[CentOS] Postfix avc (SELinux)

Fri Dec 5 18:24:06 UTC 2014
James B. Byrne <byrnejb at harte-lyne.ca>

On Fri, December 5, 2014 04:53, Daniel J Walsh wrote:
>
> On 12/04/2014 03:22 PM, James B. Byrne wrote:
>> On Thu, December 4, 2014 12:29, James B. Byrne wrote:
>>> Re: SELinux. Do I just build a local policy or is there some boolean
>>> setting needed to handle this?  I could not find one if there is but. . .
>>>
>> Anyone see any problem with generating a custom policy consisting of the
>> following?
>>
>> grep avc /var/log/audit/audit.log | audit2allow
>>
>>
>> #============= amavis_t ==============
>> allow amavis_t shell_exec_t:file execute;
>> allow amavis_t sysfs_t:dir search;
>>
>> #============= clamscan_t ==============
>> allow clamscan_t amavis_spool_t:dir read;
> In the latest rhel6 policies amavis_t and clamscan_t have been merged
> into antivirus_t?  Is your selinux-policy up to date?

Yes, everything is up-to-date as of the time of report and I have checked
again this morning.  That system has no unapplied fixes for software provided
through the official CentOS-6 repositories.  Does this change apply only to 7
or has it been backported?  Both amavisd-new and clamav are provided via the
epel repository.

>> #============= logwatch_mail_t ==============
>> allow logwatch_mail_t usr_t:lnk_file read;
>>
>> #============= postfix_master_t ==============
>> allow postfix_master_t tmp_t:dir read;
>>
>> #============= postfix_postdrop_t ==============
>> allow postfix_postdrop_t tmp_t:dir read;
>>
>> #============= postfix_showq_t ==============
>> allow postfix_showq_t tmp_t:dir read;

> Any reason postfix would be listing the contents of /tmp or /var/tmp?
> Did you put some content into these directories that have something to
> do with mail?

That question I need to put to the Postfix mailing list. I see nothing in the
spec file that bears on the matter and the tarball was pulled from:

 ftp://ftp.porcupine.org/mirrors/postfix-release/official/

>> #============= postfix_smtp_t ==============
>> allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr };
-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
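The thread pipes `grep avc /var/log/audit/audit.log | audit2allow` and asks whether the resulting rules should simply be loaded. The script below is an added illustration, not part of the thread and not audit2allow itself: it parses AVC records into the same `allow source target:class perms;` layout and then flags the two kinds of rule the replies question (a domain gaining `execute` on a binary, and a mail daemon touching the shared `tmp_t` directory) so they are investigated rather than pasted into a local module. The audit.log lines are constructed to mirror the denials quoted above; the review heuristics are this example's own assumptions, not SELinux policy.

```python
#!/usr/bin/env python3
"""Summarise SELinux AVC denials into audit2allow-style rules and flag the
ones that deserve a second look before they go into a local policy module.

Added example for this thread; it does not call any SELinux tooling, so it
runs anywhere. Sample log lines are constructed, not real data."""
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log content (not real data),
# modelled on the denials quoted in the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1417720000.101:201): avc:  denied  { execute } for  pid=2101 comm="amavisd" name="sh" dev=dm-0 ino=1311 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1417720000.102:202): avc:  denied  { search } for  pid=2101 comm="amavisd" name="/" dev=sysfs ino=1 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1417720000.103:203): avc:  denied  { read } for  pid=2200 comm="clamscan" name="tmp" dev=dm-0 ino=5000 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_spool_t:s0 tclass=dir
type=AVC msg=audit(1417720000.104:204): avc:  denied  { read } for  pid=2300 comm="postdrop" name="tmp" dev=dm-0 ino=2 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1417720000.105:205): avc:  denied  { read } for  pid=2301 comm="smtp" name="maildrop" dev=dm-0 ino=77 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1417720000.106:206): avc:  denied  { write } for  pid=2301 comm="smtp" name="maildrop" dev=dm-0 ino=77 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1417720000.107:207): avc:  denied  { getattr } for  pid=2301 comm="smtp" name="maildrop" dev=dm-0 ino=77 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=SYSCALL msg=audit(1417720000.107:207): arch=c000003e syscall=2 success=no exit=-13
"""

# One AVC record: the permission set, then the type field (third colon-separated
# component) of the source and target contexts, then the object class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}"
    r".*?scontext=(?:[^:\s]+:){2}(?P<stype>[^:\s]+)"
    r".*?tcontext=(?:[^:\s]+:){2}(?P<ttype>[^:\s]+)"
    r".*?tclass=(?P<tclass>\w+)"
)

# Review heuristics (this example's assumptions, not policy): tmp_t is the
# shared temp label, and these file permissions let a domain run new code.
SHARED_TMP_TYPES = {"tmp_t"}
EXEC_PERMS = {"execute", "execute_no_trans", "entrypoint"}


def parse_avc_denials(log_text):
    """Return {(source_type, target_type, tclass): set(permissions)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL and other record types carry no avc tuple
            continue
        key = (m.group("stype"), m.group("ttype"), m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return dict(rules)


def format_policy(rules):
    """Render rules grouped by source domain in the layout audit2allow prints.
    Permission sets are sorted so the output is deterministic."""
    out = []
    for stype in sorted({k[0] for k in rules}):
        out.append(f"#============= {stype} ==============")
        for key in sorted(k for k in rules if k[0] == stype):
            _, ttype, tclass = key
            perms = sorted(rules[key])
            perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
            out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
        out.append("")
    return "\n".join(out)


def review_flags(rules):
    """Return (rule_key, reason) pairs for rules to question before allowing."""
    flags = []
    for key, perms in sorted(rules.items()):
        _, ttype, tclass = key
        if ttype in SHARED_TMP_TYPES:
            flags.append((key, "reads a shared temp directory; find out why the daemon needs it"))
        if tclass == "file" and perms & EXEC_PERMS:
            flags.append((key, f"lets the domain execute {ttype}; widens what a compromise can run"))
    return flags


if __name__ == "__main__":
    parsed = parse_avc_denials(SAMPLE_AUDIT_LOG)
    print(format_policy(parsed))
    for (stype, ttype, tclass), reason in review_flags(parsed):
        print(f"REVIEW: allow {stype} {ttype}:{tclass} -- {reason}")
```

Run against a real audit.log the output matches what `audit2allow` prints (apart from permission ordering); the REVIEW lines are the ones to answer before building a module with `audit2allow -M`, since an allow rule silences the denial but never explains it.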