Bug 170465
| Summary: | postdrop not allowed to open tcp socket | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Bojan Smojver <bojan> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | 1.27.1-2.6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-10-18 23:01:30 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Also worth mentioning, this used to work until 2 or 3 policy updates back. Then postfix related problems started coming up. BTW, is there a way to turn SELinux enforcement for Postfix only? Something like postfix_disable_trans? This appears to be fixed in 1.27.1-2.6. It would be nice to have postfix_disable_trans, however... |
Description of problem: In this particular configuration (config file attached), postdrop is not allowed to open a tcp_socket, which then causes it to fail and the mail never gets sent. The e-mail is sent from IMP running on the same box, which users sendmail (i.e. the one from postfix) to send mail with "sendmail -oi". Version-Release number of selected component (if applicable): 1.27.1-2.3 How reproducible: Always. Steps to Reproduce: 1. Use IMP to send mail from the system. I was unable to reproduce this by running any commands. Suggestions welcome. Actual results: Opening of the tcp socket fails, by policy. Expected results: postdrop should be allowed to open tcp sockets (I think :-) Additional info: maillog: --------------------------------- Oct 11 22:55:49 beauty postfix/postdrop[5051]: warning: inet_addr_host: skipping address family 2: Permission denied Oct 11 22:55:49 beauty postfix/postdrop[5051]: fatal: config variable inet_interfaces: host not found: beauty.rexursive.com Oct 12 08:55:50 beauty postfix/sendmail[5050]: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name Oct 12 08:55:50 beauty postfix/sendmail[5050]: warning: command "/usr/sbin/postdrop -r" exited with status 1 --------------------------------- audit.log --------------------------------- type=AVC msg=audit(1129071349.676:55828): avc: denied { create } for pid=5051 comm="postdrop" scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:postfix_postdrop_t tclass=tcp_socket type=SYSCALL msg=audit(1129071349.676:55828): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfe111e0 a2=806a428 a3=9262838 items=0 pid=5051 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 comm="postdrop" exe="/usr/sbin/postdrop" type=SOCKETCALL msg=audit(1129071349.676:55828): nargs=3 a0=2 a1=1 a2=0 ---------------------------------