[refpolicy] Debian: postfix & sending mail by unconfined_u

Christopher J. PeBenito cpebenito at tresys.com
Fri Aug 29 07:59:40 CDT 2008


On Fri, 2008-08-29 at 13:19 +0200, Václav Ovsík wrote:
> Hi,
> I have a question please. I'm running Debian Sid with SE Linux
> & selinux-policy-default. I have installed postfix.
> There are messages while user unconfined_u tries to send mail.
> 
> mail -s hello zito at bobek.localdomain <<<hello
> 
> results in
> 
> [  470.026225] type=1401 audit(1219924099.255:7): security_compute_sid:  invalid context unconfined_u:unconfined_r:postfix_postdrop_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_mail_t:s0 tcontext=system_u:object_r:postfix_postdrop_exec_t:s0 tclass=process
> [  470.037101] type=1300 audit(1219924099.255:7): arch=40000003 syscall=11 success=yes exit=0 a0=80c7f40 a1=80c8068 a2=80c78e0 a3=80c7f70 items=0 ppid=1868 pid=1869 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=107 sgid=107 fsgid=107 tty=pts1 ses=4294967295 comm="postdrop" exe="/usr/sbin/postdrop" subj=unconfined_u:unconfined_r:postfix_postdrop_t:s0 key=(null)
> 
> 
> unconfined_r lacks some postfix types.
> 
> I was searching through the sources for some time, but I could not find out
> why e.g. staff_u (staff_r) is able to use mail without problems, but
> unconfined_r needs explicitly allowed types. Probably some attribute.
> I found analogy with mta module (mta_per_role_template).
> 
> zito at bobek:~/SELinux/refpolicy-svn$ find . -regextype posix-egrep -name .svn -prune -o -name tmp -prune -o -name .pc -prune -o  -type f -regex '.*\.(te|if|fc)' -print|xargs egrep  'mta_per_role_template'
> ./policy/modules/services/mta.if:template(`mta_per_role_template',`
> ./policy/modules/system/unconfined.te:  mta_per_role_template(unconfined, unconfined_t, unconfined_r)
> 
> zito at bobek:~/SELinux/refpolicy-svn$ find . -regextype posix-egrep -name .svn -prune -o -name tmp -prune -o -name .pc -prune -o  -type f -regex '.*\.(te|if|fc)' -print|xargs egrep  'postfix_per_role_template'
> ./policy/modules/services/postfix.if:template(`postfix_per_role_template',`
> 
> The unconfined user is OK too after adding the corresponding
> postfix_per_role_template(...) for it (patch attached).
> 
> Is such a solution right?

Yes.  I also added qmail_per_role_template() for the same reason.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
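The audit record in the question is the kernel refusing to build the context it computed for the exec transition: unconfined_mail_t running postdrop would become unconfined_u:unconfined_r:postfix_postdrop_t, but the policy has no role authorization pairing unconfined_r with postfix_postdrop_t, so security_compute_sid rejects the context as invalid and the process stays in its old domain. That pairing is what a refpolicy per-role template contributes (staff_r already gets it; unconfined_r did not until the template was called for it). The following script is an added example, not code from this thread or from refpolicy: it parses such a line into the role/type pair that is missing, prints the role statement the template must provide, and optionally checks the loaded policy. The audit line is a constructed sample with the same shape as the one quoted above; the `seinfo -r ROLE -x` invocation is an assumption about setools and is skipped when seinfo is not installed.

```shell
#!/bin/sh
# Added example (not from the thread or from refpolicy): turn a
# security_compute_sid "invalid context" audit record into the role/type
# pair that lacks a role authorization, and print the policy statement a
# per-role template such as postfix_per_role_template() contributes.

# Constructed sample, same shape as the first audit line in the message above.
SAMPLE_AUDIT='[  470.026225] type=1401 audit(1219924099.255:7): security_compute_sid:  invalid context unconfined_u:unconfined_r:postfix_postdrop_t:s0 for scontext=unconfined_u:unconfined_r:unconfined_mail_t:s0 tcontext=system_u:object_r:postfix_postdrop_exec_t:s0 tclass=process'

# field CONTEXT N: print field N of a user:role:type[:level] context
# (only fields 2 and 3 are used, so an MLS range containing ':' is harmless).
field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# parse_invalid_context LINE
# Prints "ROLE TYPE SRC_DOMAIN EXEC_TYPE" on success; returns 1 when the
# line is not a security_compute_sid invalid-context record.
parse_invalid_context() {
    ctx=$(printf '%s\n' "$1" | sed -n 's/.*security_compute_sid:.*invalid context \([^ ]*\) for scontext=.*/\1/p')
    [ -n "$ctx" ] || return 1
    sctx=$(printf '%s\n' "$1" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tctx=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    printf '%s %s %s %s\n' "$(field "$ctx" 2)" "$(field "$ctx" 3)" \
        "$(field "$sctx" 3)" "$(field "$tctx" 3)"
}

# missing_role_statement ROLE TYPE
# The kernel computed user:ROLE:TYPE for the transition, but without a
# "role ROLE types TYPE;" statement that context is invalid.
missing_role_statement() {
    printf 'role %s types %s;\n' "$1" "$2"
}

# role_authorized ROLE TYPE: check the loaded policy with setools' seinfo.
# Assumption: "seinfo -r ROLE -x" lists the role's authorized types.
# Returns 2 when seinfo is not installed so callers can skip the live check.
role_authorized() {
    command -v seinfo >/dev/null 2>&1 || return 2
    seinfo -r "$1" -x 2>/dev/null | grep -qw "$2"
}

set -- $(parse_invalid_context "$SAMPLE_AUDIT")
echo "role $1 is not authorized for type $2 (transition from $3 via $4)"
echo "statement the per-role template must contribute: $(missing_role_statement "$1" "$2")"
rc=0
role_authorized "$1" "$2" || rc=$?
case $rc in
    0) echo "loaded policy already authorizes $1 for $2" ;;
    1) echo "loaded policy does not authorize $1 for $2" ;;
    *) echo "seinfo not available, live check skipped" ;;
esac
```

The bare `role ... types ...;` line is only the statement that failed here; as the reply confirms, the right fix in refpolicy is to call the module's per-role template for the role (postfix_per_role_template for unconfined in unconfined.te, next to the existing mta_per_role_template call), which supplies that authorization together with the rest of what the role needs to use the mail tools.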
