postfix sasl denials

Daniel J Walsh dwalsh at redhat.com
Thu Mar 27 15:19:48 UTC 2014


chcon -t postfix_smtpd_tmp_t /var/tmp/smtp*

Should fix the problem.


On 03/25/2014 08:29 AM, Natxo Asenjo wrote:
> Hi,
>
> when trying to relay e-mail using SASL authentication on an IPA CentOS
> domain I get this in audit.log:
>
> type=AVC msg=audit(1395749719.107:875): avc:  denied  { unlink } for 
> pid=4229 comm="smtpd" name="smtp_89" dev=dm-0 ino=265669
> scontext=unconfined_u:system_r:postfix_smtpd_t:s0
> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
> type=AVC msg=audit(1395749719.109:876): avc:  denied  { getattr } for 
> pid=4229 comm="smtpd" path="/var/tmp/smtp_89" dev=dm-0 ino=265669
> scontext=unconfined_u:system_r:postfix_smtpd_t:s0
> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
> type=AVC msg=audit(1395749719.109:877): avc:  denied  { unlink } for 
> pid=4229 comm="smtpd" name="smtp_89" dev=dm-0 ino=265669
> scontext=unconfined_u:system_r:postfix_smtpd_t:s0
> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
> type=AVC msg=audit(1395749719.110:878): avc:  denied  { getattr } for 
> pid=4229 comm="smtpd" path="/var/tmp/smtp_89" dev=dm-0 ino=265669
> scontext=unconfined_u:system_r:postfix_smtpd_t:s0
> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
>
>
> The local user postfix is indeed id 89. In /var/tmp/smtp_89 I have the
> kerberos ticket that the relay server is using
> (smtp/testsmtprelay.sub.domain.tld at SUB.DOMAIN.TLD)
>
> $ sudo ls -Z /var/tmp/
> -rw-------. root    root    system_u:object_r:krb5_host_rcache_t:s0 host_0
> -rw-------. postfix postfix unconfined_u:object_r:user_tmp_t:s0 smtp_89
>
> If I set SELinux in permissive mode, I may relay using SASL, otherwise
> it gets blocked.
>
> Any clues on how to fix this to keep selinux enabled?
>
> TIA,
>
> --
> Regards,
> natxo
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
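
Added example, not part of the original thread: a small Python parser that groups AVC denials by source type, target type and object class. Run over the four records quoted above (unwrapped to one per line), it shows they all collapse to a single postfix_smtpd_t -> user_tmp_t:file mismatch on one file, which is why relabeling that file addresses every denial. The function names are this example's own.

```python
import re
from collections import defaultdict

# The four AVC records from the post, unwrapped to one record per line
# as they would appear in audit.log.
_CTX = ('scontext=unconfined_u:system_r:postfix_smtpd_t:s0 '
        'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file')
SAMPLE = "\n".join([
    'type=AVC msg=audit(1395749719.107:875): avc:  denied  { unlink } for '
    'pid=4229 comm="smtpd" name="smtp_89" dev=dm-0 ino=265669 ' + _CTX,
    'type=AVC msg=audit(1395749719.109:876): avc:  denied  { getattr } for '
    'pid=4229 comm="smtpd" path="/var/tmp/smtp_89" dev=dm-0 ino=265669 ' + _CTX,
    'type=AVC msg=audit(1395749719.109:877): avc:  denied  { unlink } for '
    'pid=4229 comm="smtpd" name="smtp_89" dev=dm-0 ino=265669 ' + _CTX,
    'type=AVC msg=audit(1395749719.110:878): avc:  denied  { getattr } for '
    'pid=4229 comm="smtpd" path="/var/tmp/smtp_89" dev=dm-0 ino=265669 ' + _CTX,
])

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return {'perms': [...], 'fields': {...}} for a denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return {"perms": m.group(1).split(), "fields": fields}

def selinux_type(context):
    """Extract the type from a user:role:type:level context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set(), "count": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or not {"scontext", "tcontext", "tclass"} <= rec["fields"].keys():
            continue  # not a denial, or a truncated record
        f = rec["fields"]
        g = groups[(selinux_type(f["scontext"]), selinux_type(f["tcontext"]), f["tclass"])]
        g["perms"].update(rec["perms"])
        g["objects"].add(f.get("path") or f.get("name", "?"))
        g["count"] += 1
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {sorted(g['perms'])} x{g['count']} on {sorted(g['objects'])}")
```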
