hi,
when trying to relay e-mail using SASL authentication on an IPA CentOS domain I get this in audit.log:
type=AVC msg=audit(1395749719.107:875): avc: denied { unlink } for pid=4229 comm="smtpd" name="smtp_89" dev=dm-0 ino=265669 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1395749719.109:876): avc: denied { getattr } for pid=4229 comm="smtpd" path="/var/tmp/smtp_89" dev=dm-0 ino=265669 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1395749719.109:877): avc: denied { unlink } for pid=4229 comm="smtpd" name="smtp_89" dev=dm-0 ino=265669 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1395749719.110:878): avc: denied { getattr } for pid=4229 comm="smtpd" path="/var/tmp/smtp_89" dev=dm-0 ino=265669 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
The local user postfix is indeed id 89. In /var/tmp/smtp_89 I have the Kerberos ticket that the relay server is using (smtp/testsmtprelay.sub.domain.tld@SUB.DOMAIN.TLD)
$ sudo ls -Z /var/tmp/
-rw-------. root    root    system_u:object_r:krb5_host_rcache_t:s0 host_0
-rw-------. postfix postfix unconfined_u:object_r:user_tmp_t:s0     smtp_89
If I set SELinux to permissive mode, I can relay using SASL, otherwise it gets blocked.
Any clues on how to fix this to keep SELinux enabled?
TIA,
--
Regards,
natxo
chcon -t postfix_smtpd_tmp_t /var/tmp/smtp*
Should fix the problem.
On 03/25/2014 08:29 AM, Natxo Asenjo wrote:
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
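Added example, not part of the original thread: a small Python parser that splits run-together AVC records like the ones quoted above and groups the denied permissions by source type, target type and object class, which makes the mislabeled target (user_tmp_t) obvious. The sample input is constructed from two of the denials in the post; the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: two of the denials from the post, run together on one
# line the way the list archive shows them.
SAMPLE = (
    'type=AVC msg=audit(1395749719.107:875): avc: denied { unlink } for pid=4229 '
    'comm="smtpd" name="smtp_89" dev=dm-0 ino=265669 '
    'scontext=unconfined_u:system_r:postfix_smtpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file '
    'type=AVC msg=audit(1395749719.109:876): avc: denied { getattr } for pid=4229 '
    'comm="smtpd" path="/var/tmp/smtp_89" dev=dm-0 ino=265669 '
    'scontext=unconfined_u:system_r:postfix_smtpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file'
)

# One record runs from its "type=AVC msg=audit(" header to the next header or end of input.
RECORD = re.compile(r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
                    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*?)'
                    r'(?=\s*type=AVC msg=audit\(|\Z)', re.S)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Yield one dict per AVC denial, even when records share a line."""
    for m in RECORD.finditer(text):
        rec = {k: v.strip('"') for k, v in FIELD.findall(m.group('rest'))}
        rec['perms'] = m.group('perms').split()
        rec['serial'] = int(m.group('serial'))
        yield rec

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(':')[2]

def summarize(text):
    """Group denied permissions by (source type, target type, class)."""
    groups = defaultdict(lambda: {'perms': set(), 'objects': set()})
    for rec in parse_avc(text):
        key = (selinux_type(rec['scontext']), selinux_type(rec['tcontext']), rec['tclass'])
        groups[key]['perms'].update(rec['perms'])
        groups[key]['objects'].add(rec.get('path') or rec.get('name'))
    return dict(groups)

if __name__ == '__main__':
    for (src, tgt, cls), info in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} denied {sorted(info['perms'])} on {sorted(info['objects'])}")
```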