View Issue Details

ID: 0017042
Project: CentOS-8
Category: selinux-policy
View Status: public
Last Update: 2020-02-12 18:52
Reporter: stern
Assigned To: (unassigned)
Status: new
Resolution: open
Platform: x86_64
OS: CentOS
OS Version: 8.1
Product Version: 8.1.1911
Summary: 0017042: SELinux targeted policy prevents Qmail from working

Description: This is using the selinux-policy-targeted-3.14.3-20.el8.noarch package.

After installing a home-brewed qmail package, I got the following AVCs (in permissive mode):

type=AVC msg=audit(1581527805.029:796): avc: denied { read } for pid=17490 comm="qmail-clean" name="intd" dev="md5" ino=131688 scontext=system_u:system_r:qmail_clean_t:s0 tcontext=system_u:object_r:qmail_spool_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1581527805.074:797): avc: denied { search } for pid=17923 comm="qmail-getpw" name="sss" dev="md5" ino=131282 scontext=system_u:system_r:qmail_lspawn_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1581527805.074:797): avc: denied { search } for pid=17923 comm="qmail-getpw" name="mc" dev="md5" ino=132152 scontext=system_u:system_r:qmail_lspawn_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1581527805.074:798): avc: denied { write } for pid=17923 comm="qmail-getpw" name="nss" dev="md5" ino=131197 scontext=system_u:system_r:qmail_lspawn_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1581527805.074:798): avc: denied { connectto } for pid=17923 comm="qmail-getpw" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:qmail_lspawn_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
Steps To Reproduce: Although the qmail package is home-brewed, it arranges everything in accordance with the policy's expectations. The access violations occur whenever an email message is sent or received.

Additional Information: The first AVC looks like a simple oversight in the policy: the qmail-clean program needs to access qmail's intd directory.

The other AVCs arise from qmail-getpw calling the standard getpwnam(3) routine on a system using SSSD. This is something it needs to do. Is there a standard way of allowing a program running in a particular context to use getpwnam()? Whatever it is, this should be allowed in the policy.
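The following is an added example, not part of the report or the CentOS policy: a local policy module that covers the five denials quoted above, with the reference-policy interface auth_use_nsswitch() used for the getpwnam(3) case. The module name, file paths and the use of the selinux-policy-devel Makefile are assumptions.

```shell
#!/bin/sh
# Generate and (optionally) install a local SELinux policy module for the
# five denials quoted in the report. Module name, paths and the choice of
# interfaces are assumptions, not taken from the CentOS policy or the report.
set -eu

MODULE=qmail_local

# Write the type-enforcement source. It uses reference-policy macros, so it is
# built with the selinux-policy-devel Makefile rather than raw checkmodule.
write_te() {
    out=$1
    cat >"$out" <<'EOF'
policy_module(qmail_local, 1.0)

gen_require(`
    type qmail_clean_t, qmail_lspawn_t, qmail_spool_t;
')

# AVC 1: qmail-clean reads the intd directory, which is labelled qmail_spool_t.
allow qmail_clean_t qmail_spool_t:dir read_dir_perms;

# AVCs 2-5: qmail-getpw (running as qmail_lspawn_t) calls getpwnam(3), which
# glibc's NSS routes to the sssd socket /var/lib/sss/pipes/nss.
# auth_use_nsswitch() is the reference-policy interface for domains that do
# name-service lookups; in the Fedora/RHEL policy it adds the domain to
# nsswitch_domain, which carries sssd_stream_connect() and
# sssd_read_public_files(), covering the search/write/connectto denials.
auth_use_nsswitch(qmail_lspawn_t)
EOF
}

# Build the .pp from the .te and load it. Requires selinux-policy-devel
# and, for the final check, setools-console (sesearch).
build_and_install() {
    dir=$1
    write_te "$dir/$MODULE.te"
    make -C "$dir" -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    semodule -i "$dir/$MODULE.pp"
    # Confirm the connectto rule is present before switching out of permissive mode.
    sesearch -A -s qmail_lspawn_t -t sssd_t -c unix_stream_socket -p connectto
}

# Only act when invoked explicitly with "install"; otherwise just define functions.
if [ "${1:-}" = "install" ]; then
    build_and_install "$(mktemp -d)"
fi
```

After installing, re-run a send and a receive in permissive mode and check that ausearch -m AVC -ts recent shows no new qmail denials before enabling enforcing mode.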
Tags: No tags attached.


There are no notes attached to this issue.

Issue History

Date Modified       Username  Field      Change
2020-02-12 18:52    stern     New Issue