[CentOS] SELinux, postfix and milters

Tue May 6 16:20:40 UTC 2008
Michael Saavedra <michael.saavedra at comserco.com>

Hi all,

I'm trying to add some milters (particularly spamass-milter and 
clamav-milter, which I acquired through rpmforge) to my postfix 
configuration on CentOS 5 with the targeted SELinux policy.

I'm running into difficulty getting postfix to communicate through the 
unix domain sockets created by the milters, because SELinux keeps 
blocking them. I've attempted to use audit2allow to fix this, and made 
some progress in allowing postfix to write to the socket. I'm getting 
stuck on the following audit.log error, though.


type=AVC msg=audit(1210016235.033:6265): avc:  denied  { use } for 
pid=17995 comm="cleanup" path="socket:[372498]" dev=sockfs ino=372498 
scontext=root:system_r:postfix_cleanup_t:s0 
tcontext=root:system_r:postfix_smtpd_t:s0 tclass=fd
type=SYSCALL msg=audit(1210016235.033:6265): arch=c000003e syscall=47 
success=yes exit=1 a0=9 a1=7fff0ec2f220 a2=0 a3=0 items=0 ppid=17983 
pid=17995 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 
fsgid=89 tty=(none) comm="cleanup" exe="/usr/libexec/postfix/cleanup" 
subj=root:system_r:postfix_cleanup_t:s0 key=(null)


I use audit2allow to try to fix this, but the resulting rule:

allow postfix_cleanup_t postfix_smtpd_t:fd use;

does nothing to help. Has anyone successfully added unix domain socket 
based milters to postfix without disabling SELinux? If anyone has any 
suggestions, I'd be grateful.

Thanks,
Michael Saavedra
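
Added example, not part of the original post: a Python sketch that pairs the AVC and SYSCALL records quoted above by their shared audit serial (6265), derives the allow rule from the AVC fields, and names the system call involved. The function names and the two-entry x86_64 syscall table are assumptions made for illustration; the log lines are the post's own records rejoined onto single lines.

```python
import re

# The two audit records from the post, each rejoined onto one line.
AUDIT_LOG = """\
type=AVC msg=audit(1210016235.033:6265): avc:  denied  { use } for pid=17995 comm="cleanup" path="socket:[372498]" dev=sockfs ino=372498 scontext=root:system_r:postfix_cleanup_t:s0 tcontext=root:system_r:postfix_smtpd_t:s0 tclass=fd
type=SYSCALL msg=audit(1210016235.033:6265): arch=c000003e syscall=47 success=yes exit=1 a0=9 a1=7fff0ec2f220 a2=0 a3=0 items=0 ppid=17983 pid=17995 auid=0 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=root:system_r:postfix_cleanup_t:s0 key=(null)
"""

# Illustrative subset of the x86_64 (arch=c000003e) syscall table.
X86_64_SYSCALLS = {"46": "sendmsg", "47": "recvmsg"}

HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")

def parse_events(text):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, _timestamp, serial = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if rtype == "AVC":
            fields["perms"] = PERMS.search(line).group(1).split()
        events.setdefault(serial, {})[rtype] = fields
    return events

def allow_rule(avc):
    """Build a type-enforcement rule from the type field of each context."""
    src = avc["scontext"].split(":")[2]
    tgt = avc["tcontext"].split(":")[2]
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{avc['tclass']} {perm_str};"

def summarize(event):
    """Combine the AVC denial with its SYSCALL record for one event."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    name = "unknown"
    if sc.get("arch") == "c000003e":
        name = X86_64_SYSCALLS.get(sc.get("syscall"), "unknown")
    return {"rule": allow_rule(avc), "syscall": name, "exe": sc.get("exe"), "path": avc.get("path")}

if __name__ == "__main__":
    print(summarize(parse_events(AUDIT_LOG)["6265"]))
```

For the records above this yields the same rule audit2allow produced, and shows the denial was logged during a recvmsg call made by /usr/libexec/postfix/cleanup on a socket.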