I've got a user who wants to run a script specified in their .forward file:

.forward (USER.USER 0664)
=============
|/home/USER/Code/forwardbuildresults.sh
=============

The script seems to be correct as well:
-rwxrwxr-x. USER USER system_u:object_r:nfs_t:s0 /home/USER/Code/forwardbuildresults.sh


but when he tries to catch the mail, this shows up in maillog:
Aug 30 11:29:49 pine postfix/local[29020]: 54A6976B: to=<USER@pine>, relay=local, delay=537, delays=537/0.02/0/0.02, dsn=4.3.0, status=deferred (temporary failure. Command output: local: fatal: execvp /home/USER/Code/forwardbuildresults.sh: Permission denied )

and this shows up in /var/log/messages:
Aug 30 11:29:53 pine setroubleshoot: SELinux is preventing /usr/libexec/postfix/local from execute access on the file forwardbuildresults.sh. For complete SELinux messages. run sealert -l a97ab991-717f-43bb-a990-1017bca686e9

sealert is pretty worthless in this case:
===============================
SELinux is preventing /usr/libexec/postfix/local from execute access on the file forwardbuildresults.sh.

***** Plugin leaks (86.2 confidence) suggests ******************************

If you want to ignore local trying to execute access the forwardbuildresults.sh file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/libexec/postfix/local /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

***** Plugin catchall (14.7 confidence) suggests ***************************

If you believe that local should be allowed execute access on the forwardbuildresults.sh file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep local /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
==================================

Since the file resides on NFS there isn't any way to reset the context type... is there a magic setting for Postfix that will let this go through?

Brian


_______________________________________________
rhelv6-list mailing list
rhelv6-list@redhat.com
https://www.redhat.com/mailman/listinfo/rhelv6-list
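The post shows only the sealert summary, which it rightly finds unhelpful; the raw AVC record in /var/log/audit/audit.log carries the source domain, target type and permission that actually decide the question. The script below is an added example (not from Brian's post or from the Postfix/SELinux projects) that pulls those fields out of an AVC line and flags the specific "Postfix local delivery cannot execute a file labelled nfs_t" case. The audit line is constructed to match the symptoms in the post; the source type `postfix_local_t` and the target type `user_home_t` named in the remedies are assumptions about the policy, to be confirmed with `sesearch` on the box.

```shell
#!/bin/bash
# Added example: triage an SELinux AVC denial for the .forward-on-NFS case.
# SAMPLE_AVC is a CONSTRUCTED record (pid/ino/timestamps invented) shaped like
# what `ausearch -m avc -c local` would return for the post's symptom.
# The scontext type postfix_local_t is an ASSUMPTION about the RHEL 6 policy.
SAMPLE_AVC='type=AVC msg=audit(1377858589.402:1234): avc:  denied  { execute } for  pid=29020 comm="local" name="forwardbuildresults.sh" dev=0:21 ino=98765 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file'

# avc_field LINE KEY -> value of "KEY=value" in an AVC record (empty if absent).
# The leading whitespace in the pattern keeps "scontext" from matching "tcontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE -> first permission inside "denied { ... }", e.g. "execute".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^ }]*\).*/\1/p'
}

# se_type CONTEXT -> the type field (third colon-separated component), e.g. nfs_t.
se_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE -> one of: postfix-exec-on-nfs | nfs-other | unrelated
classify_avc() {
    perm=$(avc_perm "$1")
    stype=$(se_type "$(avc_field "$1" scontext)")
    ttype=$(se_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    case "$stype:$ttype:$tclass:$perm" in
        postfix_*:nfs_t:file:execute) echo "postfix-exec-on-nfs" ;;
        *:nfs_t:*:*)                  echo "nfs-other" ;;
        *)                            echo "unrelated" ;;
    esac
}

# remedies TAG -> the options a practitioner would weigh for that class of denial.
# Commands are printed, not run, so this stays safe to execute anywhere.
remedies() {
    case "$1" in
        postfix-exec-on-nfs)
            cat <<'EOF'
1. Labels on NFS come from the mount, not from chcon/restorecon, so pick the
   label at mount time in /etc/fstab (user_home_t here is an ASSUMPTION; use
   whatever type sesearch shows the postfix local domain may execute):
     server:/export/home  /home  nfs  defaults,context="system_u:object_r:user_home_t:s0"  0 0
2. Before writing policy, see whether the access is gated by a boolean:
     sesearch -A -s postfix_local_t -t nfs_t -c file -p execute
     getsebool -a | grep nfs
3. Only then fall back to audit2allow. Note that the sealert "leaks" plugin
   proposes a dontaudit module: that silences the message, it does not grant
   the execute permission, so the deferral would continue.
EOF
            ;;
        nfs-other)
            echo "NFS target but not the Postfix execute case; re-check with ausearch -m avc." ;;
        *)
            echo "Not an NFS denial." ;;
    esac
}

# Stand-alone run: classify the sample and print the matching remedies.
tag=$(classify_avc "$SAMPLE_AVC")
echo "classification: $tag"
remedies "$tag"
```

In practice, feed real records in with `ausearch -m avc -c local | grep '^type=AVC'` and run `classify_avc` on each line; the point of separating the fields is to see at a glance that the problem is the target type (`nfs_t`) rather than the file mode, which is why the 0775 mode and the `dontaudit` suggestion from sealert are both beside the point.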
