170465 – postdrop not allowed to open tcp socket

Bug 170465 - postdrop not allowed to open tcp socket

Summary: postdrop not allowed to open tcp socket

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	4
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-10-11 23:13 UTC by Bojan Smojver
Modified:	2007-11-30 22:11 UTC (History)
CC List:	0 users
Fixed In Version:	1.27.1-2.6
Clone Of:
Environment:
Last Closed:	2005-10-18 23:01:30 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Bojan Smojver 2005-10-11 23:13:42 UTC

Description of problem:
In this particular configuration (config file attached), postdrop is not allowed
to open a tcp_socket, which then causes it to fail and the mail never gets sent.
The e-mail is sent from IMP running on the same box, which users sendmail (i.e.
the one from postfix) to send mail with "sendmail -oi".


Version-Release number of selected component (if applicable):
1.27.1-2.3

How reproducible:
Always.

Steps to Reproduce:
1. Use IMP to send mail from the system. I was unable to reproduce this by
running any commands. Suggestions welcome.
  
Actual results:
Opening of the tcp socket fails, by policy.


Expected results:
postdrop should be allowed to open tcp sockets (I think :-)

Additional info:
maillog:
---------------------------------
Oct 11 22:55:49 beauty postfix/postdrop[5051]: warning: inet_addr_host: skipping
address family 2: Permission denied
Oct 11 22:55:49 beauty postfix/postdrop[5051]: fatal: config variable
inet_interfaces: host not found: beauty.rexursive.com
Oct 12 08:55:50 beauty postfix/sendmail[5050]: warning: premature end-of-input
on /usr/sbin/postdrop -r while reading input attribute name
Oct 12 08:55:50 beauty postfix/sendmail[5050]: warning: command
"/usr/sbin/postdrop -r" exited with status 1
---------------------------------

audit.log
---------------------------------
type=AVC msg=audit(1129071349.676:55828): avc:  denied  { create } for  pid=5051
comm="postdrop" scontext=system_u:system_r:postfix_postdrop_t
tcontext=system_u:system_r:postfix_postdrop_t tclass=tcp_socket
type=SYSCALL msg=audit(1129071349.676:55828): arch=40000003 syscall=102
success=no exit=-13 a0=1 a1=bfe111e0 a2=806a428 a3=9262838 items=0 pid=5051
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90
comm="postdrop" exe="/usr/sbin/postdrop"
type=SOCKETCALL msg=audit(1129071349.676:55828): nargs=3 a0=2 a1=1 a2=0
---------------------------------

Comment 1 Bojan Smojver 2005-10-11 23:35:47 UTC

Also worth mentioning, this used to work until 2 or 3 policy updates back. Then
postfix related problems started coming up.

Comment 2 Bojan Smojver 2005-10-13 20:33:52 UTC

BTW, is there a way to turn SELinux enforcement for Postfix only? Something like
postfix_disable_trans?

Comment 3 Bojan Smojver 2005-10-18 23:01:30 UTC

This appears to be fixed in 1.27.1-2.6. It would be nice to have
postfix_disable_trans, however...

Note You need to log in before you can comment on or make changes to this bug.