Bug 171406 - Postfix can't access Saslauthd socket
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386 Linux
Priority: medium, Severity: high
Assigned To: Daniel Walsh
Reported: 2005-10-21 11:57 EDT by Ben Carner
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-05-05 11:02:10 EDT
Description Ben Carner 2005-10-21 11:57:42 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc3 Firefox/1.0.7

Description of problem:
Postfix is not able to authenticate using cyrus-sasl because selinux policy denies access to the mux socket.

Version-Release number of selected component (if applicable):
postfix-2.2.2-2, cyrus-sasl-2.1.20-5, selinux-policy-targeted-1.27.1-2.6

How reproducible:
Always

Steps to Reproduce:
1. Set up SMTP AUTH (I followed instructions here: http://postfix.state-of-mind.de/patrick.koetter/smtpauth/ but used the existing RPMs provided with Fedora Core).
2. Attempt to authenticate
3. Check audit.log (I used audit2why) and see that it denies access to mux.
  

Actual Results:  SMTP AUTH fails because it is not able to access the saslauthd daemon.

Expected Results:  It should have been able to authenticate and send my e-mail.

Additional info:

I have worked around it by customizing my SELinux policy, but next time a policy is released, it will break my changes.
Comment 1 Thomas Woerner 2005-11-10 04:59:55 EST
This is no postfix problem, assigning to selinux-policy-targeted.
Comment 2 Daniel Walsh 2005-11-30 16:26:57 EST
Fixed in selinux-policy-targeted-1.27.1-2.14
Comment 3 Ben Carner 2005-12-08 18:16:23 EST
Still no worky. Now it is denying write for the mux socket to the postfix daemon.

This is what shows up in my audit.log:

type=AVC msg=audit(1134082992.536:6821): avc:  denied  { write } for  pid=29186 comm="smtpd" name="mux" dev=dm-0 ino=1130952 scontext=system_u:system_r:postfix_smtpd_t tcontext=system_u:object_r:var_run_t tclass=sock_file
type=SYSCALL msg=audit(1134082992.536:6821): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf8f5bd0 a2=5b6228 a3=bf8f5c34 items=1 pid=29186 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 comm="smtpd" exe="/usr/libexec/postfix/smtpd"
type=SOCKADDR msg=audit(1134082992.536:6821): saddr=01002F7661722F72756E2F7361736C61757468642F6D75780000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1134082992.536:6821): nargs=3 a0=10 a1=bf8f801a a2=6e
type=PATH msg=audit(1134082992.536:6821): item=0 flags=1  inode=1130952 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00

And this is what audit2allow says should be added:

allow postfix_smtpd_t var_run_t:sock_file write;
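
The denial in the comment above, worked through as an added example (not part of the original report, and not audit2allow's own code): it decodes the SOCKADDR record to the socket path smtpd tried to connect to and derives the same allow rule from the AVC record's context types. The function names are made up for this example; the record values are the ones posted above.

```python
import re

# Records from comment 3 above, rejoined onto single lines.
AVC = ('type=AVC msg=audit(1134082992.536:6821): avc:  denied  { write } for  '
       'pid=29186 comm="smtpd" name="mux" dev=dm-0 ino=1130952 '
       'scontext=system_u:system_r:postfix_smtpd_t '
       'tcontext=system_u:object_r:var_run_t tclass=sock_file')
# saddr from the SOCKADDR record: 24 bytes of data, NUL-padded to the
# 110 bytes given by a2=6e in the SOCKETCALL record.
SADDR = "01002F7661722F72756E2F7361736C61757468642F6D7578" + "00" * 86

def parse_avc(record):
    """Return the key=value fields of an AVC denial plus its permission list."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", record)
    if m is None:
        raise ValueError("not an AVC denial")
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', record)
    fields = {key: value.strip('"') for key, value in pairs}
    fields["perms"] = m.group(1).split()
    return fields

def decode_unix_saddr(hex_saddr):
    """Decode an AF_UNIX sockaddr logged by auditd into its filesystem path."""
    raw = bytes.fromhex(hex_saddr)
    family = int.from_bytes(raw[:2], "little")  # host byte order on i386
    if family != 1:  # 1 == AF_UNIX
        raise ValueError(f"unexpected address family {family}")
    return raw[2:].split(b"\0", 1)[0].decode()

def allow_rule(fields):
    """Build an allow rule from the type (third) component of each context."""
    source_type = fields["scontext"].split(":")[2]
    target_type = fields["tcontext"].split(":")[2]
    perms = fields["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {source_type} {target_type}:{fields['tclass']} {perm_str};"

if __name__ == "__main__":
    print(decode_unix_saddr(SADDR))     # socket path smtpd tried to reach
    print(allow_rule(parse_avc(AVC)))   # rule matching the audit2allow output
```

Because the rule is keyed on types, it covers every sock_file labelled var_run_t, not only the saslauthd socket.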
Comment 5 Daniel Walsh 2006-05-05 11:02:10 EDT
Closing as these have been marked as modified, for a while.  Feel free to reopen
if not fixed
Comment 6 Ben Carner 2006-05-09 12:10:26 EDT
Just tested again and it is working as of selinux-policy-targeted-1.27.1-2.28