2:44 p.m.
I'm using Fedora 20 and CentOS 7 and have tried several places to place
keytab files for Postfix. Each time I'm getting a denied message:
type=AVC msg=audit(1419366895.530:491753): avc: denied { search } for
pid=28412 comm="lmtp" name="postfix" dev="xvda1"
ino=1223493
scontext=system_u:system_r:postfix_smtp_t:s0
tcontext=system_u:object_r:postfix_data_t:s0 tclass=dir
type=SYSCALL msg=audit(1419366895.530:491753): arch=c000003e syscall=4
success=no exit=-13 a0=7f347b8377f0 a1=7fffa6f23670 a2=7fffa6f23670
a3=7fffa6f23540 items=0 ppid=28406 pid=28412 auid=4294967295 uid=89 gid=89
euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295
comm="lmtp" exe="/usr/libexec/postfix/lmtp"
subj=system_u:system_r:postfix_smtp_t:s0 key=(null)
I see on the postfix_selinux man page that there is a postfix_keytab_t
type, however, even if I use this, postfix is not able to read the
credential file. Has anyone gotten this to work?
Steve
4:25 a.m.
On 12/23/2014 09:44 PM, Stephen Ingram wrote:
I'm using Fedora 20 and CentOS 7 and have tried several places to
place keytab files for Postfix. Each time I'm getting a denied message:
type=AVC msg=audit(1419366895.530:491753): avc: denied { search }
for pid=28412 comm="lmtp" name="postfix" dev="xvda1"
ino=1223493
scontext=system_u:system_r:postfix_smtp_t:s0
tcontext=system_u:object_r:postfix_data_t:s0 tclass=dir
type=SYSCALL msg=audit(1419366895.530:491753): arch=c000003e syscall=4
success=no exit=-13 a0=7f347b8377f0 a1=7fffa6f23670 a2=7fffa6f23670
a3=7fffa6f23540 items=0 ppid=28406 pid=28412 auid=4294967295 uid=89
gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none)
ses=4294967295 comm="lmtp" exe="/usr/libexec/postfix/lmtp"
subj=system_u:system_r:postfix_smtp_t:s0 key=(null)
I see on the postfix_selinux man page that there is a postfix_keytab_t
type, however, even if I use this, postfix is not able to read the
credential file. Has anyone gotten this to work?
Steve
What AVC do you get with the default setup?
We will need to add additional rules.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
3:23 p.m.
On Mon, Dec 29, 2014 at 2:25 AM, Miroslav Grepl <mgrepl(a)redhat.com> wrote:
On 12/23/2014 09:44 PM, Stephen Ingram wrote:
I'm using Fedora 20 and CentOS 7 and have tried several places to place
keytab files for Postfix. Each time I'm getting a denied message:
type=AVC msg=audit(1419366895.530:491753): avc: denied { search } for
pid=28412 comm="lmtp" name="postfix" dev="xvda1"
ino=1223493
scontext=system_u:system_r:postfix_smtp_t:s0
tcontext=system_u:object_r:postfix_data_t:s0 tclass=dir
type=SYSCALL msg=audit(1419366895.530:491753): arch=c000003e syscall=4
success=no exit=-13 a0=7f347b8377f0 a1=7fffa6f23670 a2=7fffa6f23670
a3=7fffa6f23540 items=0 ppid=28406 pid=28412 auid=4294967295 uid=89 gid=89
euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295
comm="lmtp" exe="/usr/libexec/postfix/lmtp"
subj=system_u:system_r:postfix_smtp_t:s0 key=(null)
I see on the postfix_selinux man page that there is a postfix_keytab_t
type, however, even if I use this, postfix is not able to read the
credential file. Has anyone gotten this to work?
Steve
What AVC do you get with the default setup?
We will need to add additional rules.
Sorry for the delay, I somehow misplaced your reply.
I'm not sure what you mean by default setup. There really is no default
setup that I know for Postfix using a Kerberos ticket. Considering the
dearth of postings of Kerberos installs on the Postfix list, I don't think
there are many people using it.
As I had to get something going, I just placed it in /run/user/postfix for
now. It's the only place I could find that I could get the
postfix_smtp_exec_t context I needed. I had previously stored this value in
/tmp, however, that was not a selinux system and probably not the most
secure place for them anyhow. I would think the best place for it would be
somewhere in /var/spool/postfix hierarchy as that is the home directory for
postfix.
Steve
3:29 p.m.
On Tuesday, December 23, 2014 12:44:19 PM Stephen Ingram wrote:
I'm using Fedora 20 and CentOS 7 and have tried several places to
place
keytab files for Postfix. Each time I'm getting a denied message:
type=AVC msg=audit(1419366895.530:491753): avc: denied { search } for
pid=28412 comm="lmtp" name="postfix" dev="xvda1"
ino=1223493
scontext=system_u:system_r:postfix_smtp_t:s0
tcontext=system_u:object_r:postfix_data_t:s0 tclass=dir type=SYSCALL
msg=audit(1419366895.530:491753): arch=c000003e syscall=4 success=no
exit=-13 a0=7f347b8377f0 a1=7fffa6f23670 a2=7fffa6f23670 a3=7fffa6f23540
items=0 ppid=28406 pid=28412 auid=4294967295 uid=89 gid=89 euid=89 suid=89
fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="lmtp"
exe="/usr/libexec/postfix/lmtp" subj=system_u:system_r:postfix_smtp_t:s0
key=(null)
I see on the postfix_selinux man page that there is a postfix_keytab_t type,
however, even if I use this, postfix is not able to read the credential
file. Has anyone gotten this to work?
Steve
Steve, I've used the following on my Postfix server (now using Fedora 21) for
a number of years without issue.
$ ls -lZ /etc/postfix/*keytab
-rw-r-----. root postfix system_u:object_r:postfix_etc_t:s0
/etc/postfix/smtp.keytab
And in /etc/postfix/main.cf
...
# Import environment for Kerberos v5 GSSAPI
import_environment =
MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
KRB5_KTNAME=/etc/postfix/smtp.keytab
--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
3382
days inactive
3409
days old
selinux@lists.fedoraproject.org
3 comments
3 participants
participants (3)
-
Anthony Joseph Messina -
Miroslav Grepl -
Stephen Ingram