posttfix and selinux
Daniel J Walsh
dwalsh at redhat.com
Mon Nov 13 17:13:59 UTC 2006
Wolfgang S. Rupprecht wrote:
> I'm temporarily running selinux in permissive mode and seeing a few
> security gripes in /var/log/messages. I assume this means that if I
> were to turn selinux back on fully I'd see some aspect of postfix
> operation start to fail.
>
> Nov 12 08:59:32 arbol kernel: audit(1163350772.647:9): avc: denied { create } for pid=3864 comm="smtp" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=netlink_route_socket
> Nov 12 08:59:32 arbol kernel: audit(1163350772.647:10): avc: denied { bind } for pid=3864 comm="smtp" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=netlink_route_socket
> Nov 12 08:59:32 arbol kernel: audit(1163350772.647:11): avc: denied { getattr } for pid=3864 comm="smtp" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=netlink_route_socket
> Nov 12 08:59:32 arbol kernel: audit(1163350772.647:12): avc: denied { write } for pid=3864 comm="smtp" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=netlink_route_socket
> Nov 12 08:59:32 arbol kernel: audit(1163350772.647:13): avc: denied { nlmsg_read } for pid=3864 comm="smtp" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=netlink_route_socket
> Nov 12 08:59:32 arbol kernel: audit(1163350772.647:14): avc: denied { read } for pid=3864 comm="smtp" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=netlink_route_socket
>
> I've run restorecon as such to fix things up, but
> /etc/postfix/prng_exch seems to un-set the correct settings
> periodically.
>
> restorecon -r -n /etc/postfix
>
> Is this operator error, or do I just need to cool my heals a bit till
> someone fixes the internals of postfix to deal with the selinux
> permissions better?
>
> -wolfgang
>
This rule is not currently in policy.
Use audit2allow -M local -i /var/log/messages
to build the policy file for this.
I will add this to next weeks policy update.
Thanks.
More information about the fedora-list
mailing list