Hi guys.
I have a seemingly healthy, working postfix yet logs are
full of denials, one specific denial, so I wonder if that is
perhaps some misconfiguration on my part, although again,
all seems to work.
Any/all thoughts are much appreciated. Thanks.
In short, that would be needed (at least):
#============= postfix_postdrop_t ==============
allow postfix_postdrop_t cluster_t:fifo_file { getattr write };
Long/full log:
SELinux is preventing /usr/sbin/postdrop from write access on the fifo_file fifo_file.

***** Plugin leaks (86.2 confidence) suggests *****************************

If you want to ignore postdrop trying to write access the fifo_file fifo_file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# ausearch -x /usr/sbin/postdrop --raw | audit2allow -D -M my-postdrop
# semodule -X 300 -i my-postdrop.pp

***** Plugin catchall (14.7 confidence) suggests **************************

If you believe that postdrop should be allowed write access on the fifo_file fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'postdrop' --raw | audit2allow -M my-postdrop
# semodule -X 300 -i my-postdrop.pp

Additional Information:
Source Context                system_u:system_r:postfix_postdrop_t:s0
Target Context                system_u:system_r:cluster_t:s0
Target Objects                fifo_file [ fifo_file ]
Source                        postdrop
Source Path                   /usr/sbin/postdrop
Port                          <Unknown>
Host                          dzien.mine.priv
Source RPM Packages           postfix-3.5.25-1.el9.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.1.58-1.el9.noarch
Local Policy RPM              selinux-policy-targeted-38.1.58-1.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dzien.mine.priv
Platform                      Linux dzien.mine.priv 5.14.0-590.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Fri May 30 21:16:05 UTC 2025 x86_64 x86_64
Alert Count                   80290
First Seen                    2024-02-06 14:18:17 CET
Last Seen                     2025-06-17 18:04:13 CEST
Local ID                      55748187-757f-4b1f-964f-28838a6a4e89

Raw Audit Messages
type=AVC msg=audit(1750176253.213:848448): avc: denied { write } for pid=831496 comm="postdrop" path="pipe:[65326834]" dev="pipefs" ino=65326834 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=fifo_file permissive=0

type=SYSCALL msg=audit(1750176253.213:848448): arch=x86_64 syscall=execve success=yes exit=0 a0=55f6a1e404c0 a1=55f6a1e404f0 a2=55f6a1e40f00 a3=55f6a1e40600 items=0 ppid=831493 pid=831496 auid=4294967295 uid=189 gid=189 euid=189 suid=189 fsuid=189 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295 comm=postdrop exe=/usr/sbin/postdrop subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)

Hash: postdrop,postfix_postdrop_t,cluster_t,fifo_file,write
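
Added example, not part of the original post and not code from sealert or audit2allow: a Python script that pairs each AVC record with its SYSCALL record by audit event ID and groups the denials per source type, target type and class. Treating a denial logged during execve on a pipefs object as an inherited descriptor, and rendering dontaudit for it, is this example's assumption, following the "leaks" plugin suggestion in the report; the names summarize and rule are hypothetical.

```python
import re
from collections import defaultdict

# Raw audit records from the post, rejoined onto one line each.
SAMPLE = """\
type=AVC msg=audit(1750176253.213:848448): avc: denied { write } for pid=831496 comm="postdrop" path="pipe:[65326834]" dev="pipefs" ino=65326834 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=fifo_file permissive=0
type=SYSCALL msg=audit(1750176253.213:848448): arch=x86_64 syscall=execve success=yes exit=0 a0=55f6a1e404c0 a1=55f6a1e404f0 a2=55f6a1e40f00 a3=55f6a1e40600 items=0 ppid=831493 pid=831496 auid=4294967295 uid=189 gid=189 euid=189 suid=189 fsuid=189 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295 comm=postdrop exe=/usr/sbin/postdrop subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)
"""

EVENT = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
AVC = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")

def summarize(raw):
    """Group AVC denials by (source type, target type, class) and flag inherited pipes."""
    syscalls, denials = {}, []
    for line in raw.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        rtype, event_id = m.groups()
        if rtype == "SYSCALL":
            s = re.search(r"syscall=(\S+)", line)
            syscalls[event_id] = s.group(1) if s else None
        elif rtype == "AVC":
            a = AVC.search(line)
            if a:
                denials.append((event_id, a, 'dev="pipefs"' in line))
    out = defaultdict(lambda: {"perms": set(), "inherited_pipe": True})
    for event_id, a, on_pipefs in denials:
        perms, scon, tcon, tclass = a.groups()
        key = (scon.split(":")[2], tcon.split(":")[2], tclass)
        out[key]["perms"].update(perms.split())
        # Assumption: a denial raised during execve on an anonymous pipe means the
        # descriptor was already open before postdrop was executed (inherited).
        out[key]["inherited_pipe"] &= on_pipefs and syscalls.get(event_id) == "execve"
    return dict(out)

def rule(key, info):
    """Render dontaudit when every denial was an inherited pipe, else allow for review."""
    verb = "dontaudit" if info["inherited_pipe"] else "allow"
    perms = " ".join(sorted(info["perms"]))
    return f"{verb} {key[0]} {key[1]}:{key[2]} {{ {perms} }};"

if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(rule(key, info))
```

A dontaudit rule only silences the log entry; the access itself stays denied, whereas an allow rule grants it.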