SELinux and mail relaying
Daniel J Walsh
dwalsh at redhat.com
Thu Jul 13 14:45:02 UTC 2006
redhatdude at bellsouth.net wrote:
>>
>> On Jul 10, 2006, at 3:49 AM, Paul Howarth wrote:
>>
>>> On Fri, 2006-07-07 at 16:34 -0400, redhatdude at bellsouth.net wrote:
>>>> Hi,
>>>> While trying to set up a mail cgi script, I discovered that Selinux
>>>> is not allowing relaying mail from anything but postfix. I realized
>>>> this when I turned off selinux and I started getting the result of
>>>> cron jobs and other similar system emails.
>>>> So my question is , how can I make selinux allow programs other than
>>>> postfix and cyrus to relay emails?
>>>
>>> Can you post the AVC messages you are getting when mail from cron is
>>> being blocked by SELinux?
>>>
>>> Paul.
>>>
>>
> Hi,
> Here it is.
> Thanks for your help.
> EJ
>
Sorry, I was away on vacation.
> type=AVC_PATH msg=audit(1152547081.207:3467):
> path="/var/lib/imap/socket/lmtp"
> type=SOCKADDR msg=audit(1152547081.207:3467):
> saddr=01002F7661722F6C69622F696D61702F736F636B65742F6C6D74700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>
> type=SOCKETCALL msg=audit(1152547081.207:3467): nargs=3 a0=b
> a1=bfc966ec a2=6e
> type=PATH msg=audit(1152547081.207:3467): item=0 name=(null)
> inode=8585327 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:cyrus_var_lib_t:s0
> type=AVC msg=audit(1152547081.303:3468): avc: denied { connectto }
> for pid=31220 comm="lmtp" name="lmtp"
> scontext=system_u:system_r:postfix_master_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
> type=SYSCALL msg=audit(1152547081.303:3468): arch=40000003 syscall=102
> success=no exit=-13 a0=3 a1=bffc5900 a2=f8e430 a3=f90c24 items=1
> pid=31220 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89
> egid=89 sgid=89 fsgid=89 tty=(none) comm="lmtp"
> exe="/usr/libexec/postfix/lmtp"
> subj=system_u:system_r:postfix_master_t:s0
> type=AVC_PATH msg=audit(1152547081.303:3468):
> path="/var/lib/imap/socket/lmtp"
I am not sure what lmtp is, but it looks like it does not have a domain
around it, so you will probably need to add this rule,
> type=SOCKADDR msg=audit(1152547081.303:3468):
> saddr=01002F7661722F6C69622F696D61702F736F636B65742F6C6D74700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>
> type=SOCKETCALL msg=audit(1152547081.303:3468): nargs=3 a0=b
> a1=bffc5a1c a2=6e
> type=PATH msg=audit(1152547081.303:3468): item=0 name=(null)
> inode=8585327 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:cyrus_var_lib_t:s0
>
> This is the message I get when I try to run a mail form cgi script,
> which is why I realized that I was having problems with my system
> sending mail.
>
> type=AVC msg=audit(1152547494.882:3475): avc: denied { getattr }
> for pid=31270 comm="postdrop" name="[165322]" dev=pipefs ino=165322
> scontext=user_u:system_r:postfix_postdrop_t:s0
> tcontext=user_u:system_r:httpd_t:s0 tclass=fifo_file
> type=SYSCALL msg=audit(1152547494.882:3475): arch=40000003 syscall=197
> success=no exit=-13 a0=2 a1=bfa6d7c0 a2=50aff4 a3=3 items=0 pid=31270
> auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90
> fsgid=90 tty=(none) comm="postdrop" exe="/usr/sbin/postdrop"
> subj=user_u:system_r:postfix_postdrop_t:s0
> type=AVC_PATH msg=audit(1152547494.882:3475): path="pipe:[165322]"
Not sure why postdrop wants to talk to a fifo file owned by apache?
> type=AVC msg=audit(1152547495.010:3476): avc: denied { connectto }
> for pid=31274 comm="lmtp" name="lmtp"
> scontext=system_u:system_r:postfix_master_t:s0
> tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
> type=SYSCALL msg=audit(1152547495.010:3476): arch=40000003 syscall=102
> success=no exit=-13 a0=3 a1=bffb50f0 a2=4b1430 a3=4b3c24 items=1
> pid=31274 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89
> egid=89 sgid=89 fsgid=89 tty=(none) comm="lmtp"
> exe="/usr/libexec/postfix/lmtp"
> subj=system_u:system_r:postfix_master_t:s0
> type=AVC_PATH msg=audit(1152547495.010:3476):
> path="/var/lib/imap/socket/lmtp"
> type=SOCKADDR msg=audit(1152547495.010:3476):
> saddr=01002F7661722F6C69622F696D61702F736F636B65742F6C6D74700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>
> type=SOCKETCALL msg=audit(1152547495.010:3476): nargs=3 a0=b
> a1=bffb520c a2=6e
> type=PATH msg=audit(1152547495.010:3476): item=0 name=(null)
> inode=8585327 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:cyrus_var_lib_t:s0
>
> --
I would suggest you turn off enforcing mode and generate all the AVC
messages. Then use audit2allow to generate a loadable policy module:

    audit2allow -M imtp -i /var/log/messages
    semodule -i imtp.pp

Then someone can convince me or upstream to add the policy. :^)
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
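Added example, not part of the original thread or of the audit2allow tool: a small shell rendering of the step the reply describes, so that the reader can see what a module generated from the quoted denials would actually allow before running semodule -i. The input is the three type=AVC records from the post, each joined onto one line the way the audit log stores them (constructed here from the quoted text); the function names avc_to_allow and count_initrc_targets are this example's own. The ausearch/audit2allow/semodule sequence in the leading comment assumes root on an SELinux host and is shown as a comment because it does not run offline. The check at the end rests on one fact the reply hints at: initrc_t is the domain a service is left in when it has no policy of its own, so an allow rule targeting it covers every initrc_t socket, not just the one lmtp socket in the log.

```shell
#!/bin/sh
# Pocket version of what "audit2allow -M <name>" turns AVC denials into.
#
# The real procedure from the reply (SELinux host, as root); not executed here:
#   setenforce 0                                  # permissive: log denials, block nothing
#   ... submit the CGI form, wait for a cron mail ...
#   ausearch -m avc -ts recent | audit2allow -M lmtp
#   cat lmtp.te                                   # read the rules before loading them
#   semodule -i lmtp.pp
#   setenforce 1
#
# Constructed input: the three type=AVC records quoted in the post, one per line.
SAMPLE_AVCS='type=AVC msg=audit(1152547081.303:3468): avc: denied { connectto } for pid=31220 comm="lmtp" name="lmtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1152547494.882:3475): avc: denied { getattr } for pid=31270 comm="postdrop" name="[165322]" dev=pipefs ino=165322 scontext=user_u:system_r:postfix_postdrop_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=fifo_file
type=AVC msg=audit(1152547495.010:3476): avc: denied { connectto } for pid=31274 comm="lmtp" name="lmtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket'

# avc_to_allow: read AVC records on stdin and print one deduplicated
#   allow SRC_TYPE TGT_TYPE:CLASS { perms };
# line per (source type, target type, class), the shape audit2allow writes
# into the generated .te file. Repeated denials collapse into one rule.
avc_to_allow() {
    awk '
    # type field of a context string user:role:type[:range]
    function ctx_type(field,   parts, n) {
        sub(/^[st]context=/, "", field)
        n = split(field, parts, ":")
        return parts[3]
    }
    /type=AVC / && /avc: +denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        # permissions are the words between "{" and "}"
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) src = ctx_type($i)
            else if ($i ~ /^tcontext=/) tgt = ctx_type($i)
            else if ($i ~ /^tclass=/) { cls = $i; sub(/^tclass=/, "", cls) }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if ((key, p[j]) in seen) continue
            seen[key, p[j]] = 1
            if (!(key in rules)) { keys[++count] = key; rules[key] = p[j] }
            else rules[key] = rules[key] " " p[j]
        }
    }
    END {
        for (k = 1; k <= count; k++)
            printf "allow %s { %s };\n", keys[k], rules[keys[k]]
    }'
}

# count_initrc_targets: number of generated rules whose target type is initrc_t.
# A non-zero count means the module grants access to everything in that
# catch-all domain, wider than the single lmtp socket the log shows.
count_initrc_targets() {
    awk '/ initrc_t:/ { n++ } END { print n + 0 }'
}

# Stand-alone run: show the rules, then flag the broad one.
printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow
if [ "$(printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow | count_initrc_targets)" -gt 0 ]; then
    echo "review: a rule targets initrc_t; consider giving lmtp its own domain instead" >&2
fi
```

For the quoted log this prints two rules, `allow postfix_master_t initrc_t:unix_stream_socket { connectto };` and `allow postfix_postdrop_t httpd_t:fifo_file { getattr };`, and flags the first. That is the point of reading the .te file before semodule -i: the rule does fix the denial, but it is the "does not have a domain around it" problem from the reply, not a statement that postfix_master_t should reach every initrc_t socket.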