thr3ads.net - CentOS - [CentOS] SELinux AVC problem postfix <-> dspam [Oct 2012]

If this information is useful, please help other people find it:
Share via:

Patrick Lists

2012-Oct-22 16:06 UTC

[CentOS] SELinux AVC problem postfix <-> dspam

Hi,

I guess this is a bit OT but perhaps someone has encountered this issue 
before. On a CentOS 6.3 x86_64 box I have installed postfix and dspam 
from EPEL. Dspam is configured to listen on port 10026. After having 
configured dspam and postfix I start dspam and then postfix and I see 
the following AVC message in audit.log:

type=AVC msg=audit(1350920492.936:400): avc:  denied  { name_bind } for 
  pid=19971 comm="master" src=10026 
scontext=unconfined_u:system_r:postfix_master_t:s0 
tcontext=system_u:object_r:postfix_master_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1350920492.936:400): arch=c000003e syscall=49 
success=no exit=-13 a0=5b a1=7f015fa63b30 a2=10 a3=7fff6b2bf89c items=0 
ppid=1 pid=19971 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) ses=4 comm="master" 
exe="/usr/libexec/postfix/master" 
subj=unconfined_u:system_r:postfix_master_t:s0 key=(null)

When I run sudo grep 1350920492 /var/log/audit/audit.log | audit2allow 
-M postfix-dspam I get:

$ cat postfix-dspam.te

module pf 1.0;

require {
	type postfix_master_t;
	class tcp_socket name_bind;
}

#============= postfix_master_t =============allow postfix_master_t
self:tcp_socket name_bind;


To fix this issue activate the postfix-dspam policy with:
# semodule -i postfix-dspam.pp


Can anyone confirm this is the correct way to fix this problem?
Should I file a bug?

Thanks and regards,
Patrick

Patrick Lists

2012-Oct-22 19:06 UTC

head link

[CentOS] SELinux AVC problem postfix <-> dspam

On 10/22/2012 06:06 PM, Patrick Lists wrote:
[snip]

Solved with:
# semanage port -a -t smtp_port_t -p tcp 10026

Now trying to wrap my head around the next AVC which occurs when postfix 
wants to pass an incoming email via lmtp to dspam via 
/var/run/dspam/dspam.sock:

type=AVC msg=audit(1350931969.438:436): avc:  denied  { write } for 
pid=20266 comm="lmtp" name="dspam.sock" dev=vda2 ino=9935 
scontext=unconfined_u:system_r:postfix_smtp_t:s0 
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1350931969.438:436): arch=c000003e syscall=42 
success=no exit=-13 a0=c a1=7ffff8b66760 a2=6e a3=7ffff8b66410 items=0 
ppid=20258 pid=20266 auid=500 uid=89 gid=89 euid=89 suid=89 fsuid=89 
egid=89 sgid=89 fsgid=89 tty=(none) ses=4 comm="lmtp" 
exe="/usr/libexec/postfix/lmtp" 
subj=unconfined_u:system_r:postfix_smtp_t:s0 key=(null)

Which could be solved with the following policy:

module pf 1.0;

require {
	type var_run_t;
	type postfix_smtp_t;
	class sock_file write;
}

#============= postfix_smtp_t =============allow postfix_smtp_t
var_run_t:sock_file write;


Suggestions what the proper fix would be are most appreciated.

Regards,
Patrick

Maybe Matching Threads

Search for more seemingly similar threads

CentOS - Oct 2012 - SELinux AVC problem postfix <-> dspam

[CentOS] SELinux AVC problem postfix <-> dspam

[CentOS] SELinux AVC problem postfix <-> dspam

Maybe Matching Threads