Displaying 8 results from an estimated 8 matches for "postfix_spool_maildrop_t".

2014 Apr 23
1
SELinux and POSTFIX
...9F /var/log/audit/audit.log | audit2why type=AVC msg=audit(1398199187.646:29332): avc: denied { getattr } for pid=23387 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. type=AVC msg=audit(1398199187.646:29333): avc: denied { read write } for pid=23387 comm="smtp" name="546AA6099F" dev=dm-0...
2015 Apr 26
2
Broken SELinux Postfix Policy?
...ing to restart postfix installed from yum. Restart fails, I get: type=AVC msg=audit(1430429813.721:12167): avc: denied { unlink } for pid=31624 comm="master" name="defer" dev="dm-0" ino=981632 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=sock_file I guess it needs to remove the /var/spool/postfix/defer socket file. audit2allow says this will fix it: allow postfix_master_t postfix_spool_maildrop_t:sock_file unlink; But how do I add this permission to the existing Postfix SELinux policy??? Why was it missing??? By the...
2014 Dec 05
2
Postfix avc (SELinux)
...x_showq_t ============== > allow postfix_showq_t tmp_t:dir read; Any reason postfix would be listing the contents of /tmp or /var/tmp? Did you put some content into these directories that have something to do with mail? > #============= postfix_smtp_t ============== > allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr }; > >
2014 Dec 04
3
Postfix avc (SELinux)
I am seeing these avc messages on a newly commissioned and up-to-date CentOS-6 virtual guest: ---- time->Thu Dec 4 12:14:58 2014 type=SYSCALL msg=audit(1417713298.610:60522): arch=c000003e syscall=2 success=no exit=-13 a0=7fd70e6de1e6 a1=0 a2=1b6 a3=0 items=0 ppid=2698 pid=4294 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2784 comm="trivial-rewrite"
2014 Dec 04
0
Postfix avc (SELinux)
..._t ============== allow postfix_master_t tmp_t:dir read; #============= postfix_postdrop_t ============== allow postfix_postdrop_t tmp_t:dir read; #============= postfix_showq_t ============== allow postfix_showq_t tmp_t:dir read; #============= postfix_smtp_t ============== allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr }; -- *** E-Mail is NOT a SECURE channel *** James B. Byrne mailto:ByrneJB at Harte-Lyne.ca Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax:...
2014 Dec 05
0
Postfix avc (SELinux)
...with mail? That question I need put to the Postfix mailing list. I see nothing in the spec file that bears on the matter and the tarball was pulled from: ftp://ftp.porcupine.org/mirrors/postfix-release/official/ >> #============= postfix_smtp_t ============== >> allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr }; >> >> -- *** E-Mail is NOT a SECURE channel *** James B. Byrne mailto:ByrneJB at Harte-Lyne.ca Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontari...
2014 Dec 09
0
Postfix avc (SELinux)
...x mailing list. I see nothing in the >> spec file that bears on the matter and the tarball was pulled from: >> >> ftp://ftp.porcupine.org/mirrors/postfix-release/official/ >> >>>> #============= postfix_smtp_t ============== >>>> allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr }; >>>> >>>> I do not know why my build of Postfix is looking in /tmp. According to Wietse Venema the base Postfix tarball does not access /tmp at all. So it must be one of the patches, but I have not yet uncovered which one. In any case, this r...
2014 Dec 12
0
More avc's wrt to email
...; #============= clamscan_t ============== #!!!! The source type 'clamscan_t' can write to a 'dir' of the following types: # clamscan_tmp_t, clamd_var_lib_t, tmp_t, root_t allow clamscan_t amavis_spool_t:dir write; #============= postfix_smtp_t ============== allow postfix_smtp_t postfix_spool_maildrop_t:file open; #============= spamd_t ============== allow spamd_t etc_runtime_t:file append; Is there anything wrong with just creating a local policy module for these and loading it? -- *** E-Mail is NOT a SECURE channel *** James B. Byrne mailto:ByrneJB at Harte...