Bug 428039
Summary: | postgrey policy is not working | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Nils Philippsen <nphilipp> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | 8 | CC: | fedora |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2008-11-17 22:02:48 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Nils Philippsen
2008-01-08 21:08:38 UTC
You can allow this for now by executing # audit2allow -M mypol -i /var/log/audit/audit.log # semodule -i mypol.pp Fixed in selinux-policy-3.0.8-75.fc8 Looks like it's not quite fixed with selinux-policy-targeted-3.0.8-76.fc8 from updates-testing: Jan 18 10:52:40 wombat setroubleshoot: #012 SELinux is preventing postgrey (p ostgrey_t) "ioctl" to /etc/postfix/postgrey_whitelist_clients (postfix_etc_t).#0 12 For complete SELinux messages. run sealert -l 2b0ee89e-5d32-4aac-9355-486 c7afdd53c Jan 18 10:52:40 wombat setroubleshoot: #012 SELinux is preventing postgrey (postgrey_t) "ioctl" to /etc/postfix/postgrey_whitelist_clients.local (postfix_etc_t).#012 For complete SELinux messages. run sealert -l 6cb980d0-12d0-4e8c-b27a-cd911f9a24d5 Jan 18 10:52:40 wombat setroubleshoot: #012 SELinux is preventing postgrey (postgrey_t) "ioctl" to /etc/postfix/postgrey_whitelist_recipients (postfix_etc_t).#012 For complete SELinux messages. run sealert -l 0a57fd40-9b61-43d4-bb82-e1dae06add26 Jan 18 10:52:40 wombat setroubleshoot: #012 SELinux is preventing postgrey (postgrey_t) "write" to <Unknown> (postfix_spool_t).#012 For complete SELinux messages. run sealert -l 6a34e53e-75bb-4cee-83b2-253532818011 raw audit messages: avc: denied { ioctl } for comm=postgrey dev=dm-0 egid=0 euid=0 exe=/usr/bin/perl exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/etc/postfix/postgrey_whitelist_clients pid=31854 scontext=unconfined_u:system_r:postgrey_t:s0 sgid=0 subj=unconfined_u:system_r:postgrey_t:s0 suid=0 tclass=file tcontext=system_u:object_r:postfix_etc_t:s0 tty=pts5 uid=0 avc: denied { ioctl } for comm=postgrey dev=dm-0 path=/etc/postfix/postgrey_whitelist_clients.local pid=31854 scontext=unconfined_u:system_r:postgrey_t:s0 tclass=file tcontext=system_u:object_r:postfix_etc_t:s0 avc: denied { ioctl } for comm=postgrey dev=dm-0 path=/etc/postfix/postgrey_whitelist_recipients pid=31854 scontext=unconfined_u:system_r:postgrey_t:s0 tclass=file tcontext=system_u:object_r:postfix_etc_t:s0 avc: denied { write } for comm=postgrey dev=dm-3 name=postgrey pid=31855 scontext=unconfined_u:system_r:postgrey_t:s0 tclass=dir tcontext=system_u:object_r:postfix_spool_t:s0 Is postgrey trying to write to /etc/postfix/postgrey_whitelist_recipients and /var/spool/postfix? Quick workaround to get postgrey up and running in F8. Summary: Do not use unix socket for postgrey, use inet ports instead. Procedure: 1. In the file /etc/init.d/postgrey: comment out the original OPTIONS line continaing --unix=$SOCKET, and add --inet=127.0.0.1:60000: #OPTIONS="--unix=$SOCKET" OPTIONS="--inet=127.0.0.1:60000" 2. Open port 60000 in the firewall. Please be careful if your machine is exposed to the net. 3. In the file /etc/postfix/main.cf: add ''check_policy_service inet:127.0.0.1:60000'' to ''smtpd_recipient_restrictions'' smtpd_recipient_restrictions = permit_mynetworks,check_policy_service inet:127.0.0.1:60000,[<other flags...>] 4. Restart postgrey and postfix. Comments: SELinux prevents the use of sockets for postgrey. It would be preferable to use sockets on a local machine. For am inet solution, it would be preferable to use a TLS connection. /Jarl Jarl, please open a separate bugzilla along with the AVC messages you are seeing. Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed. |