On Jul 10, 2006, at 3:49 AM, Paul Howarth wrote:
On Fri, 2006-07-07 at 16:34 -0400, redhatdude@bellsouth.net wrote:
Hi,
While trying to set up a mail CGI script, I discovered that SELinux is not allowing relaying mail from anything but postfix. I realized this when I turned off SELinux and I started getting the results of cron jobs and other similar system emails. So my question is, how can I make SELinux allow programs other than postfix and cyrus to relay emails?
Can you post the AVC messages you are getting when mail from cron is being blocked by SELinux?
Paul.
Hi, Here it is. Thanks for your help. EJ
type=AVC_PATH msg=audit(1152547081.207:3467): path="/var/lib/imap/socket/lmtp"
type=SOCKADDR msg=audit(1152547081.207:3467): saddr=01002F7661722F6C69622F696D61702F736F636B65742F6C6D74700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1152547081.207:3467): nargs=3 a0=b a1=bfc966ec a2=6e
type=PATH msg=audit(1152547081.207:3467): item=0 name=(null) inode=8585327 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cyrus_var_lib_t:s0
type=AVC msg=audit(1152547081.303:3468): avc: denied { connectto } for pid=31220 comm="lmtp" name="lmtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1152547081.303:3468): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bffc5900 a2=f8e430 a3=f90c24 items=1 pid=31220 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) comm="lmtp" exe="/usr/libexec/postfix/lmtp" subj=system_u:system_r:postfix_master_t:s0
type=AVC_PATH msg=audit(1152547081.303:3468): path="/var/lib/imap/socket/lmtp"
type=SOCKADDR msg=audit(1152547081.303:3468): saddr=01002F7661722F6C69622F696D61702F736F636B65742F6C6D74700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1152547081.303:3468): nargs=3 a0=b a1=bffc5a1c a2=6e
type=PATH msg=audit(1152547081.303:3468): item=0 name=(null) inode=8585327 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cyrus_var_lib_t:s0
This is the message I get when I try to run a mail form CGI script, which is why I realized that I was having problems with my system sending mail.
type=AVC msg=audit(1152547494.882:3475): avc: denied { getattr } for pid=31270 comm="postdrop" name="[165322]" dev=pipefs ino=165322 scontext=user_u:system_r:postfix_postdrop_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1152547494.882:3475): arch=40000003 syscall=197 success=no exit=-13 a0=2 a1=bfa6d7c0 a2=50aff4 a3=3 items=0 pid=31270 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) comm="postdrop" exe="/usr/sbin/postdrop" subj=user_u:system_r:postfix_postdrop_t:s0
type=AVC_PATH msg=audit(1152547494.882:3475): path="pipe:[165322]"
type=AVC msg=audit(1152547495.010:3476): avc: denied { connectto } for pid=31274 comm="lmtp" name="lmtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1152547495.010:3476): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bffb50f0 a2=4b1430 a3=4b3c24 items=1 pid=31274 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) comm="lmtp" exe="/usr/libexec/postfix/lmtp" subj=system_u:system_r:postfix_master_t:s0
type=AVC_PATH msg=audit(1152547495.010:3476): path="/var/lib/imap/socket/lmtp"
type=SOCKADDR msg=audit(1152547495.010:3476): saddr=01002F7661722F6C69622F696D61702F736F636B65742F6C6D74700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1152547495.010:3476): nargs=3 a0=b a1=bffb520c a2=6e
type=PATH msg=audit(1152547495.010:3476): item=0 name=(null) inode=8585327 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cyrus_var_lib_t:s0
redhatdude@bellsouth.net wrote:
On Jul 10, 2006, at 3:49 AM, Paul Howarth wrote:
On Fri, 2006-07-07 at 16:34 -0400, redhatdude@bellsouth.net wrote:
Hi,
While trying to set up a mail CGI script, I discovered that SELinux is not allowing relaying mail from anything but postfix. I realized this when I turned off SELinux and I started getting the results of cron jobs and other similar system emails. So my question is, how can I make SELinux allow programs other than postfix and cyrus to relay emails?
Can you post the AVC messages you are getting when mail from cron is being blocked by SELinux?
Paul.
Hi, Here it is. Thanks for your help. EJ
Sorry, I was away on vacation.
type=AVC_PATH msg=audit(1152547081.207:3467): path="/var/lib/imap/socket/lmtp"
type=SOCKADDR msg=audit(1152547081.207:3467): saddr=01002F7661722F6C69622F696D61702F736F636B65742F6C6D74700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1152547081.207:3467): nargs=3 a0=b a1=bfc966ec a2=6e
type=PATH msg=audit(1152547081.207:3467): item=0 name=(null) inode=8585327 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cyrus_var_lib_t:s0
type=AVC msg=audit(1152547081.303:3468): avc: denied { connectto } for pid=31220 comm="lmtp" name="lmtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1152547081.303:3468): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bffc5900 a2=f8e430 a3=f90c24 items=1 pid=31220 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) comm="lmtp" exe="/usr/libexec/postfix/lmtp" subj=system_u:system_r:postfix_master_t:s0
type=AVC_PATH msg=audit(1152547081.303:3468): path="/var/lib/imap/socket/lmtp"
I am not sure what lmtp is, but it looks like it does not have a domain around it, so you will probably need to add this rule,
type=SOCKADDR msg=audit(1152547081.303:3468): saddr=01002F7661722F6C69622F696D61702F736F636B65742F6C6D74700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1152547081.303:3468): nargs=3 a0=b a1=bffc5a1c a2=6e
type=PATH msg=audit(1152547081.303:3468): item=0 name=(null) inode=8585327 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cyrus_var_lib_t:s0
This is the message I get when I try to run a mail form CGI script, which is why I realized that I was having problems with my system sending mail.
type=AVC msg=audit(1152547494.882:3475): avc: denied { getattr } for pid=31270 comm="postdrop" name="[165322]" dev=pipefs ino=165322 scontext=user_u:system_r:postfix_postdrop_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1152547494.882:3475): arch=40000003 syscall=197 success=no exit=-13 a0=2 a1=bfa6d7c0 a2=50aff4 a3=3 items=0 pid=31270 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90 fsgid=90 tty=(none) comm="postdrop" exe="/usr/sbin/postdrop" subj=user_u:system_r:postfix_postdrop_t:s0
type=AVC_PATH msg=audit(1152547494.882:3475): path="pipe:[165322]"
Not sure why postdrop wants to talk to a fifo file owned by apache?
type=AVC msg=audit(1152547495.010:3476): avc: denied { connectto } for pid=31274 comm="lmtp" name="lmtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1152547495.010:3476): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bffb50f0 a2=4b1430 a3=4b3c24 items=1 pid=31274 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) comm="lmtp" exe="/usr/libexec/postfix/lmtp" subj=system_u:system_r:postfix_master_t:s0
type=AVC_PATH msg=audit(1152547495.010:3476): path="/var/lib/imap/socket/lmtp"
type=SOCKADDR msg=audit(1152547495.010:3476): saddr=01002F7661722F6C69622F696D61702F736F636B65742F6C6D74700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1152547495.010:3476): nargs=3 a0=b a1=bffb520c a2=6e
type=PATH msg=audit(1152547495.010:3476): item=0 name=(null) inode=8585327 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cyrus_var_lib_t:s0
--
I would suggest you turn off enforcing mode and generate all the AVC messages. Then use audit2allow to generate a loadable policy module.
audit2allow -M imtp -i /var/log/messages
semodule -i imtp.pp
Then someone can convince me or upstream to add the policy. :^)
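To show what the audit2allow step in the reply actually does with the denials quoted in this thread, here is an added example (not from the list, and not the audit2allow tool's own code): a small Python parser that pulls the source type, target type, class and permission out of the AVC records, merges them into allow rules in the form audit2allow prints, and decodes the SOCKADDR saddr= field so that the "lmtp" socket the reply was unsure about shows up as its Unix path. The sample records and the shortened saddr value are constructed from the messages quoted above.

```python
import re
# Constructed sample: the two distinct AVC denials quoted in the thread (not the full dump).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1152547081.303:3468): avc: denied { connectto } for pid=31220 comm="lmtp" name="lmtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1152547494.882:3475): avc: denied { getattr } for pid=31270 comm="postdrop" name="[165322]" dev=pipefs ino=165322 scontext=user_u:system_r:postfix_postdrop_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=fifo_file
type=AVC msg=audit(1152547495.010:3476): avc: denied { connectto } for pid=31274 comm="lmtp" name="lmtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
"""
# Constructed: the saddr= value of the SOCKADDR record, shortened to three trailing NUL bytes.
SAMPLE_SADDR = "01002F7661722F6C69622F696D61702F736F636B65742F6C6D7470000000"

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def parse_avc_denials(text):
    """Extract (permissions, source type, target type, class) from each AVC record."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and SOCKADDR records carry no denial
        perms = tuple(m.group(1).split())
        stype = m.group(2).split(":")[2]  # user:role:type:level -> keep the type
        ttype = m.group(3).split(":")[2]
        denials.append((perms, stype, ttype, m.group(4)))
    return denials

def allow_rules(denials):
    """Merge denials per (source, target, class) into allow rules, as audit2allow does."""
    merged = {}
    for perms, stype, ttype, tclass in denials:
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {p};")
    return rules

def decode_unix_saddr(hexstr):
    """Decode a SOCKADDR saddr= hex as struct sockaddr_un: 2-byte family, then NUL-padded path."""
    raw = bytes.fromhex(hexstr)
    if int.from_bytes(raw[:2], "little") != 1:  # AF_UNIX == 1; anything else is not a path
        return None
    return raw[2:].split(b"\0", 1)[0].decode()

if __name__ == "__main__":
    for rule in allow_rules(parse_avc_denials(SAMPLE_AUDIT)):
        print(rule)
    print("lmtp socket path:", decode_unix_saddr(SAMPLE_SADDR))
```

Treat the generated rules as a starting point to review rather than load as-is: the connectto rule targets initrc_t only because the process behind the Cyrus lmtp socket runs without a domain of its own, as the reply notes.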
fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list