place for Postfix keytab files to make selinux happy

Anthony Messina amessina at messinet.com
Mon Jan 19 21:29:43 UTC 2015


On Tuesday, December 23, 2014 12:44:19 PM Stephen Ingram wrote:
> I'm using Fedora 20 and CentOS 7 and have tried several places to place
> keytab files for Postfix. Each time I'm getting a denied message:
> 
> type=AVC msg=audit(1419366895.530:491753): avc:  denied  { search } for
>  pid=28412 comm="lmtp" name="postfix" dev="xvda1" ino=1223493
> scontext=system_u:system_r:postfix_smtp_t:s0
> tcontext=system_u:object_r:postfix_data_t:s0 tclass=dir type=SYSCALL
> msg=audit(1419366895.530:491753): arch=c000003e syscall=4 success=no
> exit=-13 a0=7f347b8377f0 a1=7fffa6f23670 a2=7fffa6f23670 a3=7fffa6f23540
> items=0 ppid=28406 pid=28412 auid=4294967295 uid=89 gid=89 euid=89 suid=89
> fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="lmtp"
> exe="/usr/libexec/postfix/lmtp" subj=system_u:system_r:postfix_smtp_t:s0
> key=(null)
> 
> I see on the postfix_selinux man page that there is a postfix_keytab_t type,
> however, even if I use this, postfix is not able to read the credential
> file. Has anyone gotten this to work?
> 
> Steve

Steve, I've used the following on my Postfix server (now using Fedora 21) for 
a number of years without issue.


$ ls -lZ /etc/postfix/*keytab
-rw-r-----. root postfix system_u:object_r:postfix_etc_t:s0 /etc/postfix/smtp.keytab


And in /etc/postfix/main.cf
...
# Import environment for Kerberos v5 GSSAPI
import_environment =
        MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
        KRB5_KTNAME=/etc/postfix/smtp.keytab


-- 
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
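
Added example, not written by either poster: a short Python parser for the AVC record quoted in the question, which makes explicit that the denial is a "search" on a directory named "postfix" labelled postfix_data_t, requested by lmtp running as postfix_smtp_t. The function names (parse_avc, selinux_type) are assumptions of this example; the sample input is the quoted record with the start of the SYSCALL record still attached.

```python
import re

# Constructed input: the AVC record from the quoted message, with the start of
# the SYSCALL record still attached to it, as it appears in the mail.
SAMPLE = (
    'type=AVC msg=audit(1419366895.530:491753): avc:  denied  { search } for '
    'pid=28412 comm="lmtp" name="postfix" dev="xvda1" ino=1223493 '
    'scontext=system_u:system_r:postfix_smtp_t:s0 '
    'tcontext=system_u:object_r:postfix_data_t:s0 tclass=dir type=SYSCALL '
    'msg=audit(1419366895.530:491753): arch=c000003e syscall=4 success=no '
    'exit=-13 comm="lmtp" exe="/usr/libexec/postfix/lmtp"'
)

RECORD_START = re.compile(r'\s+(?=type=[A-Z_]+\s+msg=audit\()')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', re.S)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    # A context is user:role:type[:level]; the level may contain colons.
    parts = (context or '').split(':', 3)
    return parts[2] if len(parts) >= 3 else None


def parse_avc(text):
    """Return one dict per AVC record found in text (other records are skipped)."""
    results = []
    for record in RECORD_START.split(text.strip()):
        m = AVC_RE.search(record)
        if m is None:
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
        results.append({
            'result': m.group(1),
            'perms': m.group(2).split(),
            'comm': kv.get('comm'),
            'name': kv.get('name'),
            'tclass': kv.get('tclass'),
            'source_type': selinux_type(kv.get('scontext')),
            'target_type': selinux_type(kv.get('tcontext')),
        })
    return results


if __name__ == '__main__':
    for avc in parse_avc(SAMPLE):
        print('{result}: {comm} ({source_type}) {perms} on {tclass} '
              '"{name}" labelled {target_type}'.format(**avc))
```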