On Mon, Dec 29, 2014 at 2:25 AM, Miroslav Grepl <mgrepl@xxxxxxxxxx> wrote:
What AVC do you get with the default setup?
On 12/23/2014 09:44 PM, Stephen Ingram wrote:
I'm using Fedora 20 and CentOS 7 and have tried several places to place keytab files for Postfix. Each time I'm getting a denied message:
type=AVC msg=audit(1419366895.530:491753): avc: denied { search } for pid=28412 comm="lmtp" name="postfix" dev="xvda1" ino=1223493 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_data_t:s0 tclass=dir
type=SYSCALL msg=audit(1419366895.530:491753): arch=c000003e syscall=4 success=no exit=-13 a0=7f347b8377f0 a1=7fffa6f23670 a2=7fffa6f23670 a3=7fffa6f23540 items=0 ppid=28406 pid=28412 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="lmtp" exe="/usr/libexec/postfix/lmtp" subj=system_u:system_r:postfix_smtp_t:s0 key=(null)
I see on the postfix_selinux man page that there is a postfix_keytab_t type, however, even if I use this, postfix is not able to read the credential file. Has anyone gotten this to work?
Steve
We will need to add additional rules.
Sorry for the delay, I somehow misplaced your reply.
I'm not sure what you mean by default setup. There really is no default setup that I know for Postfix using a Kerberos ticket. Considering the dearth of postings of Kerberos installs on the Postfix list, I don't think there are many people using it.
As I had to get something going, I just placed it in /run/user/postfix for now. It's the only place I could find that I could get the postfix_smtp_exec_t context I needed. I had previously stored this value in /tmp, however, that was not a selinux system and probably not the most secure place for them anyhow. I would think the best place for it would be somewhere in /var/spool/postfix hierarchy as that is the home directory for postfix.
Steve
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
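The denial quoted in the thread, read field by field: this is an added example, not part of the original messages, that pairs the AVC record with its SYSCALL record by audit serial and reports which domain was denied which permission on which target type. The sample input is the two records from the post, one per line; the function names are hypothetical.

```python
import re
import shlex

# The two audit records quoted in the thread (same event serial 491753),
# copied from the post and split one record per line.
SAMPLE = '''\
type=AVC msg=audit(1419366895.530:491753): avc: denied { search } for pid=28412 comm="lmtp" name="postfix" dev="xvda1" ino=1223493 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_data_t:s0 tclass=dir
type=SYSCALL msg=audit(1419366895.530:491753): arch=c000003e syscall=4 success=no exit=-13 a0=7f347b8377f0 a1=7fffa6f23670 a2=7fffa6f23670 a3=7fffa6f23540 items=0 ppid=28406 pid=28412 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="lmtp" exe="/usr/libexec/postfix/lmtp" subj=system_u:system_r:postfix_smtp_t:s0 key=(null)
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$')

def kv(text):
    """Split 'k=v k="v v"' audit fields into a dict, dropping the quotes."""
    return dict(tok.split('=', 1) for tok in shlex.split(text) if '=' in tok)

def parse_events(log):
    """Group records by audit serial so each AVC gets its SYSCALL context."""
    events = {}
    for line in log.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        ev = events.setdefault(serial, {})
        if rtype == 'AVC':
            p = PERMS.match(body)
            if p:
                ev.update(kv(p.group(3)), result=p.group(1), perms=p.group(2).split())
        elif rtype == 'SYSCALL':
            f = kv(body)  # exit=-13 is -EACCES: the kernel refused the call
            ev.update(exe=f.get('exe'), exit=int(f['exit']), success=f.get('success'))
    return events

def summarize(ev):
    """One line: binary, source domain, permission, class, target type."""
    src = ev['scontext'].split(':')[2]  # type field of user:role:type:level
    tgt = ev['tcontext'].split(':')[2]
    return (f"{ev['exe']} ({src}) {ev['result']} {','.join(ev['perms'])} "
            f"on {ev['tclass']} \"{ev['name']}\" labeled {tgt}")

if __name__ == '__main__':
    for serial, ev in parse_events(SAMPLE).items():
        print(serial, summarize(ev))
```

The summary shows that the denied operation is a directory search on a `postfix_data_t` directory by the `postfix_smtp_t` domain, so the label on the keytab file itself is never reached in this event.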