On Mon, Dec 29, 2014 at 2:25 AM, Miroslav Grepl <mgrepl(a)redhat.com> wrote:
> On 12/23/2014 09:44 PM, Stephen Ingram wrote:
>> I'm using Fedora 20 and CentOS 7 and have tried several places to place
>> keytab files for Postfix. Each time I'm getting a denied message:
>>
>> type=AVC msg=audit(1419366895.530:491753): avc: denied { search } for
>> pid=28412 comm="lmtp" name="postfix" dev="xvda1"
>> ino=1223493
>> scontext=system_u:system_r:postfix_smtp_t:s0
>> tcontext=system_u:object_r:postfix_data_t:s0 tclass=dir
>> type=SYSCALL msg=audit(1419366895.530:491753): arch=c000003e syscall=4
>> success=no exit=-13 a0=7f347b8377f0 a1=7fffa6f23670 a2=7fffa6f23670
>> a3=7fffa6f23540 items=0 ppid=28406 pid=28412 auid=4294967295 uid=89 gid=89
>> euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295
>> comm="lmtp" exe="/usr/libexec/postfix/lmtp"
>> subj=system_u:system_r:postfix_smtp_t:s0 key=(null)
>>
>> I see on the postfix_selinux man page that there is a postfix_keytab_t
>> type, however, even if I use this, postfix is not able to read the
>> credential file. Has anyone gotten this to work?
>>
>> Steve
>
> What AVC do you get with the default setup?
> We will need to add additional rules.

Sorry for the delay, I somehow misplaced your reply.

I'm not sure what you mean by default setup. There really is no default
setup that I know for Postfix using a Kerberos ticket. Considering the
dearth of postings of Kerberos installs on the Postfix list, I don't think
there are many people using it.

As I had to get something going, I just placed it in /run/user/postfix for
now. It's the only place I could find that I could get the
postfix_smtp_exec_t context I needed. I had previously stored this value in
/tmp; however, that was not a SELinux system and probably not the most
secure place for them anyhow. I would think the best place for it would be
somewhere in /var/spool/postfix hierarchy as that is the home directory for
postfix.

Steve
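
Added example, not part of either poster's message: a small Python reader for the AVC/SYSCALL pair quoted above, which pairs the two records by event id, names the syscall and errno, and prints the access that was refused in the `allow` form that audit2allow uses. The records are re-joined from the thread (SYSCALL abridged); the function names and the four-entry x86_64 syscall table are assumptions of this example.

```python
import errno
import re

# Records quoted in the thread, re-joined onto one line each (SYSCALL abridged).
AVC = ('type=AVC msg=audit(1419366895.530:491753): avc: denied { search } for '
       'pid=28412 comm="lmtp" name="postfix" dev="xvda1" ino=1223493 '
       'scontext=system_u:system_r:postfix_smtp_t:s0 '
       'tcontext=system_u:object_r:postfix_data_t:s0 tclass=dir')
SYSCALL = ('type=SYSCALL msg=audit(1419366895.530:491753): arch=c000003e '
           'syscall=4 success=no exit=-13 pid=28412 uid=89 comm="lmtp" '
           'exe="/usr/libexec/postfix/lmtp"')

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
X86_64_SYSCALLS = {2: "open", 4: "stat", 5: "fstat", 6: "lstat"}  # subset only

def event_id(record):
    """timestamp:serial shared by every record of one audit event."""
    return re.search(r"msg=audit\(([\d.]+:\d+)\)", record).group(1)

def parse_avc(record):
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", record)
    if m is None:
        raise ValueError("not an AVC record")
    f = {k: v.strip('"') for k, v in KV.findall(m.group(3))}
    # A context is user:role:type:level; the type is always the third field.
    return {"event": event_id(record), "result": m.group(1),
            "perms": m.group(2).split(), "tclass": f["tclass"],
            "source": f["scontext"].split(":")[2],
            "target": f["tcontext"].split(":")[2],
            "comm": f.get("comm"), "name": f.get("name")}

def parse_syscall(record):
    f = {k: v.strip('"') for k, v in KV.findall(record)}
    if f.get("arch") != "c000003e":  # AUDIT_ARCH_X86_64
        raise ValueError("syscall table here only covers x86_64")
    rc = int(f["exit"])
    return {"event": event_id(record), "exe": f.get("exe"),
            "syscall": X86_64_SYSCALLS.get(int(f["syscall"]), f["syscall"]),
            "error": errno.errorcode.get(-rc) if rc < 0 else None}

def te_rule(avc):
    """The refused access written as a type-enforcement rule, for reading only."""
    p = avc["perms"]
    perms = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return f"allow {avc['source']} {avc['target']}:{avc['tclass']} {perms};"

if __name__ == "__main__":
    a, s = parse_avc(AVC), parse_syscall(SYSCALL)
    print(f"{s['exe']}: {s['syscall']}() -> {s['error']} on {a['tclass']} "
          f"'{a['name']}' (same event: {a['event'] == s['event']})")
    print(te_rule(a))
```

Read this way, the record shows `stat()` failing with EACCES while searching a directory named `postfix` labelled `postfix_data_t`; the denial is on the directory, not on the keytab file or its label.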