Bug 170465 – postdrop not allowed to open tcp socket

Bug 170465 - postdrop not allowed to open tcp socket

Summary:	postdrop not allowed to open tcp socket

Status:	CLOSED CURRENTRELEASE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted (Show other bugs)
Sub Component:
Version:	4
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Daniel Walsh
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2005-10-11 19:13 EDT by Bojan Smojver
Modified:	2007-11-30 17:11 EST (History)
CC List:	0 users

See Also:
Fixed In Version:	1.27.1-2.6
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2005-10-18 19:01:30 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Bojan Smojver 2005-10-11 19:13:42 EDT

Description of problem:
In this particular configuration (config file attached), postdrop is not allowed
to open a tcp_socket, which then causes it to fail and the mail never gets sent.
The e-mail is sent from IMP running on the same box, which users sendmail (i.e.
the one from postfix) to send mail with "sendmail -oi".


Version-Release number of selected component (if applicable):
1.27.1-2.3

How reproducible:
Always.

Steps to Reproduce:
1. Use IMP to send mail from the system. I was unable to reproduce this by
running any commands. Suggestions welcome.
  
Actual results:
Opening of the tcp socket fails, by policy.


Expected results:
postdrop should be allowed to open tcp sockets (I think :-)

Additional info:
maillog:
---------------------------------
Oct 11 22:55:49 beauty postfix/postdrop[5051]: warning: inet_addr_host: skipping
address family 2: Permission denied
Oct 11 22:55:49 beauty postfix/postdrop[5051]: fatal: config variable
inet_interfaces: host not found: beauty.rexursive.com
Oct 12 08:55:50 beauty postfix/sendmail[5050]: warning: premature end-of-input
on /usr/sbin/postdrop -r while reading input attribute name
Oct 12 08:55:50 beauty postfix/sendmail[5050]: warning: command
"/usr/sbin/postdrop -r" exited with status 1
---------------------------------

audit.log
---------------------------------
type=AVC msg=audit(1129071349.676:55828): avc:  denied  { create } for  pid=5051
comm="postdrop" scontext=system_u:system_r:postfix_postdrop_t
tcontext=system_u:system_r:postfix_postdrop_t tclass=tcp_socket
type=SYSCALL msg=audit(1129071349.676:55828): arch=40000003 syscall=102
success=no exit=-13 a0=1 a1=bfe111e0 a2=806a428 a3=9262838 items=0 pid=5051
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90
comm="postdrop" exe="/usr/sbin/postdrop"
type=SOCKETCALL msg=audit(1129071349.676:55828): nargs=3 a0=2 a1=1 a2=0
---------------------------------

Comment 1 Bojan Smojver 2005-10-11 19:35:47 EDT

Also worth mentioning, this used to work until 2 or 3 policy updates back. Then
postfix related problems started coming up.

Comment 2 Bojan Smojver 2005-10-13 16:33:52 EDT

BTW, is there a way to turn SELinux enforcement for Postfix only? Something like
postfix_disable_trans?

Comment 3 Bojan Smojver 2005-10-18 19:01:30 EDT

This appears to be fixed in 1.27.1-2.6. It would be nice to have
postfix_disable_trans, however...

Note You need to log in before you can comment on or make changes to this bug.