Bug 170465 - postdrop not allowed to open tcp socket
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-10-11 19:13 EDT by Bojan Smojver
Modified: 2007-11-30 17:11 EST
Fixed In Version: 1.27.1-2.6
Doc Type: Bug Fix
Last Closed: 2005-10-18 19:01:30 EDT

Description Bojan Smojver 2005-10-11 19:13:42 EDT
Description of problem:
In this particular configuration (config file attached), postdrop is not allowed
to open a tcp_socket, which then causes it to fail and the mail never gets sent.
The e-mail is sent from IMP running on the same box, which uses sendmail (i.e.
the one from postfix) to send mail with "sendmail -oi".

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Use IMP to send mail from the system. I was unable to reproduce this by
running any commands. Suggestions welcome.

Actual results:
Opening of the tcp socket fails, by policy.

Expected results:
postdrop should be allowed to open tcp sockets (I think :-)

Additional info:
Oct 11 22:55:49 beauty postfix/postdrop[5051]: warning: inet_addr_host: skipping
address family 2: Permission denied
Oct 11 22:55:49 beauty postfix/postdrop[5051]: fatal: config variable
inet_interfaces: host not found: beauty.rexursive.com
Oct 12 08:55:50 beauty postfix/sendmail[5050]: warning: premature end-of-input
on /usr/sbin/postdrop -r while reading input attribute name
Oct 12 08:55:50 beauty postfix/sendmail[5050]: warning: command
"/usr/sbin/postdrop -r" exited with status 1

type=AVC msg=audit(1129071349.676:55828): avc:  denied  { create } for  pid=5051
comm="postdrop" scontext=system_u:system_r:postfix_postdrop_t
tcontext=system_u:system_r:postfix_postdrop_t tclass=tcp_socket
type=SYSCALL msg=audit(1129071349.676:55828): arch=40000003 syscall=102
success=no exit=-13 a0=1 a1=bfe111e0 a2=806a428 a3=9262838 items=0 pid=5051
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90
comm="postdrop" exe="/usr/sbin/postdrop"
type=SOCKETCALL msg=audit(1129071349.676:55828): nargs=3 a0=2 a1=1 a2=0
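
Added example, not part of the original bug report: a Python sketch that groups the three audit records above by their shared event serial (55828) and decodes them, showing that the denied call is socket(AF_INET, SOCK_STREAM, 0) failing with EACCES, which matches "address family 2: Permission denied" in the postfix log. The function names and constant tables are this example's own; the records are the report's, unwrapped to one line each.

```python
import errno
import re

# The three audit records from the report, unwrapped to one line each.
SAMPLE = """\
type=AVC msg=audit(1129071349.676:55828): avc:  denied  { create } for  pid=5051 comm="postdrop" scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:postfix_postdrop_t tclass=tcp_socket
type=SYSCALL msg=audit(1129071349.676:55828): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfe111e0 a2=806a428 a3=9262838 items=0 pid=5051 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 comm="postdrop" exe="/usr/sbin/postdrop"
type=SOCKETCALL msg=audit(1129071349.676:55828): nargs=3 a0=2 a1=1 a2=0
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
# Linux constant values (the log comes from a Linux host); subset for illustration.
FAMILIES = {1: "AF_UNIX", 2: "AF_INET", 10: "AF_INET6"}
SOCKTYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}

def group_events(text):
    """Group records by audit event serial; records sharing it describe one event."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, serial, body = m.groups()
        rec = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            p = PERMS.search(body)
            rec["perms"] = p.group(1).split() if p else []
        events.setdefault(serial, {})[rtype] = rec  # keeps the last record of each type
    return events

def explain(event):
    """Turn one event's AVC/SYSCALL/SOCKETCALL records into a readable summary."""
    avc, sc, sock = event["AVC"], event.get("SYSCALL", {}), event.get("SOCKETCALL", {})
    out = {"denied": avc["perms"], "tclass": avc["tclass"],
           "source_type": avc["scontext"].split(":")[2], "exe": sc.get("exe")}
    if int(sc.get("exit", "0")) < 0:
        out["errno"] = errno.errorcode.get(-int(sc["exit"]))  # exit=-13 -> EACCES
    # On i386 (arch=40000003) syscall 102 is socketcall(2); its first argument 1
    # selects socket(), whose own arguments are in the SOCKETCALL record (hex).
    if (sc.get("arch"), sc.get("syscall"), sc.get("a0")) == ("40000003", "102", "1") and sock:
        out["call"] = "socket"
        out["family"] = FAMILIES.get(int(sock["a0"], 16), sock["a0"])
        out["socktype"] = SOCKTYPES.get(int(sock["a1"], 16), sock["a1"])
    return out

if __name__ == "__main__":
    print({s: explain(e) for s, e in group_events(SAMPLE).items()})
```
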
Comment 1 Bojan Smojver 2005-10-11 19:35:47 EDT
Also worth mentioning, this used to work until 2 or 3 policy updates back. Then
postfix related problems started coming up.
Comment 2 Bojan Smojver 2005-10-13 16:33:52 EDT
BTW, is there a way to turn SELinux enforcement for Postfix only? Something like
Comment 3 Bojan Smojver 2005-10-18 19:01:30 EDT
This appears to be fixed in 1.27.1-2.6. It would be nice to have
postfix_disable_trans, however...