SMTP-AUTH

John Griffiths fedora01 at grifent.com
Thu Nov 1 14:58:19 UTC 2007


I am trying to use dovecot with postfix to provide smtp-auth. The 
instructions provided by postfix http://www.postfix.org/SASL_README.html 
work perfectly in Fedora Core 6.

Using the exact same procedure in Fedora 7 results in some conflicts 
between dovecot_auth_t and postfix_private_t. Since using Dovecot for 
SASL smtp-auth is the preferred way according to Postfix, I suspect 
there must be something I am missing or maybe there is an oversight in 
the policies.

Using sealert -l on the denial for dovecot results in:

    Summary
        SELinux is preventing /usr/libexec/dovecot/dovecot-auth (dovecot_auth_t)
        "write" to auth (postfix_private_t).

    Detailed Description
        SELinux denied access requested by /usr/libexec/dovecot/dovecot-auth. It is
        not expected that this access is required by /usr/libexec/dovecot/dovecot-auth
        and this access may signal an intrusion attempt. It is also possible that the
        specific version or configuration of the application is causing it to require
        additional access.

    Allowing Access
        Sometimes labeling problems can cause SELinux denials.  You could try to
        restore the default system file context for auth, restorecon -v auth If this
        does not work, there is currently no automatic way to allow this access.
        Instead,  you can generate a local policy module to allow this access - see
        http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
        SELinux protection altogether. Disabling SELinux protection is not
        recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
        against this package.

    Additional Information

    Source Context                system_u:system_r:dovecot_auth_t
    Target Context                root:object_r:postfix_private_t
    Target Objects                auth [ sock_file ]
    Affected RPM Packages         dovecot-1.0.5-15.fc7 [application]
    Policy RPM                    selinux-policy-2.6.4-48.fc7
    Selinux Enabled               True
    Policy Type                   targeted
    MLS Enabled                   True
    Enforcing Mode                Enforcing
    Plugin Name                   plugins.catchall_file
    Host Name                     gei.internal.grifent.com
    Platform                      Linux gei.internal.grifent.com 2.6.23.1-10.fc7 #1
                                  SMP Fri Oct 19 15:39:08 EDT 2007 i686 i686
    Alert Count                   2
    First Seen                    Wed Oct 31 03:39:55 2007
    Last Seen                     Wed Oct 31 11:55:12 2007
    Local ID                      8b0a6068-b654-4151-b82e-c149d3b9d57b
    Line Numbers

    Raw Audit Messages

    avc: denied { write } for comm="dovecot-auth" dev=dm-0 egid=0 euid=0
    exe="/usr/libexec/dovecot/dovecot-auth" exit=-13 fsgid=0 fsuid=0
    gid=0 items=0
    name="auth" pid=2545 scontext=system_u:system_r:dovecot_auth_t:s0 sgid=0
    subj=system_u:system_r:dovecot_auth_t:s0 suid=0 tclass=sock_file
    tcontext=root:object_r:postfix_private_t:s0 tty=(none) uid=0

Dovecot writes a socket to /var/spool/postfix/private/auth with 
permissions of 660. This is done when dovecot starts and on FC6, the 
file is transitioned to be owned by postfix with a group of postfix. The 
transition of owner/group does not happen on Fedora 7.

The auth socket is necessary to do smtp-auth.

Did I miss something in the configuration on Fedora 7?

Regards,
John
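
As an added example (not part of the original post): a small Python parser for the raw audit message quoted above. It extracts the source type, target type, object class and permission, and prints the type-enforcement rule a local policy module would have to contain, so the requested access can be reviewed before anything is allowed. The sample input is the post's AVC record; the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: the raw audit message from the post, wrapped lines kept as posted.
SAMPLE = """\
avc: denied { write } for comm="dovecot-auth" dev=dm-0 egid=0 euid=0
exe="/usr/libexec/dovecot/dovecot-auth" exit=-13 fsgid=0 fsuid=0
gid=0 items=0
name="auth" pid=2545 scontext=system_u:system_r:dovecot_auth_t:s0 sgid=0
subj=system_u:system_r:dovecot_auth_t:s0 suid=0 tclass=sock_file
tcontext=root:object_r:postfix_private_t:s0 tty=(none) uid=0
"""

# One record runs from "avc: denied" to the next record or end of input.
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*?)(?=avc:\s+denied|\Z)", re.S)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Return one dict per denial: permissions plus every key=value field."""
    denials = []
    for perms, rest in AVC_RE.findall(text):
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        fields["perms"] = perms.split()
        denials.append(fields)
    return denials

def selinux_type(context):
    """Third colon-separated part of user:role:type[:level]."""
    return context.split(":")[2]

def candidate_rules(denials):
    """Group denials by (source type, target type, class) into allow rules."""
    grouped = defaultdict(set)
    for d in denials:
        key = (selinux_type(d["scontext"]), selinux_type(d["tcontext"]), d["tclass"])
        grouped[key].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(parse_avc(SAMPLE)):
        print(rule)
```

The printed rule only restates the access that was denied; whether to grant it in a local module or to fix the socket's label instead is a separate policy decision.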