Bug#473043: selinux-policy-default: Also affects mailq; unconfined_r cannot send mail

[Chaskiel Grundman]

Package: selinux-policy-default
Version: 2:0.0.20080702-6
Followup-For: Bug #473043
Running mailq does not work for any user role (user_r, staff_r,
sysadm_r, unconfined_r)

debian:/# id
uid=0(root) gid=0(root) groups=0(root) context=root:sysadm_r:sysadm_t:s0
debian:/# mailq
mailq: fatal: execv /usr/sbin/postqueue: Permission denied

A similar invalid context message is logged for all the roles.

security_compute_sid: invalid context root:sysadm_r:postfix_postqueue_t:s0 
for
scontext=root:sysadm_r:sysadm_mail_t:s0
tcontext=system_u:object_r:postfix_postqueue_exec_t:s0 tclass=process

Less important to me, but still bad: unconfined_r cannot send mail with
/usr/bin/mail.

[EMAIL PROTECTED]:~$ id
uid=1002(xunc) gid=1002(xunc) groups=1002(xunc)
context=unconfined_u:unconfined_r:unconfined_t:s0
[EMAIL PROTECTED]:~$ echo Test  | mail -s "Test message" root
send-mail: fatal: execvp /usr/sbin/postdrop: Permission denied
send-mail: warning: command "/usr/sbin/postdrop -r" exited with status 1
send-mail: fatal: xunc(1002): unable to execute /usr/sbin/postdrop -r:
Success
Can't send mail: sendmail process failed with error code 75

security_compute_sid:  invalid context
unconfined_u:unconfined_r:postfix_postdrop_t:s0 for
scontext=unconfined_u:unconfined_r:unconfined_mail_t:s0
tcontext=system_u:object_r:postfix_postdrop_exec_t:s0 tclass=process

Other roles do not have this particular problem.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.25-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules                1.0.1-3    Pluggable Authentication Modules f
ii  libselinux1                   2.0.65-2   SELinux shared libraries
ii  libsepol1                     2.0.30-2   Security Enhanced Linux policy lib
ii  policycoreutils               2.0.49-5   SELinux core policy utilities
ii  python                        2.5.2-2    An interactive high-level object-o

Versions of packages selinux-policy-default recommends:
ii  checkpolicy                   2.0.16-1   SELinux policy compiler
ii  setools                       2.4-3      Tresys tools for managing Security

Versions of packages selinux-policy-default suggests:
pn  logcheck                      <none>     (no description available)
pn  syslog-summary                <none>     (no description available)

-- no debconf information



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]