171406 – Postfix can't access Saslauthd socket

Bug 171406 - Postfix can't access Saslauthd socket

Summary: Postfix can't access Saslauthd socket

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	4
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-10-21 15:57 UTC by Ben Carner
Modified:	2007-11-30 22:11 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2006-05-05 15:02:10 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Ben Carner 2005-10-21 15:57:42 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc3 Firefox/1.0.7

Description of problem:
Postfix is not able to authenticate using cyrus-sasl because selinux policy denies access to the mux socket.

Version-Release number of selected component (if applicable):
postfix-2.2.2-2, cyrus-sasl-2.1.20-5, selinux-policy-targeted-1.27.1-2.6

How reproducible:
Always

Steps to Reproduce:
1. Setup SMTP AUTH (I followed instructions here: http://postfix.state-of-mind.de/patrick.koetter/smtpauth/ but used the existing RPMs provided with Fedora Core.
2. Attempt to authenticate
3. Check audit.log (I used audit2why) and see that it denies access to mux.
  

Actual Results:  SMTP AUTH fails because it is not able to access the saslauthd daemon.

Expected Results:  It should have been able to authenticate and send my e-mail.

Additional info:

I have worked around it by customizing my SELinux policy, but next time a policy is released, it will break my changes.

Comment 1 Thomas Woerner 2005-11-10 09:59:55 UTC

This is no prostfix problem, assigning to selinux-prolicy-targeted.

Comment 2 Daniel Walsh 2005-11-30 21:26:57 UTC

Fixed in selinux-policy-targeted-1.27.1-2.14

Comment 3 Ben Carner 2005-12-08 23:16:23 UTC

Still no worky. Now it is denying write for the mux socket to the postfix daemon.

This is what shows up in my audit.log:

type=AVC msg=audit(1134082992.536:6821): avc:  denied  { write } for  pid=29186
comm="smtpd" name="mux" dev=dm-0 ino=113
0952 scontext=system_u:system_r:postfix_smtpd_t
tcontext=system_u:object_r:var_run_t tclass=sock_file
type=SYSCALL msg=audit(1134082992.536:6821): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf8f5bd0 a2=5b6228 a3
=bf8f5c34 items=1 pid=29186 auid=4294967295 uid=89 gid=89 euid=89 suid=89
fsuid=89 egid=89 sgid=89 fsgid=89 comm="smtpd"
 exe="/usr/libexec/postfix/smtpd"
type=SOCKADDR msg=audit(1134082992.536:6821):
saddr=01002F7661722F72756E2F7361736C61757468642F6D757800000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000
type=SOCKETCALL msg=audit(1134082992.536:6821): nargs=3 a0=10 a1=bf8f801a a2=6e
type=PATH msg=audit(1134082992.536:6821): item=0 flags=1  inode=1130952
dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00

And this is what audit2allow says should be added:

allow postfix_smtpd_t var_run_t:sock_file write;

Comment 5 Daniel Walsh 2006-05-05 15:02:10 UTC

Closing as these have been marked as modified, for a while.  Feel free to reopen
if not fixed

Comment 6 Ben Carner 2006-05-09 16:10:26 UTC

Just tested again and it is working as of selinux-policy-targeted-1.27.1-2.28

Note You need to log in before you can comment on or make changes to this bug.