posttfix and selinux

Daniel J Walsh dwalsh at redhat.com
Mon Nov 13 17:13:59 UTC 2006 

Wolfgang S. Rupprecht wrote:
> I'm temporarily running selinux in permissive mode and seeing a few
> security gripes in /var/log/messages.  I assume this means that if I
> were to turn selinux back on fully I'd see some aspect of postfix
> operation start to fail.
>
>     Nov 12 08:59:32 arbol kernel: audit(1163350772.647:9): avc:  denied  { create } for  pid=3864 comm="smtp" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=netlink_route_socket
>     Nov 12 08:59:32 arbol kernel: audit(1163350772.647:10): avc:  denied  { bind } for  pid=3864 comm="smtp" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=netlink_route_socket
>     Nov 12 08:59:32 arbol kernel: audit(1163350772.647:11): avc:  denied  { getattr } for  pid=3864 comm="smtp" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=netlink_route_socket
>     Nov 12 08:59:32 arbol kernel: audit(1163350772.647:12): avc:  denied  { write } for  pid=3864 comm="smtp" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=netlink_route_socket
>     Nov 12 08:59:32 arbol kernel: audit(1163350772.647:13): avc:  denied  { nlmsg_read } for  pid=3864 comm="smtp" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=netlink_route_socket
>     Nov 12 08:59:32 arbol kernel: audit(1163350772.647:14): avc:  denied  { read } for  pid=3864 comm="smtp" scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=netlink_route_socket
>
> I've run restorecon as such to fix things up, but
> /etc/postfix/prng_exch seems to un-set the correct settings
> periodically.
>
>      restorecon -r -n /etc/postfix
>
> Is this operator error, or do I just need to cool my heals a bit till
> someone fixes the internals of postfix to deal with the selinux
> permissions better?
>
> -wolfgang
>   

This rule is not currently in policy. 

Use audit2allow -M local -i /var/log/messages
to build the policy file for this.

I will add this to next weeks policy update.

Thanks.

More information about the fedora-list mailing list