Bug 171406 - Postfix can't access Saslauthd socket
Summary: Postfix can't access Saslauthd socket
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386
OS: Linux
medium
high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-10-21 15:57 UTC by Ben Carner
Modified: 2007-11-30 22:11 UTC (History)
0 users

(edit)
Clone Of:
(edit)
Last Closed: 2006-05-05 15:02:10 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Ben Carner 2005-10-21 15:57:42 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc3 Firefox/1.0.7

Description of problem:
Postfix is not able to authenticate using cyrus-sasl because selinux policy denies access to the mux socket.

Version-Release number of selected component (if applicable):
postfix-2.2.2-2, cyrus-sasl-2.1.20-5, selinux-policy-targeted-1.27.1-2.6

How reproducible:
Always

Steps to Reproduce:
1. Setup SMTP AUTH (I followed instructions here: http://postfix.state-of-mind.de/patrick.koetter/smtpauth/ but used the existing RPMs provided with Fedora Core.
2. Attempt to authenticate
3. Check audit.log (I used audit2why) and see that it denies access to mux.
  

Actual Results:  SMTP AUTH fails because it is not able to access the saslauthd daemon.

Expected Results:  It should have been able to authenticate and send my e-mail.

Additional info:

I have worked around it by customizing my SELinux policy, but next time a policy is released, it will break my changes.
Comment 1 Thomas Woerner 2005-11-10 09:59:55 UTC 
This is no prostfix problem, assigning to selinux-prolicy-targeted.
Comment 2 Daniel Walsh 2005-11-30 21:26:57 UTC 
Fixed in selinux-policy-targeted-1.27.1-2.14
Comment 3 Ben Carner 2005-12-08 23:16:23 UTC 
Still no worky. Now it is denying write for the mux socket to the postfix daemon.

This is what shows up in my audit.log:

type=AVC msg=audit(1134082992.536:6821): avc:  denied  { write } for  pid=29186
comm="smtpd" name="mux" dev=dm-0 ino=113
0952 scontext=system_u:system_r:postfix_smtpd_t
tcontext=system_u:object_r:var_run_t tclass=sock_file
type=SYSCALL msg=audit(1134082992.536:6821): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bf8f5bd0 a2=5b6228 a3
=bf8f5c34 items=1 pid=29186 auid=4294967295 uid=89 gid=89 euid=89 suid=89
fsuid=89 egid=89 sgid=89 fsgid=89 comm="smtpd"
 exe="/usr/libexec/postfix/smtpd"
type=SOCKADDR msg=audit(1134082992.536:6821):
saddr=01002F7661722F72756E2F7361736C61757468642F6D757800000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000
type=SOCKETCALL msg=audit(1134082992.536:6821): nargs=3 a0=10 a1=bf8f801a a2=6e
type=PATH msg=audit(1134082992.536:6821): item=0 flags=1  inode=1130952
dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00

And this is what audit2allow says should be added:

allow postfix_smtpd_t var_run_t:sock_file write;
Comment 5 Daniel Walsh 2006-05-05 15:02:10 UTC 
Closing as these have been marked as modified, for a while.  Feel free to reopen
if not fixed
Comment 6 Ben Carner 2006-05-09 16:10:26 UTC 
Just tested again and it is working as of selinux-policy-targeted-1.27.1-2.28
Note You need to log in before you can comment on or make changes to this bug.