postfix ldap selinux (centos5)

Daniel J Walsh dwalsh at redhat.com
Tue Sep 25 19:07:45 UTC 2007


Harry Hoffman wrote:
> My apologies if this is the wrong list and there is a rhel/centos
> specific selinux list...
> 
> Trying to run postfix-2.2.3 on centos5. I'm using LDAP for maps and
> authentication.
> 
> Every time I run postqueue -p (to show the mail queue) the command times
> out.
> 
> The following messages are logged in /var/log/maillog:
> Sep 25 14:50:03 mail1 postfix/showq[9842]: nss_ldap: failed to bind to LDAP server ldap://localhost/: Can't contact LDAP server
> Sep 25 14:50:03 mail1 postfix/showq[9842]: nss_ldap: failed to bind to LDAP server ldap://localhost/: Can't contact LDAP server
> Sep 25 14:50:03 mail1 postfix/showq[9842]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
> Sep 25 14:50:07 mail1 postfix/showq[9842]: nss_ldap: failed to bind to LDAP server ldap://localhost/: Can't contact LDAP server
> 
> 
> The following AVCs show up in /var/log/audit/audit.log:
> 
> type=AVC msg=audit(1190746203.204:2162): avc:  denied  { create } for  pid=9842 comm="showq" scontext=root:system_r:postfix_showq_t:s0 tcontext=root:system_r:postfix_showq_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1190746203.204:2162): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfb679e4 a2=484ff4 a3=bfb67c61 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
> type=AVC msg=audit(1190746203.204:2163): avc:  denied  { name_connect } for  pid=9842 comm="showq" dest=389 scontext=root:system_r:postfix_showq_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1190746203.204:2163): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb67b10 a2=1251b18 a3=973d6a0 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
> type=AVC msg=audit(1190746203.204:2164): avc:  denied  { create } for  pid=9842 comm="showq" scontext=root:system_r:postfix_showq_t:s0 tcontext=root:system_r:postfix_showq_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1190746203.204:2164): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfb679e4 a2=484ff4 a3=bfb67c61 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
> type=AVC msg=audit(1190746203.204:2165): avc:  denied  { name_connect } for  pid=9842 comm="showq" dest=389 scontext=root:system_r:postfix_showq_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1190746203.204:2165): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb67b10 a2=1251b18 a3=9755b90 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
> type=AVC msg=audit(1190746207.205:2166): avc:  denied  { create } for  pid=9842 comm="showq" scontext=root:system_r:postfix_showq_t:s0 tcontext=root:system_r:postfix_showq_t:s0 tclass=netlink_route_socket
> type=SYSCALL msg=audit(1190746207.205:2166): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfb679e4 a2=484ff4 a3=bfb67c61 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
> type=AVC msg=audit(1190746207.205:2167): avc:  denied  { name_connect } for  pid=9842 comm="showq" dest=389 scontext=root:system_r:postfix_showq_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1190746207.205:2167): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb67b10 a2=1251b18 a3=973d660 items=0 ppid=9835 pid=9842 auid=0 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) comm="showq" exe="/usr/libexec/postfix/showq" subj=root:system_r:postfix_showq_t:s0 key=(null)
> 
Please try the u1 policy, preview available on

http://people.redhat.com/dwalsh/SELinux/RHEL5

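The denials quoted in this thread, reduced to distinct source/target/class/permission tuples in the notation audit2allow prints. This is an added example, not part of the original messages or of Red Hat's policy; the sample records are constructed from the quoted audit log (one SYSCALL record abbreviated) and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: AVC records from the thread, unwrapped, plus one
# abbreviated SYSCALL record that the parser must skip.
SAMPLE = """\
type=AVC msg=audit(1190746203.204:2162): avc:  denied  { create } for  pid=9842 comm="showq" scontext=root:system_r:postfix_showq_t:s0 tcontext=root:system_r:postfix_showq_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1190746203.204:2163): avc:  denied  { name_connect } for  pid=9842 comm="showq" dest=389 scontext=root:system_r:postfix_showq_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1190746203.204:2163): arch=40000003 syscall=102 success=no exit=-13 comm="showq"
type=AVC msg=audit(1190746207.205:2167): avc:  denied  { name_connect } for  pid=9842 comm="showq" dest=389 scontext=root:system_r:postfix_showq_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+"
                    r"\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type[:level]; the type is the third field.
    return {"perms": m.group("perms").split(),
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"]}

def summarize(text):
    """Count distinct (source, target, class, permission) denials."""
    counts = Counter()
    for avc in filter(None, map(parse_avc, text.splitlines())):
        # audit2allow writes "self" when source and target types match.
        target = "self" if avc["target"] == avc["source"] else avc["target"]
        for perm in avc["perms"]:
            counts[(avc["source"], target, avc["tclass"], perm)] += 1
    return counts

def as_rules(counts):
    """Render the summary in allow-rule notation with occurrence counts."""
    return [f"allow {s} {t}:{c} {p};  # denied {n}x"
            for (s, t, c, p), n in sorted(counts.items())]

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE))))
```

The summary shows that the repeated records come down to two distinct accesses by `postfix_showq_t`: creating a netlink route socket and connecting to the LDAP port.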



