Description of problem:

type=AVC msg=audit(1218128130.653:334): avc: denied { connectto } for pid=9111 comm="smtpd" path="/var/spool/postfix/postgrey/socket" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1218128130.653:334): avc: denied { write } for pid=9111 comm="smtpd" name="socket" dev=sda6 ino=39977017 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file

I was able to restore functionality by entering permissive mode and using audit2allow to generate this policy as it's mentioned on this page: http://wiki.centos.org/HowTos/SELinux

# cat postgreylocal.te
module postgreylocal 1.0;

require {
        type postfix_smtpd_t;
        type postfix_spool_t;
        type initrc_t;
        class sock_file write;
        class unix_stream_socket connectto;
}

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;
allow postfix_smtpd_t postfix_spool_t:sock_file write;

Version-Release number of selected component (if applicable):
postgrey 1.31
postfix-2.3.3-2.1.el5_2
selinux-policy-2.4.6-137.1.el5

How reproducible: Always

Steps to Reproduce:
1. Install postgrey
2. send message
3. check audit

Additional info:
OS:
LSB Version: :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: CentOS
Description: CentOS release 5.2 (Final)
Release: 5.2
Codename: Final
Since we do not have postgrey policy in RHEL5, this is the best solution. Not sure if we will add it for 5.4 release.
Fixed in selinux-policy-2.4.6-231.el5
Hi, can you provide a more detailed description of what you were doing while encountering the error? Especially,
- command executed
- postgrey configuration file
and any other relevant info that will help us reproduce the issue and make sure it's fixed. Thanks!
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1242.html