Re: SMTP-AUTH

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John Griffiths wrote:
> I am trying to use dovecot with postfix to provide smtp-auth. The
> instructions provided by postfix http://www.postfix.org/SASL_README.html
> works perfectly in Fedora Core 6.
> 
> Using the exact same procedure in Fedora 7 results in some conflicts
> between dovecot_auth_t and postfix_private_t. Since using Dovecot for
> SASL smtp-auth is the preferred way according to Postfix, I suspect
> there must be something I am missing or maybe there is an oversight in
> the policies.
> 
> Using sealert -l on the denial for dovecot results in:
> 
>    Summary
>        SELinux is preventing /usr/libexec/dovecot/dovecot-auth
>    (dovecot_auth_t)
>        "write" to auth (postfix_private_t).
> 
>    Detailed Description
>        SELinux denied access requested by
>    /usr/libexec/dovecot/dovecot-auth. It is
>        not expected that this access is required by
>    /usr/libexec/dovecot/dovecot-
>        auth and this access may signal an intrusion attempt. It is also
>    possible
>        that the specific version or configuration of the application is
>    causing it
>        to require additional access.
> 
>    Allowing Access
>        Sometimes labeling problems can cause SELinux denials.  You
>    could try to
>        restore the default system file context for auth, restorecon -v
>    auth If this
> 
>        does not work, there is currently no automatic way to allow this
>    access.
>        Instead,  you can generate a local policy module to allow this
>    access - see
>        http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you
>    can disable
>        SELinux protection altogether. Disabling SELinux protection is not
>        recommended. Please file a
>    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
> 
>        against this package.
> 
>    Additional Information
> 
>    Source Context                system_u:system_r:dovecot_auth_t
>    Target Context                root:object_r:postfix_private_t
>    Target Objects                auth [ sock_file ]
>    Affected RPM Packages         dovecot-1.0.5-15.fc7 [application]
>    Policy RPM                    selinux-policy-2.6.4-48.fc7
>    Selinux Enabled               True
>    Policy Type                   targeted
>    MLS Enabled                   True
>    Enforcing Mode                Enforcing
>    Plugin Name                   plugins.catchall_file
>    Host Name                     gei.internal.grifent.com
>    Platform                      Linux gei.internal.grifent.com
>    2.6.23.1-10.fc7 #1
>                                  SMP Fri Oct 19 15:39:08 EDT 2007 i686 i686
>    Alert Count                   2
>    First Seen                    Wed Oct 31 03:39:55 2007
>    Last Seen                     Wed Oct 31 11:55:12 2007
>    Local ID                      8b0a6068-b654-4151-b82e-c149d3b9d57b
>    Line Numbers
> 
>    Raw Audit Messages
> 
>    avc: denied { write } for comm="dovecot-auth" dev=dm-0 egid=0 euid=0
>    exe="/usr/libexec/dovecot/dovecot-auth" exit=-13 fsgid=0 fsuid=0
>    gid=0 items=0
>    name="auth" pid=2545 scontext=system_u:system_r:dovecot_auth_t:s0 sgid=0
>    subj=system_u:system_r:dovecot_auth_t:s0 suid=0 tclass=sock_file
>    tcontext=root:object_r:postfix_private_t:s0 tty=(none) uid=0
> 
> Dovecot writes a socket to /var/spool/postfix/private/auth with
> permissions of 660. This is done when dovecot starts and on FC6, the
> files is transitioned to be owned by postfix with a group of postfix.The
> transition of owner/group does not happen of Fedora 7.
> 
> The auth socket is necessary to do smtp-auth.
> 
> Did I miss something in the configuration on Fedora 7?
> 
> Regards,
> John
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Should be fixed in selinux-policy-2.6.4-57.fc7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHOhqcrlYvE4MpobMRAp7rAJoDiFjYZt2usUQic+pTuqyWJq0qrwCfc29Z
pNpS5Lco7hbv4uKffJhUjIQ=
=MhZ2
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux