Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 234773 - SELinux - allow Postfix smtpd access to Mailman aliases
Summary: SELinux - allow Postfix smtpd access to Mailman aliases
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Whiteboard: bzcl34nup
Depends On:
TreeView+ depends on / blocked
Reported: 2007-04-01 20:30 UTC by Anthony Messina
Modified: 2008-04-08 02:21 UTC (History)
2 users (show)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-04-08 02:21:06 UTC

Attachments (Terms of Use)

Description Anthony Messina 2007-04-01 20:30:50 UTC
Description of problem:
Using Postfix, Mailman and SELinux together, I am unable to get Postfix's smtpd
process to read the Mailman aliases or aliases.db in /etc/mailman.

The selinux file type of aliases and aliases.db is mailman_data_t.

Version-Release number of selected component (if applicable):

How reproducible:
Every time.

Steps to Reproduce:
1. Have postfix set up to validate users using /etc/aliases and /etc/mailman/aliases
2. Receive and email
3. Watch audit.log
Actual results:
type=AVC msg=audit(1175458758.616:25054): avc:  denied  { search } for 
pid=27704 comm="smtpd" name="mailman" dev=sda2 ino=6424095
tcontext=system_u:object_r:mailman_data_t:s0 tclass=dir
type=AVC msg=audit(1175458758.616:25054): avc:  denied  { read } for  pid=27704
comm="smtpd" name="aliases.db" dev=sda2 ino=6424286
tcontext=root:object_r:mailman_data_t:s0 tclass=file
type=AVC msg=audit(1175458758.616:25055): avc:  denied  { lock } for  pid=27704
comm="smtpd" name="aliases.db" dev=sda2 ino=6424286
tcontext=root:object_r:mailman_data_t:s0 tclass=file
type=AVC msg=audit(1175458781.810:25061): avc:  denied  { getattr } for 
pid=27704 comm="smtpd" name="aliases.db" dev=sda2 ino=6424286
tcontext=root:object_r:mailman_data_t:s0 tclass=file

Expected results:
Perhaps a boolean (or some other method) should exist to allow Postfix AND
Mailman to access these files.  postfix_access_mailman_aliases

Additional info:
I am currently running in permissive mode becausse of this (and two other things).

Comment 1 Daniel Walsh 2007-04-05 17:49:41 UTC
Fixed in selinux-policy-2.4.6-52.fc6

Comment 2 Anthony Messina 2007-04-05 18:33:47 UTC
Thanks, Dan.  When you say that it is fixed in the future policy, was this
something that you guys were already working on, or did this bug report prompt
you to take a look at it?  I only ask becasue I searched quite a bit for a
resolution to this prior to posting this bug report and couldn't find a solution.

Comment 3 Daniel Walsh 2007-04-09 14:48:53 UTC
The bug report promted me to work on it.  It is pretty difficult to anticipate
all possible ways an app will run, so we rely on bugreports and mail lists to
help fix selinux problems.  THanks for submitting the bug report.

Comment 4 John Villalovos 2007-05-23 05:45:53 UTC
Is this something that is going to get pushed out the RHEL5 too?

I ended up making a module using audit2allow

module postfixmailman 1.0;

require {
        class dir { add_name remove_name search write };
        class file { create getattr lock read rename write };
        type mailman_data_t;
        type postfix_cleanup_t;
        type postfix_map_t;
        role system_r;

allow postfix_cleanup_t mailman_data_t:dir search;
allow postfix_map_t mailman_data_t:dir { add_name remove_name search write };
allow postfix_map_t mailman_data_t:file { create getattr lock read rename write };

Comment 5 Daniel Walsh 2007-05-23 17:15:01 UTC
Yes all most bug fixes for FC6 should show up in the u1 release.

Preview is available on

Comment 6 F 2007-10-16 13:58:06 UTC
Not sure if it is the same problem, but I am unable to update /etc/aliases.db 
in RHEL5 logged in as root with neither "newaliases" 
or "postalias /etc/aliases". It gives the error:
postalias: fatal: open /etc/aliases.db: Permission denied

-rw-r-----  1 root  smmsp  12K Oct 16 08:11 aliases.db

Comment 7 Daniel Walsh 2007-10-17 04:21:37 UTC
Did you try the u1 release?

Comment 8 F 2007-10-17 14:02:46 UTC
We have all the latest updates installed from the default distro which is the 
only one our host provides access through their redhat licence.

Comment 9 Daniel Walsh 2007-10-17 17:39:45 UTC
Well I believe this is fixed in the u1 update which should be hitting the
streates at any moment.

If you would like to customize your policy to allow this as root you can execute

grep alias /var/log/audit/audit.log | audit2allow -M myalias
semodule -i myalias.pp

Comment 10 Bug Zapper 2008-04-04 06:44:12 UTC
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.

If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reporduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
the change.

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we are following is outlined here:

We will be following the process here: to ensure this
doesn't happen again.

And if you'd like to join the bug triage team to help make things
better, check out

Note You need to log in before you can comment on or make changes to this bug.