[CentOS] SELinux AVC problem postfix <-> dspam

Patrick Lists centos-list at puzzled.xs4all.nl
Mon Oct 22 19:06:41 UTC 2012


On 10/22/2012 06:06 PM, Patrick Lists wrote:
[snip]

Solved with:
# semanage port -a -t smtp_port_t -p tcp 10026

Now trying to wrap my head around the next AVC which occurs when postfix 
wants to pass an incoming email via lmtp to dspam via 
/var/run/dspam/dspam.sock:

type=AVC msg=audit(1350931969.438:436): avc:  denied  { write } for pid=20266 comm="lmtp" name="dspam.sock" dev=vda2 ino=9935 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1350931969.438:436): arch=c000003e syscall=42 success=no exit=-13 a0=c a1=7ffff8b66760 a2=6e a3=7ffff8b66410 items=0 ppid=20258 pid=20266 auid=500 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4 comm="lmtp" exe="/usr/libexec/postfix/lmtp" subj=unconfined_u:system_r:postfix_smtp_t:s0 key=(null)

Which could be solved with the following policy:

module pf 1.0;

require {
	type var_run_t;
	type postfix_smtp_t;
	class sock_file write;
}

#============= postfix_smtp_t ==============
allow postfix_smtp_t var_run_t:sock_file write;


Suggestions as to what the proper fix would be are most appreciated.

Regards,
Patrick
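
Added example, not part of the original message: a small parser for the AVC record quoted above that rebuilds the allow rule from the denial and reports how far that rule reaches when the target type is a generic one. The function names and the GENERIC_TYPES list are assumptions made for this illustration.

```python
import re

# Constructed input: the AVC record from the message, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1350931969.438:436): avc:  denied  { write } for '
    'pid=20266 comm="lmtp" name="dspam.sock" dev=vda2 ino=9935 '
    'scontext=unconfined_u:system_r:postfix_smtp_t:s0 '
    'tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file'
)

# Assumption: a short, non-exhaustive list of catch-all file types.
GENERIC_TYPES = {"var_run_t", "var_t", "tmp_t", "usr_t", "etc_t", "default_t", "file_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None for other lines."""
    m = AVC_RE.search(line)
    if not m or not m.group(1).strip():
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    try:
        # A context is user:role:type[:level]; the type is the third part.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {"perms": m.group(1).split(), "source": source, "target": target,
            "tclass": tclass, "name": fields.get("name"), "comm": fields.get("comm")}

def allow_rule(rec):
    """Build the allow rule that would silence this denial."""
    perms = rec["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['source']} {rec['target']}:{rec['tclass']} {perm_text};"

def scope_note(rec):
    """Say how far the rule reaches when the target type is a generic one."""
    if rec["target"] in GENERIC_TYPES:
        return (f"{rec['target']} is a generic type: the rule covers every "
                f"{rec['tclass']} with that label, not only {rec['name']}")
    return None

if __name__ == "__main__":
    record = parse_avc(SAMPLE_AVC)
    print(allow_rule(record))
    print(scope_note(record))
```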



