[CentOS] Odd SELinux messages during+after 5.3 upgrade (system_mail_t and postfix_postdrop_t access rpm_var_lib_t)

Dan Mensom mensomman at yahoo.com
Tue Apr 14 04:12:02 UTC 2009

Hey guys,

I've been getting some strange selinux messages after the 5.3 upgrade. 
It appears as though my mail system (postfix) is constantly trying to
access the rpm database? Here's the audit messages (I tend to look at 
my selinux messages using audit2allow < /var/log/audit.log as I find 
it easier to read quickly):

allow postfix_postdrop_t rpm_t:tcp_socket { read write };
allow postfix_postdrop_t rpm_var_lib_t:file { read write };
allow postfix_postdrop_t user_home_t:file { getattr append };
allow postfix_postdrop_t var_lib_t:file write;

allow system_mail_t rpm_t:tcp_socket { read write };
allow system_mail_t rpm_var_lib_t:file { read write };
allow system_mail_t var_lib_t:file write;

I've been getting the latter set continously since the upgrade. The 
first set appeared briefly when I did a 'setenforce 0' to diagnose
a spamc_t issue with calling the /usr/sbin/sendmail symlink..

They correspond to audit.log messages similar to the following:

type=AVC msg=audit(1239664501.977:9052044): avc:  denied  { write } for  pid=18901 comm="sendmail" name="transaction-done.2009-04-12.22:52.45" dev=loop0 ino=901575 scontext=user_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1239664501.977:9052044): avc:  denied  { read write } for  pid=18901 comm="sendmail" name="__db.000" dev=loop0 ino=901554 scontext=user_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=root:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1239664501.977:9052044): arch=40000003 syscall=11 success=yes exit=0 a0=5e2237b8 a1=5e223584 a2=5e2439bc a3=8 items=0 ppid=18880 pid=18901 auid=517 uid=517 gid=517 euid=517 suid=517 fsuid=517 egid=517 sgid=517 fsgid=517 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=user_u:system_r:system_mail_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1239664501.977:9052044):  path="/var/lib/rpm/__db.000"
type=AVC_PATH msg=audit(1239664501.977:9052044): path=2F7661722F6C69622F79756D2F7472616E73616374696F6E2D646F6E652E323030392D30342D31322E32323A35322E34352028646

During the upgrade it looks like it was pretty common for most packages'
contexts to attempt to access a tcp socket to rpm and do similar things 
(again, in audit2allow format):

allow tzdata_t rpm_t:tcp_socket { read write };
allow tzdata_t rpm_var_lib_t:file { read write };
allow tzdata_t var_lib_t:file write;
allow tzdata_t var_t:file read;

But I was surprised that these mail messages didn't show up till the 
following day, and are still showing up continuously now.

Does anyone know what these accesses are? And why they might be still 
continously triggering for the mail system, where as all the other 
packages have stopped causing them?

Also, on a related note, is it normally best practices to 'setenforce 0'
during a 5.x upgrade? Is it possible I've damaged something by leaving 
selinux enabled? Other than the spamassassin issue, the machine seems
to be running ok..


More information about the CentOS mailing list