Bug 592752 - Postfix can't chroot
Summary: Postfix can't chroot
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.5
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2010-05-16 17:28 UTC by David Kovalsky
Modified: 2014-03-31 23:45 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, SELinux prevented the Postfix mail transfer agent from creating a chroot environment. This issue has been resolved, and relevant rules have been added to permit this operation.
Clone Of:
Environment:
Last Closed: 2011-01-13 21:49:38 UTC
Target Upstream Version:


Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2011:0026 | normal | SHIPPED_LIVE | selinux-policy bug fix and enhancement update | 2011-01-12 16:11:15 UTC

Description David Kovalsky 2010-05-16 17:28:10 UTC
I have configured postfix + amavis + clamav, but it doesn't work, because postfix can't chroot. 

type=AVC msg=audit(1274033642.497:2669): avc:  denied  { sys_chroot } for  pid=10323 comm="smtpd" capability=18 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:system_r:postfix_smtpd_t:s0 tclass=capability  

maillog gets filled with
May 16 20:16:04 services-ha-01 postfix/smtpd[10480]: fatal: chroot(/var/spool/postfix): Operation not permitted
May 16 20:16:05 services-ha-01 postfix/master[8601]: warning: process /usr/libexec/postfix/smtpd pid 10480 exit status 1
May 16 20:16:05 services-ha-01 postfix/master[8601]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling


postfix-2.3.3-2

Comment 1 Daniel Walsh 2010-05-17 13:36:38 UTC
This is allowed in RHEL6. Miroslav, can you add this permission?

You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Comment 2 Miroslav Grepl 2010-07-22 09:23:29 UTC
Fixed in selinux-policy-2.4.6-281.el5.noarch

Comment 7 Karel Srot 2010-11-15 15:37:04 UTC
Trying to reproduce this bug. As the first step I have configured various services from the default master.cf to be chrooted (using http://www.wains.be/pub/postfix-chroot) and (after restorecon -R /var/spool/postfix/lib) I am getting the following AVCs:

----
time->Mon Nov 15 16:30:38 2010
type=SYSCALL msg=audit(1289835038.190:83): arch=40000003 syscall=61 success=no exit=-1 a0=831e3a0 a1=c62a00 a2=d2cff4 a3=59 items=0 ppid=15929 pid=15932 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=4 comm="qmgr" exe="/usr/libexec/postfix/qmgr" subj=root:system_r:postfix_qmgr_t:s0 key=(null)
type=AVC msg=audit(1289835038.190:83): avc:  denied  { sys_chroot } for  pid=15932 comm="qmgr" capability=18 scontext=root:system_r:postfix_qmgr_t:s0 tcontext=root:system_r:postfix_qmgr_t:s0 tclass=capability
----
time->Mon Nov 15 16:30:38 2010
type=SYSCALL msg=audit(1289835038.174:82): arch=40000003 syscall=61 success=no exit=-1 a0=933d3a0 a1=95ba00 a2=f75ff4 a3=59 items=0 ppid=15929 pid=15931 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=4 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=root:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1289835038.174:82): avc:  denied  { sys_chroot } for  pid=15931 comm="pickup" capability=18 scontext=root:system_r:postfix_pickup_t:s0 tcontext=root:system_r:postfix_pickup_t:s0 tclass=capability

I think this should be also allowed. 
On the other hand, I can't see AVC from #c0, even with old selinux-policy.

Comment 8 Karel Srot 2010-11-16 10:15:46 UTC
Got even more AVCs after sending an email (additional services have been executed). Maybe there should be a boolean for chrooted postfix. Still working on the amavis stuff.

[root@rhel5 ~]# ausearch -m avc
----
time->Tue Nov 16 10:13:19 2010
type=SYSCALL msg=audit(1289898799.613:33): arch=40000003 syscall=61 success=yes exit=0 a0=9ab43a8 a1=484a00 a2=d2fff4 a3=59 items=0 ppid=3500 pid=3502 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=root:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1289898799.613:33): avc:  denied  { sys_chroot } for  pid=3502 comm="pickup" capability=18 scontext=root:system_r:postfix_pickup_t:s0 tcontext=root:system_r:postfix_pickup_t:s0 tclass=capability
----
time->Tue Nov 16 10:13:19 2010
type=SYSCALL msg=audit(1289898799.632:34): arch=40000003 syscall=61 success=yes exit=0 a0=8de23a8 a1=620a00 a2=8bbff4 a3=59 items=0 ppid=3500 pid=3503 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="qmgr" exe="/usr/libexec/postfix/qmgr" subj=root:system_r:postfix_qmgr_t:s0 key=(null)
type=AVC msg=audit(1289898799.632:34): avc:  denied  { sys_chroot } for  pid=3503 comm="qmgr" capability=18 scontext=root:system_r:postfix_qmgr_t:s0 tcontext=root:system_r:postfix_qmgr_t:s0 tclass=capability
----
time->Tue Nov 16 10:13:40 2010
type=SYSCALL msg=audit(1289898820.850:36): arch=40000003 syscall=61 success=yes exit=0 a0=84923e0 a1=e57a00 a2=4f1ff4 a3=59 items=0 ppid=3500 pid=3513 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="trivial-rewrite" exe="/usr/libexec/postfix/trivial-rewrite" subj=root:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1289898820.850:36): avc:  denied  { sys_chroot } for  pid=3513 comm="trivial-rewrite" capability=18 scontext=root:system_r:postfix_master_t:s0 tcontext=root:system_r:postfix_master_t:s0 tclass=capability
----
time->Tue Nov 16 10:13:40 2010
type=SYSCALL msg=audit(1289898820.871:37): arch=40000003 syscall=61 success=yes exit=0 a0=8ce83a8 a1=0 a2=a4dff4 a3=a50c08 items=0 ppid=3500 pid=3514 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="local" exe="/usr/libexec/postfix/local" subj=root:system_r:postfix_local_t:s0 key=(null)
type=AVC msg=audit(1289898820.871:37): avc:  denied  { sys_chroot } for  pid=3514 comm="local" capability=18 scontext=root:system_r:postfix_local_t:s0 tcontext=root:system_r:postfix_local_t:s0 tclass=capability
----
time->Tue Nov 16 10:13:40 2010
type=SYSCALL msg=audit(1289898820.826:35): arch=40000003 syscall=61 success=yes exit=0 a0=8f2d3a8 a1=330a00 a2=fa9ff4 a3=59 items=0 ppid=3500 pid=3512 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=root:system_r:postfix_cleanup_t:s0 key=(null)
type=AVC msg=audit(1289898820.826:35): avc:  denied  { sys_chroot } for  pid=3512 comm="cleanup" capability=18 scontext=root:system_r:postfix_cleanup_t:s0 tcontext=root:system_r:postfix_cleanup_t:s0 tclass=capability
----
time->Tue Nov 16 10:13:40 2010
type=SYSCALL msg=audit(1289898820.911:38): arch=40000003 syscall=61 success=yes exit=0 a0=82263a8 a1=362140 a2=5f1ff4 a3=59 items=0 ppid=3500 pid=3515 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=1 comm="bounce" exe="/usr/libexec/postfix/bounce" subj=root:system_r:postfix_bounce_t:s0 key=(null)
type=AVC msg=audit(1289898820.911:38): avc:  denied  { sys_chroot } for  pid=3515 comm="bounce" capability=18 scontext=root:system_r:postfix_bounce_t:s0 tcontext=root:system_r:postfix_bounce_t:s0 tclass=capability

Comment 9 David Kovalsky 2010-11-16 10:36:10 UTC
I think chrooting should be enabled and a boolean is not needed.

Or is there any harm in allowing a service (postfix services) to chroot? It seems like a good security practice to cut down on the privs as much as possible.

Comment 10 Miroslav Grepl 2010-11-16 12:11:22 UTC
I think we should just allow it in postfix_domain_template()


allow postfix_$1_t self:capability sys_chroot;
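
An added example, not part of the original thread or of the selinux-policy source: the workaround in comment 1 feeds every denial in the audit log to audit2allow, so this Python script separates denials that have the shape of the rule in comment 10 from anything else, which should be reviewed by hand before a local module is loaded. The first three records are copied from this page; the `example_t` record is constructed.

```python
import re

# First three records: copied from this page. Last one: constructed, non-Postfix.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1274033642.497:2669): avc:  denied  { sys_chroot } for  pid=10323 comm="smtpd" capability=18 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=root:system_r:postfix_smtpd_t:s0 tclass=capability
type=AVC msg=audit(1289898799.632:34): avc:  denied  { sys_chroot } for  pid=3503 comm="qmgr" capability=18 scontext=root:system_r:postfix_qmgr_t:s0 tcontext=root:system_r:postfix_qmgr_t:s0 tclass=capability
type=AVC msg=audit(1289898820.850:36): avc:  denied  { sys_chroot } for  pid=3513 comm="trivial-rewrite" capability=18 scontext=root:system_r:postfix_master_t:s0 tcontext=root:system_r:postfix_master_t:s0 tclass=capability
type=AVC msg=audit(1289900000.000:99): avc:  denied  { read } for  pid=4000 comm="exampled" name="shadow" scontext=root:system_r:example_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')
POSTFIX_DOMAIN = re.compile(r'^postfix_\w+_t$')

def context_type(ctx):
    """Return the type field of a user:role:type:level security context."""
    return ctx.split(":")[2]

def parse_avcs(text):
    """Yield (source type, target type, class, permissions) per AVC denial."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            out.append((context_type(m["s"]), context_type(m["t"]),
                        m["cls"], tuple(m["perms"].split())))
    return out

def is_template_rule(src, tgt, cls, perms):
    """True only for denials shaped like comment 10's rule:
    allow postfix_$1_t self:capability sys_chroot;"""
    return (POSTFIX_DOMAIN.match(src) is not None and src == tgt
            and cls == "capability" and set(perms) == {"sys_chroot"})

def split_rules(text):
    """Return (rules matching the template, rules needing manual review)."""
    accepted, rejected = set(), set()
    for src, tgt, cls, perms in parse_avcs(text):
        target = "self" if src == tgt else tgt
        rule = f"allow {src} {target}:{cls} {{ {' '.join(perms)} }};"
        (accepted if is_template_rule(src, tgt, cls, perms) else rejected).add(rule)
    return sorted(accepted), sorted(rejected)

if __name__ == "__main__":
    ok, review = split_rules(SAMPLE_AUDIT)
    print("matches template rule:", *ok, sep="\n  ")
    print("review before allowing:", *review, sep="\n  ")
```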

Comment 11 Karel Srot 2010-11-16 14:53:02 UTC
Chroot should probably be enabled for all available postfix services. Looking into /usr/libexec/postfix/, the following contexts are present:

postfix_bounce_exec_t postfix_cleanup_exec_t postfix_exec_t postfix_local_exec_t postfix_master_exec_t postfix_pickup_exec_t postfix_pipe_exec_t postfix_qmgr_exec_t postfix_showq_exec_t postfix_smtpd_exec_t postfix_smtp_exec_t postfix_virtual_exec_t

I am not sure about postfix_exec_t but all the rest should be postfix services from master.cf.

Comment 12 Miroslav Grepl 2010-11-16 15:09:40 UTC
Karel,
could you test it with the latest policy (-273), which I built a while ago?

Comment 13 Karel Srot 2010-11-16 16:16:56 UTC
Looks fine. No AVCs at all.

Comment 15 Jaromir Hradilek 2011-01-05 16:15:03 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Previously, SELinux prevented the Postfix mail transfer agent from creating a chroot environment. This issue has been resolved, and relevant rules have been added to permit this operation.

Comment 17 errata-xmlrpc 2011-01-13 21:49:38 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html

