=SYSCALL msg=audit(07/23/2024 03:31:57.008:366) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x1000000 a2=PROT_READ a3=MAP_SHARED items=0 ppid=5882 pid=5995 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=trivial-rewrite exe=/usr/libexec/postfix/trivial-rewrite subj=system_u:system_r:postfix_master_t:s0 key=(null) 
      type=AVC msg=audit(07/23/2024 03:31:57.008:366) : avc:  denied  { map } for  pid=5995 comm=trivial-rewrite path=/etc/postfix/virtual.lmdb dev="vda2" ino=506517 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:postfix_etc_t:s0 tclass=file permissive=0 
      ----
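
A triage helper for the denials above, added here as an example and not part of the original report or of any Red Hat tooling: it parses AVC records and groups them by source type, target type, class and permission, so the two Postfix domains hitting the same `map` denial show up as separate entries. The names `parse_avc` and `summarize` are hypothetical, and accepting double-quoted values as well as the bare ones shown here is an assumption about raw `audit.log` input.

```python
import re
from collections import defaultdict

# Records copied from the report above: one PROCTITLE line (ignored) and its three AVC denials.
SAMPLE = """\
type=PROCTITLE msg=audit(07/23/2024 03:31:57.002:364) : proctitle=smtpd -n smtp -t inet -u -o stress= -s 2
type=AVC msg=audit(07/23/2024 03:31:57.002:364) : avc:  denied  { map } for  pid=5993 comm=smtpd path=/etc/postfix/virtual.lmdb dev="vda2" ino=506517 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:postfix_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(07/23/2024 03:31:57.003:365) : avc:  denied  { map } for  pid=5993 comm=smtpd path=/etc/postfix/vmailbox.lmdb dev="vda2" ino=506523 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:postfix_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(07/23/2024 03:31:57.008:366) : avc:  denied  { map } for  pid=5995 comm=trivial-rewrite path=/etc/postfix/virtual.lmdb dev="vda2" ino=506517 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:postfix_etc_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
# Values are bare in the interpreted output above; quoted values are also accepted (assumption).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other (or truncated) line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    try:
        # An SELinux context is user:role:type:level, so the type is the third field.
        return {"perms": m.group("perms").split(), "comm": f.get("comm", "?"),
                "path": f.get("path", "?"), "tclass": f["tclass"],
                "source": f["scontext"].split(":")[2],
                "target": f["tcontext"].split(":")[2]}
    except (KeyError, IndexError):
        return None

def summarize(log_text):
    """Group denials by (source type, target type, class, permission)."""
    groups = defaultdict(lambda: {"count": 0, "comms": set(), "paths": set()})
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        for perm in rec["perms"]:
            g = groups[(rec["source"], rec["target"], rec["tclass"], perm)]
            g["count"] += 1
            g["comms"].add(rec["comm"])
            g["paths"].add(rec["path"])
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls, perm), g in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {{ {perm} }} x{g['count']} {sorted(g['comms'])} {sorted(g['paths'])}")
```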
      

              rhn-support-zpytela Zdenek Pytela
              rhn-support-fhrdina Frantisek Hrdina
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik