.forward file ignored, SELinux logs strange AVC.

bradchaus · #1 23rd August 2008, 05:24 AM

Hi, I am running F9, Postfix, SELinux.

I have a .forward file in /root with contents "brian@localhost"

Mail to root, should be diverted to brian. But it only works if I put SELinux in permissive mode. SELinux logs a strange AVC as follows:

Code:

Raw Audit Messages :host=admin.brianac.com.au type=AVC 
msg=audit(1219464502.997:1874): avc: denied { search } for pid=16435 comm="local"
 name="root" dev=dm-7 ino=63489 scontext=system_u:system_r:postfix_local_t:s0 
tcontext=system_u:object_r:admin_home_t:s0 tclass=dir host=admin.brianac.com.au 
type=SYSCALL msg=audit(1219464502.997:1874): arch=40000003 syscall=196 
success=no exit=-13 a0=b83d6940 a1=bf826cb4 a2=7dfff4 a3=0 items=0 ppid=3274 
pid=16435 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) ses=4294967295 comm="local" exe="/usr/libexec/postfix/local" 
subj=system_u:system_r:postfix_local_t:s0 key=(null)

The english language description from troubleshooter is :

Code:

SELinux has denied local access to potentially mislabeled file(s) (./root). This 
means that SELinux will not allow local to use these files. It is common for users to edit
files in their home directory or tmp directories and then move (mv) them to system 
directories. The problem is that the files end up with the wrong file context which confined 
applications are not allowed to access.

Note that it doesn't mention .forward. But it does mention ./root. What the hell is that?

Troubleshooter recommends running restorecon -R -v './root' . But that doesn't make sense. That's a relative path, not a full path.

Any ideas anyone?

Brian

marcrblevins · #2 23rd August 2008, 05:38 AM

Code:

su -
ls -Z .forward

My result:

Code:

-rw-r--r--  root root unconfined_u:object_r:admin_home_t:s0 .forward

Is yours the same?

marcrblevins · #3 23rd August 2008, 05:40 AM

Also check this:

Code:

[root@kiriyamablevins ~]# getsebool -a | grep post
allow_postfix_local_write_mail_spool --> on
[root@kiriyamablevins ~]#

bradchaus · #4 23rd August 2008, 05:41 AM

yep, identical

bradchaus · #5 23rd August 2008, 05:42 AM

Quote:

Originally Posted by marcrblevins

Also check this:

Code:

[root@kiriyamablevins ~]# getsebool -a | grep post
allow_postfix_local_write_mail_spool --> on
[root@kiriyamablevins ~]#

yeah mine is the same

bradchaus · #6 23rd August 2008, 05:42 AM

Quote:

Originally Posted by marcrblevins

Code:

su -
ls -Z .forward

My result:

Code:

-rw-r--r--  root root unconfined_u:object_r:admin_home_t:s0 .forward

Is yours the same?

yes, identical

marcrblevins · #7 23rd August 2008, 05:43 AM

If you don't mind, please quote which is identical?

marcrblevins · #8 23rd August 2008, 05:51 AM

Sorry Brad, I'm out of ideas. Mine is sendmail/dovecot and Selinux set to Enforcing(the default)

bradchaus · #9 24th August 2008, 03:32 AM

thankx for your ideas ... it has me stumped too ... but I think the key to the problem is understanding the AVC .. i wonder what it means by "./root"