I am trying to use dovecot with postfix to provide smtp-auth. The
instructions provided by postfix http://www.postfix.org/SASL_README.html
work perfectly in Fedora Core 6.
Using the exact same procedure in Fedora 7 results in some conflicts
between dovecot_auth_t and postfix_private_t. Since using Dovecot for
SASL smtp-auth is the preferred way according to Postfix, I suspect
there must be something I am missing or maybe there is an oversight in
the policies.
Using sealert -l on the denial for dovecot results in:
Summary
    SELinux is preventing /usr/libexec/dovecot/dovecot-auth (dovecot_auth_t)
    "write" to auth (postfix_private_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/dovecot/dovecot-auth. It is
    not expected that this access is required by /usr/libexec/dovecot/dovecot-auth
    and this access may signal an intrusion attempt. It is also possible
    that the specific version or configuration of the application is causing it
    to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials. You could try to
    restore the default system file context for auth, restorecon -v auth If this
    does not work, there is currently no automatic way to allow this access.
    Instead, you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information

Source Context                system_u:system_r:dovecot_auth_t
Target Context                root:object_r:postfix_private_t
Target Objects                auth [ sock_file ]
Affected RPM Packages         dovecot-1.0.5-15.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-48.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     gei.internal.grifent.com
Platform                      Linux gei.internal.grifent.com 2.6.23.1-10.fc7 #1
                              SMP Fri Oct 19 15:39:08 EDT 2007 i686 i686
Alert Count                   2
First Seen                    Wed Oct 31 03:39:55 2007
Last Seen                     Wed Oct 31 11:55:12 2007
Local ID                      8b0a6068-b654-4151-b82e-c149d3b9d57b
Line Numbers

Raw Audit Messages

avc: denied { write } for comm="dovecot-auth" dev=dm-0 egid=0 euid=0 exe="/usr/libexec/dovecot/dovecot-auth" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="auth" pid=2545 scontext=system_u:system_r:dovecot_auth_t:s0 sgid=0 subj=system_u:system_r:dovecot_auth_t:s0 suid=0 tclass=sock_file tcontext=root:object_r:postfix_private_t:s0 tty=(none) uid=0

Dovecot writes a socket to /var/spool/postfix/private/auth with
permissions of 660. This is done when dovecot starts and on FC6, the
file is transitioned to be owned by postfix with a group of postfix. The
transition of owner/group does not happen on Fedora 7.
The auth socket is necessary to do smtp-auth.
Did I miss something in the configuration on Fedora 7?
Regards,
John
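
Added example (not part of the original post): a short Python parser for the raw audit message quoted above, showing how the source type, target type, object class and permission are read out of an AVC denial and what type-enforcement rule a local policy module for it would contain. The function names are this example's own; the record is the one from the post, rejoined onto one line.

```python
import re

# Raw audit message from the post, rejoined onto a single line.
AVC = ('avc: denied { write } for comm="dovecot-auth" dev=dm-0 egid=0 euid=0 '
       'exe="/usr/libexec/dovecot/dovecot-auth" exit=-13 fsgid=0 fsuid=0 '
       'gid=0 items=0 name="auth" pid=2545 '
       'scontext=system_u:system_r:dovecot_auth_t:s0 sgid=0 '
       'subj=system_u:system_r:dovecot_auth_t:s0 suid=0 tclass=sock_file '
       'tcontext=root:object_r:postfix_private_t:s0 tty=(none) uid=0')


def parse_avc(record):
    """Split an AVC denial into its permission list and key=value fields."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)', record)
    if not m:
        raise ValueError("not an AVC denial record")
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))
    fields = {key: value.strip('"') for key, value in pairs}
    fields["perms"] = m.group(1).split()
    return fields


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: " + context)
    return parts[2]


def te_rule(fields):
    """Render the denial as a candidate allow rule, for review only."""
    perms = fields["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow {} {}:{} {};".format(
        context_type(fields["scontext"]),
        context_type(fields["tcontext"]),
        fields["tclass"],
        perm_str,
    )


if __name__ == "__main__":
    denial = parse_avc(AVC)
    print("object:", denial["name"], "class:", denial["tclass"])
    print(te_rule(denial))
```

The rule it prints is exactly the access the denial blocked, so it is what has to be weighed before any local module is loaded: dovecot_auth_t writing to a sock_file labelled postfix_private_t.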