From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050923 Fedora/1.7.12-1.5.1

Description of problem:
I'm using the FC4 postfix with procmail to deliver to mbox files in users' directories and also TLS, and the default SELinux targeted policy prevents these things working.

If I add the following to /etc/selinux/targeted/src/policy/domains/program/postfix.te and run:

cd /etc/selinux/targeted/src/policy; make load

Then things work OK...

allow postfix_smtp_t file_t:dir search;
allow postfix_smtpd_t file_t:dir getattr;
allow postfix_master_t file_t:dir getattr;
allow postfix_cleanup_t file_t:dir getattr;
allow postfix_master_t policy_src_t:dir search;
allow postfix_local_t file_t:dir search;
allow postfix_local_t file_t:file { getattr read };
allow postfix_local_t file_t:file read;
allow postfix_smtpd_t boot_t:dir getattr;
allow postfix_smtpd_t file_t:dir search;
allow postfix_local_t file_t:dir getattr;
allow postfix_local_t file_t:dir write;
allow postfix_local_t file_t:dir add_name;
allow postfix_local_t file_t:file append;
allow postfix_local_t file_t:file { create lock };
allow postfix_local_t file_t:file lock;
allow postfix_local_t file_t:dir remove_name;
allow postfix_local_t file_t:file link;
allow postfix_local_t file_t:dir remove_name;
allow postfix_local_t file_t:file { unlink write };
allow postfix_local_t file_t:file unlink;

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce:
1. Set up postfix to deliver to mboxes
2. Set up postfix to use TLS
3. Enable the default SELinux targeted policy

Actual Results: Lots of errors in /var/log/audit.log and /var/log/maillog -- postfix was unable to read the TLS certs and was unable to deliver to mboxes in users' home directories.

Expected Results: Mail should have been delivered and TLS should have worked...

Additional info: I have also discovered that any edits one makes to files such as /etc/selinux/targeted/src/policy/domains/program/postfix.te get clobbered on upgrades... now I have saved these rules in a separate file...

file_t indicates that you have a very badly labeled file system. Perhaps you booted with selinux=0 or added a new disk. You need to relabel the machine; you can do this with:

touch /.autorelabel
reboot

Hmm... I think this issue is caused by the encrypted partitions I have set up. /home/ and /etc/crypt/ (where the Postfix TLS key is) are manually mounted after booting (and postfix is manually started). These partitions have been set up using the Fedora cryptsetup-luks package.

I did a relabel as suggested and after that I had to add these lines to postfix.te:

allow postfix_master_t user_home_dir_t:dir search;
allow postfix_smtpd_t default_t:dir getattr;

And these to spamd.te before things started working properly again:

allow spamd_t file_t:dir { getattr search };
allow spamd_t file_t:dir write;
allow spamd_t file_t:file getattr;
allow spamd_t file_t:dir add_name;
allow spamd_t file_t:file create;
allow spamd_t file_t:dir remove_name;
allow spamd_t file_t:file write;
allow spamd_t file_t:file { link unlink };
allow spamd_t file_t:file unlink;
allow spamd_t file_t:file { ioctl read };
allow spamd_t file_t:file append;

I guess this is just a side effect of using some crypted partitions...?
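
Added example, not part of the original bug thread: a small Python triage that reads AVC denial lines and separates those whose target type is file_t, default_t or unlabeled_t (a labeling problem, as the reply about file_t points out) from denials against correctly labeled objects. The log lines are constructed samples and the function names are this example's own.

```python
import re
from collections import defaultdict

# Target types that point at a labeling problem rather than a policy gap:
# file_t = inode has no SELinux label, default_t = path matched no
# file-context entry, unlabeled_t = missing or invalid context.
LABEL_PROBLEM_TYPES = {"file_t", "default_t", "unlabeled_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def context_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def triage(lines):
    """Return (labeling, policy): dicts of (source, target, class) -> perms."""
    labeling, policy = defaultdict(set), defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial
        src, tgt = context_type(m["scon"]), context_type(m["tcon"])
        if src is None or tgt is None:
            continue  # malformed context, skip rather than guess
        bucket = labeling if tgt in LABEL_PROBLEM_TYPES else policy
        bucket[(src, tgt, m["tclass"])].update(m["perms"].split())
    return dict(labeling), dict(policy)

# Constructed sample lines (not taken from the reporter's audit log).
_P = ('type=AVC msg=audit(1130000000.1:%d): avc:  denied  { %s } for  pid=2101 '
      'comm="%s" dev=dm-1 ino=12 scontext=root:system_r:%s '
      'tcontext=system_u:object_r:%s tclass=%s')
SAMPLE_LOG = [
    _P % (11, "append", "local", "postfix_local_t", "file_t", "file"),
    _P % (12, "lock", "local", "postfix_local_t", "file_t", "file"),
    _P % (13, "getattr", "smtpd", "postfix_smtpd_t", "default_t", "dir"),
    _P % (14, "search", "master", "postfix_master_t", "user_home_dir_t", "dir"),
    "type=SYSCALL msg=audit(1130000000.1:15): arch=40000003 syscall=5 success=no",
]

if __name__ == "__main__":
    labeling, policy = triage(SAMPLE_LOG)
    for (src, tgt, cls), perms in sorted(labeling.items()):
        print(f"RELABEL: {src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
    for (src, tgt, cls), perms in sorted(policy.items()):
        print(f"REVIEW:  {src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
```

Entries in the RELABEL bucket call for fixing the labels on the affected file system rather than writing allow rules against file_t or default_t; only the REVIEW bucket is a candidate for a policy change.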