[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SeLinux and mail relaying



redhatdude bellsouth net wrote:

On Jul 10, 2006, at 3:49 AM, Paul Howarth wrote:

On Fri, 2006-07-07 at 16:34 -0400, redhatdude bellsouth net wrote:
Hi,
While trying to set up a mail cgi script, I discovered that Selinux
is not allowing relaying mail from anything but postfix. I realized
this when I turned off selinux and I started getting the result of
cron jobs and other similar system emails.
So my question is ,  how can I make selinux allow programs other than
postfix and cyrus to relay emails?

Can you post the AVC messages you are getting when mail from cron is
being blocked by SELinux?

Paul.


Hi,
Here it is.
Thanks for you help.
EJ

Sorry I was away on Vacation.
type=AVC_PATH msg=audit(1152547081.207:3467): path="/var/lib/imap/socket/lmtp" type=SOCKADDR msg=audit(1152547081.207:3467): saddr=01002F7661722F6C69622F696D61702F736F636B65742F6C6D74700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 type=SOCKETCALL msg=audit(1152547081.207:3467): nargs=3 a0=b a1=bfc966ec a2=6e type=PATH msg=audit(1152547081.207:3467): item=0 name=(null) inode=8585327 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cyrus_var_lib_t:s0 type=AVC msg=audit(1152547081.303:3468): avc: denied { connectto } for pid=31220 comm="lmtp" name="lmtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1152547081.303:3468): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bffc5900 a2=f8e430 a3=f90c24 items=1 pid=31220 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) comm="lmtp" exe="/usr/libexec/postfix/lmtp" subj=system_u:system_r:postfix_master_t:s0 type=AVC_PATH msg=audit(1152547081.303:3468): path="/var/lib/imap/socket/lmtp"
I am not sure what lmtp is but is looks like it does not have a domain around it so you will probably need to add this rule,
type=SOCKADDR msg=audit(1152547081.303:3468): saddr=01002F7661722F6C69622F696D61702F736F636B65742F6C6D74700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 type=SOCKETCALL msg=audit(1152547081.303:3468): nargs=3 a0=b a1=bffc5a1c a2=6e type=PATH msg=audit(1152547081.303:3468): item=0 name=(null) inode=8585327 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cyrus_var_lib_t:s0

This is the message I get when I try to run a mail form cgi script, which is why I realized that I was having problems with my system sending mail.

type=AVC msg=audit(1152547494.882:3475): avc: denied { getattr } for pid=31270 comm="postdrop" name="[165322]" dev=pipefs ino=165322 scontext=user_u:system_r:postfix_postdrop_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=fifo_file type=SYSCALL msg=audit(1152547494.882:3475): arch=40000003 syscall=197 success=no exit=-13 a0=2 a1=bfa6d7c0 a2=50aff4 a3=3 items=0 pid=31270 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) comm="postdrop" exe="/usr/sbin/postdrop" subj=user_u:system_r:postfix_postdrop_t:s0
type=AVC_PATH msg=audit(1152547494.882:3475):  path="pipe:[165322]"
not sure why postdrop wants to talk to a fifo file owned by apache?
type=AVC msg=audit(1152547495.010:3476): avc: denied { connectto } for pid=31274 comm="lmtp" name="lmtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket type=SYSCALL msg=audit(1152547495.010:3476): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bffb50f0 a2=4b1430 a3=4b3c24 items=1 pid=31274 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) comm="lmtp" exe="/usr/libexec/postfix/lmtp" subj=system_u:system_r:postfix_master_t:s0 type=AVC_PATH msg=audit(1152547495.010:3476): path="/var/lib/imap/socket/lmtp" type=SOCKADDR msg=audit(1152547495.010:3476): saddr=01002F7661722F6C69622F696D61702F736F636B65742F6C6D74700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 type=SOCKETCALL msg=audit(1152547495.010:3476): nargs=3 a0=b a1=bffb520c a2=6e type=PATH msg=audit(1152547495.010:3476): item=0 name=(null) inode=8585327 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cyrus_var_lib_t:s0

--
I would suggest you turn off enforcing mode and generate all the AVC messages. Then
use audit2allow to generate a loadable policy module.

audit2allow -M imtp -i /var/log/messages
semodule -i impt.pp

Then someone can convince me or upstream to add the policy.  :^)

fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]