Bug 1883831

Summary: SELinux policy denies postfix's bind to 389ds/ldap unix domain sockets
Product: Red Hat Enterprise Linux 8 Reporter: Graham Leggett <minfrin>
Component: postfixAssignee: Jaroslav Škarvada <jskarvad>
Status: CLOSED WONTFIX QA Contact: František Hrdina <fhrdina>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.4CC: fhrdina
Target Milestone: rcKeywords: Reopened, SELinux
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-09-30 07:27:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Graham Leggett 2020-09-30 11:06:10 UTC 
Description of problem:

SELinux policy prevents postfix to contact 389ds ever a unix domain socket.

Version-Release number of selected component (if applicable):

postfix-3.3.1-12

How reproducible:

Always

Steps to Reproduce:
1. Tell postfix to bind to an LDAP server over a unix domain socket as follows:

server_host = ldapi://%2fvar%2frun%2fslapd-gatekeeper.socket

2. Start postfix
3.

Actual results:

Postfix fails to connect to LDAP server, with permission denied from selinux:

type=AVC msg=audit(1601463793.905:17140): avc:  denied  { write } for  pid=14790 comm="cleanup" name="slapd-gatekeeper.socket" dev="tmpfs" ino=31217 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=sock_file permissive=0

Expected results:

SELinux works properly, postfix succeeds in contacting LDAP server.

Additional info:
Comment 2 RHEL Program Management 2022-03-30 07:27:28 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
Comment 3 Graham Leggett 2022-03-30 08:30:47 UTC 
Looks like your bot auto-closed a lot of tickets.

This is trivial to fix, please sort it out.
Comment 6 RHEL Program Management 2022-09-30 07:27:54 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.