redhatdude(a)bellsouth.net wrote:
>
> On Jul 10, 2006, at 3:49 AM, Paul Howarth wrote:
>
>> On Fri, 2006-07-07 at 16:34 -0400, redhatdude(a)bellsouth.net wrote:
>>> Hi,
>>> While trying to set up a mail cgi script, I discovered that Selinux
>>> is not allowing relaying mail from anything but postfix. I realized
>>> this when I turned off selinux and I started getting the result of
>>> cron jobs and other similar system emails.
>>> So my question is , how can I make selinux allow programs other than
>>> postfix and cyrus to relay emails?
>>
>> Can you post the AVC messages you are getting when mail from cron is
>> being blocked by SELinux?
>>
>> Paul.
>>
>
Hi,
Here it is.
Thanks for your help.
EJ
Sorry, I was away on vacation.
type=AVC_PATH msg=audit(1152547081.207:3467):
path="/var/lib/imap/socket/lmtp"
type=SOCKADDR msg=audit(1152547081.207:3467):
saddr=01002F7661722F6C69622F696D61702F736F636B65742F6C6D74700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1152547081.207:3467): nargs=3 a0=b
a1=bfc966ec a2=6e
type=PATH msg=audit(1152547081.207:3467): item=0 name=(null)
inode=8585327 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:cyrus_var_lib_t:s0
type=AVC msg=audit(1152547081.303:3468): avc: denied { connectto }
for pid=31220 comm="lmtp" name="lmtp"
scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1152547081.303:3468): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bffc5900 a2=f8e430 a3=f90c24 items=1
pid=31220 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89
egid=89 sgid=89 fsgid=89 tty=(none) comm="lmtp"
exe="/usr/libexec/postfix/lmtp"
subj=system_u:system_r:postfix_master_t:s0
type=AVC_PATH msg=audit(1152547081.303:3468):
path="/var/lib/imap/socket/lmtp"
I am not sure what lmtp is, but it looks like it does not have a domain
around it, so you will probably need to add this rule,
type=SOCKADDR msg=audit(1152547081.303:3468):
saddr=01002F7661722F6C69622F696D61702F736F636B65742F6C6D74700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1152547081.303:3468): nargs=3 a0=b
a1=bffc5a1c a2=6e
type=PATH msg=audit(1152547081.303:3468): item=0 name=(null)
inode=8585327 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:cyrus_var_lib_t:s0
This is the message I get when I try to run a mail form cgi script,
which is why I realized that I was having problems with my system
sending mail.
type=AVC msg=audit(1152547494.882:3475): avc: denied { getattr }
for pid=31270 comm="postdrop" name="[165322]" dev=pipefs ino=165322
scontext=user_u:system_r:postfix_postdrop_t:s0
tcontext=user_u:system_r:httpd_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1152547494.882:3475): arch=40000003 syscall=197
success=no exit=-13 a0=2 a1=bfa6d7c0 a2=50aff4 a3=3 items=0 pid=31270
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=90 sgid=90
fsgid=90 tty=(none) comm="postdrop" exe="/usr/sbin/postdrop"
subj=user_u:system_r:postfix_postdrop_t:s0
type=AVC_PATH msg=audit(1152547494.882:3475): path="pipe:[165322]"
Not sure why postdrop wants to talk to a fifo file owned by apache?
type=AVC msg=audit(1152547495.010:3476): avc: denied { connectto }
for pid=31274 comm="lmtp" name="lmtp"
scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1152547495.010:3476): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bffb50f0 a2=4b1430 a3=4b3c24 items=1
pid=31274 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89
egid=89 sgid=89 fsgid=89 tty=(none) comm="lmtp"
exe="/usr/libexec/postfix/lmtp"
subj=system_u:system_r:postfix_master_t:s0
type=AVC_PATH msg=audit(1152547495.010:3476):
path="/var/lib/imap/socket/lmtp"
type=SOCKADDR msg=audit(1152547495.010:3476):
saddr=01002F7661722F6C69622F696D61702F736F636B65742F6C6D74700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1152547495.010:3476): nargs=3 a0=b
a1=bffb520c a2=6e
type=PATH msg=audit(1152547495.010:3476): item=0 name=(null)
inode=8585327 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:cyrus_var_lib_t:s0
--
I would suggest you turn off enforcing mode and generate all the AVC
messages. Then
use audit2allow to generate a loadable policy module.
audit2allow -M lmtp -i /var/log/messages
semodule -i lmtp.pp
Then someone can convince me or upstream to add the policy. :^)
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
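Added example, not from the thread or from audit2allow itself: a small Python script that reads AVC records like the ones quoted above, collapses them into the allow rules and .te module skeleton that `audit2allow -M` would produce, and decodes the SOCKADDR hex so the targeted Unix socket path is readable instead of a hex blob. The sample records are constructed from this thread's logs (each record joined back onto one line, as it appears in audit.log, with the trailing zero padding of `saddr` trimmed); nothing is read from a live system, and every function name here is mine.

```python
"""Turn AVC denials into audit2allow-style rules and decode SOCKADDR hex.

Assumptions: one audit record per line (audit.log layout); the saddr
family field is little-endian because the sample is from an i386 host
(arch=40000003). The sample log is constructed from the thread above."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the connectto and getattr denials from the thread.
SAMPLE_LOG = """\
type=AVC msg=audit(1152547081.303:3468): avc: denied { connectto } for pid=31220 comm="lmtp" name="lmtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SOCKADDR msg=audit(1152547081.303:3468): saddr=01002F7661722F6C69622F696D61702F736F636B65742F6C6D7470000000
type=AVC msg=audit(1152547494.882:3475): avc: denied { getattr } for pid=31270 comm="postdrop" name="[165322]" dev=pipefs ino=165322 scontext=user_u:system_r:postfix_postdrop_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=fifo_file
type=AVC msg=audit(1152547495.010:3476): avc: denied { connectto } for pid=31274 comm="lmtp" name="lmtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SOCKADDR msg=audit(1152547495.010:3476): saddr=01002F7661722F6C69622F696D61702F736F636B65742F6C6D7470000000
"""

SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(?P<serial>\d+)\)")
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
SADDR_RE = re.compile(r"type=SOCKADDR .*?saddr=(?P<hex>[0-9A-Fa-f]+)")

AF_UNIX = 1


def type_of(context: str) -> str:
    """user_u:system_r:postfix_master_t:s0 -> postfix_master_t"""
    return context.split(":")[2]


def parse_denials(log: str) -> Dict[Tuple[str, str, str], set]:
    """Group denied permissions by (source type, target type, class),
    collapsing repeated denials the way audit2allow does."""
    rules: Dict[Tuple[str, str, str], set] = {}
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            rules.setdefault(key, set()).update(m["perms"].split())
    return rules


def allow_rules(log: str) -> List[str]:
    """Render one TE allow statement per (source, target, class)."""
    out = []
    for (src, tgt, cls), perms in sorted(parse_denials(log).items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        out.append(f"allow {src} {tgt}:{cls} {p};")
    return out


def te_module(name: str, log: str) -> str:
    """Emit a .te body in the shape 'audit2allow -M name' produces."""
    rules = parse_denials(log)
    types = sorted({t for key in rules for t in key[:2]})
    classes: Dict[str, set] = {}
    for (_, _, cls), perms in rules.items():
        classes.setdefault(cls, set()).update(perms)
    req = [f"\ttype {t};" for t in types]
    req += [f"\tclass {cls} {{ {' '.join(sorted(perms))} }};"
            for cls, perms in sorted(classes.items())]
    body = [f"module {name} 1.0;", "", "require {"] + req + ["}", ""]
    return "\n".join(body + allow_rules(log)) + "\n"


def decode_saddr(hexstr: str) -> Tuple[int, str]:
    """saddr is the raw struct sockaddr: a 16-bit host-order family,
    then the address. For AF_UNIX the address is the NUL-terminated path."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[:2], "little")  # i386 host, see docstring
    if family != AF_UNIX:
        return family, ""
    return family, raw[2:].split(b"\0", 1)[0].decode()


def socket_paths(log: str) -> Dict[str, str]:
    """Map each audit serial carrying a SOCKADDR record to its socket path,
    so a connectto denial can be tied to the socket it was aimed at."""
    paths: Dict[str, str] = {}
    for line in log.splitlines():
        m = SADDR_RE.search(line)
        if m:
            serial = SERIAL_RE.search(line)["serial"]
            paths[serial] = decode_saddr(m["hex"])[1]
    return paths


if __name__ == "__main__":
    print(te_module("lmtp", SAMPLE_LOG))
    for serial, path in socket_paths(SAMPLE_LOG).items():
        print(f"audit serial {serial}: AF_UNIX socket {path}")
```

Two things the decoded output makes visible. The socket at `/var/lib/imap/socket/lmtp` carries `tcontext=initrc_t`, the generic init-script domain, which is the "no domain around it" situation the reply above points at: the daemon listening there was started without a confined domain, so a rule of `allow postfix_master_t initrc_t:unix_stream_socket connectto;` is broad (it reaches every socket owned by any unconfined init script), and a module built from it is a stopgap until that daemon runs in its own domain. The postdrop denial is a `getattr` on `pipe:[165322]` labelled `httpd_t`: in the record, syscall 197 on i386 is fstat64, i.e. postdrop is stat'ing a pipe file descriptor it inherited from the CGI process, not opening anything of apache's on its own.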