Re: LMTP, Postfix, Dovecot AVC denial

Dominick Grift <domg472@xxxxxxxxx> · Sun, 28 Aug 2011 11:15:46 +0200

Could be a bug in Fedora SELinux policy (any). To fix:

mkdir ~/mypostfix; cd ~/mypostfix;
echo "policy_module(mypostfix, 1.0.0) optional_policy(\` gen_require(\`
type postfix_smtp_t; ') dovecot_stream_connect(postfix_smtp_t)')" >
mypostfix.te;

make -f /usr/share/selinux/devel/Makefile mypostfix.pp
sudo semodule -i mypostfix.pp

Please consider filing a bugzilla in the selinux-policy component.

On Sun, 2011-08-28 at 01:07 +0200, Jens Falsmar Oechsler wrote:
> On August 28, 2011 at 1:03 AM Jens Falsmar Oechsler <joe@xxxxxxxxxx> wrote:
> 
> > Hello
> >  
> > Getting errors below when using Postfix with LMTP deliver to Dovecot on same
> > machine. Should Dovecot configure LMTP in another path, context or how do I
> > resolve?   
> >  
> > type=AVC msg=audit(1314483455.100:17918): avc:  denied  { search } for 
> > pid=6665
> > comm="lmtp" name="dovecot" dev=vda1 ino=1051484
> > scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system
> > _u:object_r:dovecot_var_run_t:s0 tclass=dir
> > type=AVC msg=audit(1314483455.100:17918): avc:  denied  { write } for 
> > pid=6665
> > comm="lmtp" name="lmtp" dev=vda1 ino=1044670
> > scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:o
> > bject_r:dovecot_var_run_t:s0 tclass=sock_file
> > type=AVC msg=audit(1314483455.100:17918): avc:  denied  { connectto } for 
> > pid=6665 comm="lmtp" path="/var/run/dovecot/lmtp"
> > scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:s
> > ystem_r:dovecot_t:s0 tclass=unix_stream_socket
> > type=SYSCALL msg=audit(1314483455.100:17918): arch=c000003e syscall=42
> > success=yes exit=0 a0=e a1=7fff1e9e21d0 a2=6e a3=7fff1e9e1e70 items=0
> > ppid=1177
> > pid=6665 auid=4294967295 uid=89 gid=89
> >  euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295
> > comm="lmtp" exe="/usr/libexec/postfix/lmtp"
> > subj=system_u:system_r:postfix_smtp_t:s0 key=(null)
> >  
> > Thanks in advance 
> > --
> > selinux mailing list
> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>  
> Should mention it is Fedora 14 
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Attachment:
signature.asc

Description: This is a digitally signed message part
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux