-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John Griffiths wrote:
> I am trying to use dovecot with postfix to provide smtp-auth. The
> instructions provided by postfix http://www.postfix.org/SASL_README.html
> work perfectly in Fedora Core 6.
>
> Using the exact same procedure in Fedora 7 results in some conflicts
> between dovecot_auth_t and postfix_private_t. Since using Dovecot for
> SASL smtp-auth is the preferred way according to Postfix, I suspect
> there must be something I am missing or maybe there is an oversight in
> the policies.
>
> Using sealert -l on the denial for dovecot results in:
>
> Summary
>     SELinux is preventing /usr/libexec/dovecot/dovecot-auth (dovecot_auth_t)
>     "write" to auth (postfix_private_t).
>
> Detailed Description
>     SELinux denied access requested by /usr/libexec/dovecot/dovecot-auth. It is
>     not expected that this access is required by
>     /usr/libexec/dovecot/dovecot-auth and this access may signal an intrusion
>     attempt. It is also possible that the specific version or configuration of
>     the application is causing it to require additional access.
>
> Allowing Access
>     Sometimes labeling problems can cause SELinux denials. You could try to
>     restore the default system file context for auth, restorecon -v auth If this
>     does not work, there is currently no automatic way to allow this access.
>     Instead, you can generate a local policy module to allow this access - see
>     http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
>     SELinux protection altogether. Disabling SELinux protection is not
>     recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
>     against this package.
>
> Additional Information
>
> Source Context                system_u:system_r:dovecot_auth_t
> Target Context                root:object_r:postfix_private_t
> Target Objects                auth [ sock_file ]
> Affected RPM Packages         dovecot-1.0.5-15.fc7 [application]
> Policy RPM                    selinux-policy-2.6.4-48.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     gei.internal.grifent.com
> Platform                      Linux gei.internal.grifent.com 2.6.23.1-10.fc7 #1
>                               SMP Fri Oct 19 15:39:08 EDT 2007 i686 i686
> Alert Count                   2
> First Seen                    Wed Oct 31 03:39:55 2007
> Last Seen                     Wed Oct 31 11:55:12 2007
> Local ID                      8b0a6068-b654-4151-b82e-c149d3b9d57b
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { write } for comm="dovecot-auth" dev=dm-0 egid=0 euid=0
> exe="/usr/libexec/dovecot/dovecot-auth" exit=-13 fsgid=0 fsuid=0
> gid=0 items=0
> name="auth" pid=2545 scontext=system_u:system_r:dovecot_auth_t:s0 sgid=0
> subj=system_u:system_r:dovecot_auth_t:s0 suid=0 tclass=sock_file
> tcontext=root:object_r:postfix_private_t:s0 tty=(none) uid=0
>
> Dovecot writes a socket to /var/spool/postfix/private/auth with
> permissions of 660. This is done when dovecot starts and on FC6, the
> file is transitioned to be owned by postfix with a group of postfix. The
> transition of owner/group does not happen on Fedora 7.
>
> The auth socket is necessary to do smtp-auth.
>
> Did I miss something in the configuration on Fedora 7?
>
> Regards,
> John
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Should be fixed in selinux-policy-2.6.4-57.fc7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHOhqcrlYvE4MpobMRAp7rAJoDiFjYZt2usUQic+pTuqyWJq0qrwCfc29Z
pNpS5Lco7hbv4uKffJhUjIQ=
=MhZ2
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
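
The raw audit message quoted in this thread, reduced to the type-enforcement rule that a local policy module for this denial would carry. This is an added example, not part of the original messages; the sample line is the AVC record from the post re-joined onto one line, and the function names are hypothetical.

```python
import re

# AVC record quoted in the thread, re-joined onto one line (constructed input).
SAMPLE = ('avc: denied { write } for comm="dovecot-auth" dev=dm-0 egid=0 euid=0 '
          'exe="/usr/libexec/dovecot/dovecot-auth" exit=-13 fsgid=0 fsuid=0 gid=0 '
          'items=0 name="auth" pid=2545 scontext=system_u:system_r:dovecot_auth_t:s0 '
          'sgid=0 subj=system_u:system_r:dovecot_auth_t:s0 suid=0 tclass=sock_file '
          'tcontext=root:object_r:postfix_private_t:s0 tty=(none) uid=0')

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields plus denied permissions, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    fields['perms'] = m.group(1).split()
    return fields


def context_type(context):
    """The type is the third field of user:role:type[:level]."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('not an SELinux context: %r' % context)
    return parts[2]


def allow_rule(avc):
    """Build the TE allow rule that covers exactly this denial."""
    perms = avc['perms']
    perm_s = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (context_type(avc['scontext']),
                                   context_type(avc['tcontext']),
                                   avc['tclass'], perm_s)


if __name__ == '__main__':
    # Source domain, target type, object class and permission from the denial.
    print(allow_rule(parse_avc(SAMPLE)))
```

On a live system audit2allow performs this derivation from the audit log; the reply in this thread points to the updated policy package rather than a local module.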