SMTP-AUTH
Daniel J Walsh
dwalsh at redhat.com
Tue Nov 13 21:43:56 UTC 2007
John Griffiths wrote:
> I am trying to use dovecot with postfix to provide smtp-auth. The
> instructions provided by postfix http://www.postfix.org/SASL_README.html
> work perfectly in Fedora Core 6.
>
> Using the exact same procedure in Fedora 7 results in some conflicts
> between dovecot_auth_t and postfix_private_t. Since using Dovecot for
> SASL smtp-auth is the preferred way according to Postfix, I suspect
> there must be something I am missing or maybe there is an oversight in
> the policies.
>
> Using sealert -l on the denial for dovecot results in:
>
> Summary
> SELinux is preventing /usr/libexec/dovecot/dovecot-auth (dovecot_auth_t)
> "write" to auth (postfix_private_t).
>
> Detailed Description
> SELinux denied access requested by /usr/libexec/dovecot/dovecot-auth. It is
> not expected that this access is required by /usr/libexec/dovecot/dovecot-auth
> and this access may signal an intrusion attempt. It is also possible that the
> specific version or configuration of the application is causing it to require
> additional access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for auth, restorecon -v auth If this
> does not work, there is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access - see
> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
> against this package.
>
> Additional Information
>
> Source Context         system_u:system_r:dovecot_auth_t
> Target Context         root:object_r:postfix_private_t
> Target Objects         auth [ sock_file ]
> Affected RPM Packages  dovecot-1.0.5-15.fc7 [application]
> Policy RPM             selinux-policy-2.6.4-48.fc7
> Selinux Enabled        True
> Policy Type            targeted
> MLS Enabled            True
> Enforcing Mode         Enforcing
> Plugin Name            plugins.catchall_file
> Host Name              gei.internal.grifent.com
> Platform               Linux gei.internal.grifent.com 2.6.23.1-10.fc7 #1
>                        SMP Fri Oct 19 15:39:08 EDT 2007 i686 i686
> Alert Count            2
> First Seen             Wed Oct 31 03:39:55 2007
> Last Seen              Wed Oct 31 11:55:12 2007
> Local ID               8b0a6068-b654-4151-b82e-c149d3b9d57b
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { write } for comm="dovecot-auth" dev=dm-0 egid=0 euid=0
> exe="/usr/libexec/dovecot/dovecot-auth" exit=-13 fsgid=0 fsuid=0
> gid=0 items=0
> name="auth" pid=2545 scontext=system_u:system_r:dovecot_auth_t:s0 sgid=0
> subj=system_u:system_r:dovecot_auth_t:s0 suid=0 tclass=sock_file
> tcontext=root:object_r:postfix_private_t:s0 tty=(none) uid=0
>
> Dovecot writes a socket to /var/spool/postfix/private/auth with
> permissions of 660. This is done when dovecot starts and on FC6, the
> file is transitioned to be owned by postfix with a group of postfix. The
> transition of owner/group does not happen on Fedora 7.
>
> The auth socket is necessary to do smtp-auth.
>
> Did I miss something in the configuration on Fedora 7?
>
> Regards,
> John
Should be fixed in selinux-policy-2.6.4-57.fc7
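The raw audit message quoted in the thread above carries everything needed to see which access was refused: source type, target type, object class and permission. The following is an added example, not part of the original messages and not the policy change shipped in the fixed package; it parses that AVC record and produces the type-enforcement rule the denial corresponds to, in the form audit2allow proposes. The second record and the names `parse_avc` and `candidate_rules` are constructed for illustration.

```python
import re
from collections import defaultdict

# Raw audit message from the post, with the mail client's line wraps rejoined.
POSTED_AVC = (
    'avc: denied { write } for comm="dovecot-auth" dev=dm-0 egid=0 euid=0 '
    'exe="/usr/libexec/dovecot/dovecot-auth" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="auth" pid=2545 scontext=system_u:system_r:dovecot_auth_t:s0 sgid=0 '
    'subj=system_u:system_r:dovecot_auth_t:s0 suid=0 tclass=sock_file '
    'tcontext=root:object_r:postfix_private_t:s0 tty=(none) uid=0'
)
# Constructed record (not from the post) to show permissions being merged.
CONSTRUCTED_AVC = (
    'avc: denied { getattr setattr } for comm="dovecot-auth" name="auth" '
    'scontext=system_u:system_r:dovecot_auth_t:s0 tclass=sock_file '
    'tcontext=root:object_r:postfix_private_t:s0'
)

PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(record):
    """Return (perms, source_type, target_type, tclass) for a denial, else None."""
    m = PERMS_RE.search(record)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(record)}
    if m is None or not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # not a denial, or truncated: do not guess missing parts
    # A context is user:role:type[:level]; type enforcement uses only the type.
    src, tgt = (fields[k].split(":") for k in ("scontext", "tcontext"))
    if len(src) < 3 or len(tgt) < 3:
        return None
    return set(m.group(1).split()), src[2], tgt[2], fields["tclass"]

def candidate_rules(records):
    """Merge denials per (source, target, class) into allow rules for review."""
    merged = defaultdict(set)
    for rec in records:
        parsed = parse_avc(rec)
        if parsed is None:
            continue
        perms, src, tgt, cls = parsed
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules
```

Treat the output as a candidate for review rather than a fix: the resolution given in this thread was an updated selinux-policy package, not a local rule.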