Bug 479819 - postgrey avc: denied socket connection
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Hardware: i686 Linux
Priority: low, Severity: medium
Target Milestone: rc
Assigned To: Daniel Walsh
Reported: 2009-01-13 06:50 EST by extremoburo
Modified: 2012-10-15 09:47 EDT
Doc Type: Bug Fix
Last Closed: 2009-09-02 03:59:11 EDT
Description extremoburo 2009-01-13 06:50:50 EST
Description of problem:

type=AVC msg=audit(1218128130.653:334): avc:  denied  { connectto } for  pid=9111 comm="smtpd" path="/var/spool/postfix/postgrey/socket"
scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1218128130.653:334): avc:  denied  { write } for  pid=9111 comm="smtpd" name="socket" dev=sda6 ino=39977017
scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file 

I was able to restore functionality by entering permissive mode and using
audit2allow to generate this policy as it's mentioned on this page:

# cat postgreylocal.te
module postgreylocal 1.0;

require {
        type postfix_smtpd_t;
        type postfix_spool_t;
        type initrc_t;
        class sock_file write;
        class unix_stream_socket connectto;
}

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;
allow postfix_smtpd_t postfix_spool_t:sock_file write;

Version-Release number of selected component (if applicable):
postgrey 1.31

How reproducible:

Steps to Reproduce:
1. Install postgrey
2. Send message
3. Check audit

Additional info: 

LSB Version:	:core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID:	CentOS
Description:	CentOS release 5.2 (Final)
Release:	5.2
Codename:	Final
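
The audit2allow step described in the report above, as an added example that is not part of the original report and is not the audit2allow tool itself: a small Python parser turns the two quoted AVC records into a complete local module and lists any rule whose target is a catch-all domain. The names `parse_denials`, `to_module`, `broad_rules` and the `BROAD_TARGETS` set are assumptions of this sketch. postgrey appears as `initrc_t` in the denial, so the `connectto` rule applies to every daemon running in that domain, not only postgrey.

```python
import re
from collections import defaultdict

# Constructed input: the two AVC records from this report, each joined onto one line.
SAMPLE = """\
type=AVC msg=audit(1218128130.653:334): avc:  denied  { connectto } for  pid=9111 comm="smtpd" path="/var/spool/postfix/postgrey/socket" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1218128130.653:334): avc:  denied  { write } for  pid=9111 comm="smtpd" name="socket" dev=sda6 ino=39977017 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+tclass=(?P<cls>\w+)"
)
# Assumption of this example: domains shared by services that have no policy of their own.
BROAD_TARGETS = {"initrc_t", "unconfined_t"}

def parse_denials(text):
    """Return {(source_type, target_type, class): {perms}} for denied AVC records."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return dict(rules)

def _perms(perms):
    p = sorted(perms)  # one permission is written bare, several as a braced set
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"

def to_module(name, rules):
    """Render a local policy module (.te) with a properly closed require block."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    by_class = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        by_class[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_perms(p)};" for c, p in sorted(by_class.items())] + ["}", ""]
    out += [f"allow {s} {t}:{c} {_perms(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

def broad_rules(rules):
    """Rules whose target is a catch-all domain and so cover more than one service."""
    return sorted(k for k in rules if k[1] in BROAD_TARGETS)

if __name__ == "__main__":
    found = parse_denials(SAMPLE)
    print(to_module("postgreylocal", found), "review before loading:", broad_rules(found))
```
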
Comment 1 Daniel Walsh 2009-01-13 10:18:11 EST
Since we do not have postgrey policy in RHEL5, this is the best solution.

Not sure if we will add it for 5.4 release.
Comment 2 Daniel Walsh 2009-05-01 14:25:58 EDT
Fixed in selinux-policy-2.4.6-231.el5
Comment 3 David Kovalsky 2009-05-04 08:42:21 EDT

Can you provide a more detailed description of what you were doing while encountering the error? Especially,
 - command executed
 - postgrey configuration file
and any other relevant info that will help us reproduce the issue and make sure it's fixed. 

Comment 8 errata-xmlrpc 2009-09-02 03:59:11 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

