SeLinux and mail relaying

Daniel J Walsh dwalsh at redhat.com
Thu Jul 13 14:45:02 UTC 2006


redhatdude at bellsouth.net wrote:
>>
>> On Jul 10, 2006, at 3:49 AM, Paul Howarth wrote:
>>
>>> On Fri, 2006-07-07 at 16:34 -0400, redhatdude at bellsouth.net wrote:
>>>> Hi,
>>>> While trying to set up a mail cgi script, I discovered that Selinux
>>>> is not allowing relaying mail from anything but postfix. I realized
>>>> this when I turned off selinux and I started getting the result of
>>>> cron jobs and other similar system emails.
>>>> So my question is, how can I make selinux allow programs other than
>>>> postfix and cyrus to relay emails?
>>>
>>> Can you post the AVC messages you are getting when mail from cron is
>>> being blocked by SELinux?
>>>
>>> Paul.
>>>
>>
> Hi,
> Here it is.
> Thanks for your help.
> EJ
>
Sorry I was away on Vacation.
> type=AVC_PATH msg=audit(1152547081.207:3467):  
> path="/var/lib/imap/socket/lmtp"
> type=SOCKADDR msg=audit(1152547081.207:3467): 
> saddr=01002F7661722F6C69622F696D61702F736F636B65742F6C6D74700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 
>
> type=SOCKETCALL msg=audit(1152547081.207:3467): nargs=3 a0=b 
> a1=bfc966ec a2=6e
> type=PATH msg=audit(1152547081.207:3467): item=0 name=(null) 
> inode=8585327 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00 
> obj=system_u:object_r:cyrus_var_lib_t:s0
> type=AVC msg=audit(1152547081.303:3468): avc:  denied  { connectto } 
> for  pid=31220 comm="lmtp" name="lmtp" 
> scontext=system_u:system_r:postfix_master_t:s0 
> tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
> type=SYSCALL msg=audit(1152547081.303:3468): arch=40000003 syscall=102 
> success=no exit=-13 a0=3 a1=bffc5900 a2=f8e430 a3=f90c24 items=1 
> pid=31220 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 
> egid=89 sgid=89 fsgid=89 tty=(none) comm="lmtp" 
> exe="/usr/libexec/postfix/lmtp" 
> subj=system_u:system_r:postfix_master_t:s0
> type=AVC_PATH msg=audit(1152547081.303:3468):  
> path="/var/lib/imap/socket/lmtp"
I am not sure what lmtp is but it looks like it does not have a domain 
around it so you will probably need to add this rule,
> type=SOCKADDR msg=audit(1152547081.303:3468): 
> saddr=01002F7661722F6C69622F696D61702F736F636B65742F6C6D74700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 
>
> type=SOCKETCALL msg=audit(1152547081.303:3468): nargs=3 a0=b 
> a1=bffc5a1c a2=6e
> type=PATH msg=audit(1152547081.303:3468): item=0 name=(null) 
> inode=8585327 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00 
> obj=system_u:object_r:cyrus_var_lib_t:s0
>
> This is the message I get when I try to run a mail form cgi script, 
> which is why I realized that I was having problems with my system 
> sending mail.
>
> type=AVC msg=audit(1152547494.882:3475): avc:  denied  { getattr } 
> for  pid=31270 comm="postdrop" name="[165322]" dev=pipefs ino=165322 
> scontext=user_u:system_r:postfix_postdrop_t:s0 
> tcontext=user_u:system_r:httpd_t:s0 tclass=fifo_file
> type=SYSCALL msg=audit(1152547494.882:3475): arch=40000003 syscall=197 
> success=no exit=-13 a0=2 a1=bfa6d7c0 a2=50aff4 a3=3 items=0 pid=31270 
> auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 
> fsgid=90 tty=(none) comm="postdrop" exe="/usr/sbin/postdrop" 
> subj=user_u:system_r:postfix_postdrop_t:s0
> type=AVC_PATH msg=audit(1152547494.882:3475):  path="pipe:[165322]"
Not sure why postdrop wants to talk to a fifo file owned by apache?
> type=AVC msg=audit(1152547495.010:3476): avc:  denied  { connectto } 
> for  pid=31274 comm="lmtp" name="lmtp" 
> scontext=system_u:system_r:postfix_master_t:s0 
> tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
> type=SYSCALL msg=audit(1152547495.010:3476): arch=40000003 syscall=102 
> success=no exit=-13 a0=3 a1=bffb50f0 a2=4b1430 a3=4b3c24 items=1 
> pid=31274 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 
> egid=89 sgid=89 fsgid=89 tty=(none) comm="lmtp" 
> exe="/usr/libexec/postfix/lmtp" 
> subj=system_u:system_r:postfix_master_t:s0
> type=AVC_PATH msg=audit(1152547495.010:3476):  
> path="/var/lib/imap/socket/lmtp"
> type=SOCKADDR msg=audit(1152547495.010:3476): 
> saddr=01002F7661722F6C69622F696D61702F736F636B65742F6C6D74700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 
>
> type=SOCKETCALL msg=audit(1152547495.010:3476): nargs=3 a0=b 
> a1=bffb520c a2=6e
> type=PATH msg=audit(1152547495.010:3476): item=0 name=(null) 
> inode=8585327 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00 
> obj=system_u:object_r:cyrus_var_lib_t:s0
>
> -- 
I would suggest you turn off enforcing mode and generate all the AVC 
messages.  Then use audit2allow to generate a loadable policy module.

audit2allow -M lmtp -i /var/log/messages
semodule -i lmtp.pp

Then someone can convince me or upstream to add the policy.  :^)
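To show what audit2allow derives from the AVC lines quoted above, here is an added example (not from the original thread or from the audit2allow tool itself) that parses constructed copies of the two distinct denials, merges duplicates, and renders the type-enforcement module body such a run would produce. The module name lmtp and version 1.0 are assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample: the distinct denials quoted above (lmtp connectto appears twice).
SAMPLE_AVCS = """
type=AVC msg=audit(1152547081.303:3468): avc:  denied  { connectto } for  pid=31220 comm="lmtp" name="lmtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1152547494.882:3475): avc:  denied  { getattr } for  pid=31270 comm="postdrop" name="[165322]" dev=pipefs ino=165322 scontext=user_u:system_r:postfix_postdrop_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=fifo_file
type=AVC msg=audit(1152547495.010:3476): avc:  denied  { connectto } for  pid=31274 comm="lmtp" name="lmtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def type_of(context):
    """user_u:role_r:type_t:s0 -> type_t (the part an allow rule names)."""
    return context.split(":")[2]

def parse_avcs(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = OrderedDict()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m.group("s")), type_of(m.group("t")), m.group("cls"))
            rules.setdefault(key, set()).update(m.group("perms").split())
    return rules

def fmt_perms(perms):
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"

def to_te(rules, module="lmtp", version="1.0"):
    """Render the .te body that audit2allow -M <module> would write for these rules."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = OrderedDict()
    for (_, _, cls), perms in rules.items():
        classes.setdefault(cls, set()).update(perms)
    out = ["module %s %s;" % (module, version), "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s %s;" % (c, fmt_perms(p)) for c, p in classes.items()]
    out += ["}", ""]
    # The lmtp rule reaches any initrc_t socket; a real domain for the cyrus socket is narrower.
    out += ["allow %s %s:%s %s;" % (s, t, c, fmt_perms(p)) for (s, t, c), p in rules.items()]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(to_te(parse_avcs(SAMPLE_AVCS)), end="")
```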
