Bug 171406

Summary: Postfix can't access Saslauthd socket
Product: [Fedora] Fedora
Reporter: Ben Carner <kwalker>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
Severity: high
Priority: medium
Version: 4
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-05-05 15:02:10 UTC

Description Ben Carner 2005-10-21 15:57:42 UTC

Description of problem:
Postfix is not able to authenticate using cyrus-sasl because selinux policy denies access to the mux socket.

Version-Release number of selected component (if applicable):
postfix-2.2.2-2, cyrus-sasl-2.1.20-5, selinux-policy-targeted-1.27.1-2.6

How reproducible:
Always

Steps to Reproduce:
1. Set up SMTP AUTH (I followed the instructions here: http://postfix.state-of-mind.de/patrick.koetter/smtpauth/ but used the existing RPMs provided with Fedora Core).
2. Attempt to authenticate
3. Check audit.log (I used audit2why) and see that it denies access to mux.
  

Actual Results:  SMTP AUTH fails because it is not able to access the saslauthd daemon.

Expected Results:  It should have been able to authenticate and send my e-mail.

Additional info:

I have worked around it by customizing my SELinux policy, but next time a policy is released, it will break my changes.

Comment 1 Thomas Woerner 2005-11-10 09:59:55 UTC
This is not a postfix problem; assigning to selinux-policy-targeted.

Comment 2 Daniel Walsh 2005-11-30 21:26:57 UTC
Fixed in selinux-policy-targeted-1.27.1-2.14

Comment 3 Ben Carner 2005-12-08 23:16:23 UTC
Still no worky. Now it is denying write for the mux socket to the postfix daemon.

This is what shows up in my audit.log:

type=AVC msg=audit(1134082992.536:6821): avc:  denied  { write } for  pid=29186 comm="smtpd" name="mux" dev=dm-0 ino=1130952 scontext=system_u:system_r:postfix_smtpd_t tcontext=system_u:object_r:var_run_t tclass=sock_file
type=SYSCALL msg=audit(1134082992.536:6821): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf8f5bd0 a2=5b6228 a3=bf8f5c34 items=1 pid=29186 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 comm="smtpd" exe="/usr/libexec/postfix/smtpd"
type=SOCKADDR msg=audit(1134082992.536:6821): saddr=01002F7661722F72756E2F7361736C61757468642F6D75780000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1134082992.536:6821): nargs=3 a0=10 a1=bf8f801a a2=6e
type=PATH msg=audit(1134082992.536:6821): item=0 flags=1  inode=1130952 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00

And this is what audit2allow says should be added:

allow postfix_smtpd_t var_run_t:sock_file write;
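
Added example (not part of the original report or of audit2allow): a small parser that correlates the AVC and SOCKADDR records from the log above by event id, decodes the hex saddr into the socket path, and rebuilds the allow rule. The function names are hypothetical, the sample is constructed from the records in the comment, and a little-endian host (i386, as in the log) is assumed.

```python
import re

# Constructed sample: the AVC and SOCKADDR records quoted in the comment above,
# re-joined onto single lines (the saddr zero padding is written as 86 zero bytes).
SAMPLE = (
    'type=AVC msg=audit(1134082992.536:6821): avc:  denied  { write } for  pid=29186 '
    'comm="smtpd" name="mux" dev=dm-0 ino=1130952 scontext=system_u:system_r:postfix_smtpd_t '
    'tcontext=system_u:object_r:var_run_t tclass=sock_file\n'
    'type=SOCKADDR msg=audit(1134082992.536:6821): '
    'saddr=01002F7661722F72756E2F7361736C61757468642F6D7578' + '00' * 86 + '\n'
)
EVENT_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s+\{([^}]*)\}")

def parse_events(text):
    """Group audit records by event id: {event_id: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        perms = PERMS_RE.search(body)
        if perms:
            fields["perms"] = perms.group(1).split()
        events.setdefault(event_id, {})[rtype] = fields
    return events

def decode_unix_saddr(saddr_hex):
    """Return the path from a hex-encoded sockaddr_un, or None if not AF_UNIX."""
    raw = bytes.fromhex(saddr_hex)
    if len(raw) < 3 or int.from_bytes(raw[:2], "little") != 1:  # AF_UNIX == 1
        return None
    return raw[2:].split(b"\x00", 1)[0].decode("utf-8", "replace")

def explain_denials(text):
    """For each denied AVC event, report the process, socket path and allow rule."""
    out = []
    for event_id, recs in parse_events(text).items():
        avc = recs.get("AVC")
        if not avc or "perms" not in avc:
            continue
        src, tgt = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
        perms = avc["perms"]
        perm_s = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        saddr = recs.get("SOCKADDR", {}).get("saddr")
        out.append({"event": event_id, "comm": avc.get("comm"),
                    "path": decode_unix_saddr(saddr) if saddr else None,
                    "rule": f"allow {src} {tgt}:{avc['tclass']} {perm_s};"})
    return out
```

Calling `explain_denials(SAMPLE)` ties the denial to `/var/run/saslauthd/mux`. The rebuilt rule is keyed on SELinux types, so it covers every sock_file labelled var_run_t, not only that path.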

Comment 5 Daniel Walsh 2006-05-05 15:02:10 UTC
Closing as these have been marked as modified, for a while.  Feel free to reopen
if not fixed

Comment 6 Ben Carner 2006-05-09 16:10:26 UTC
Just tested again and it is working as of selinux-policy-targeted-1.27.1-2.28