On 12/2/11 8:23 PM, Philip Prindeville wrote:
> On 12/2/11 2:19 PM, Wietse Venema wrote:
>> Philip Prindeville:
>>> Would it make sense to add a parameter of additional gid's that
>>> you want smtpd to retain?
>>
>> Perhaps you can use a class "inet" socket on 127.0.0.1. That
>> will have less impact on the Postfix security architecture.
>> With 64k ports, you won't run out of them quickly.
>>
>>      Wietse
> 
> Yes, but I'd have to run a customized SElinux policy which I'm trying to 
> avoid.
> 
> I'm just wondering why the socket can't be opened before the set_ugid() drops 
> the additional groups.
> 
> That would make life a lot simpler.
> 
> -Philip

Hmmmmm...  Something else is going on here.  Changed the permissions 
temporarily to leave the socket wide open, but it still fails:

# ls -ld /var /var/spool /var/spool/MIMEDefang/ /var/spool//MIMEDefang/mimedefang.sock
drwxr-xr-x. 21 root   root   4096 Nov 16 07:35 /var
drwxr-xr-x. 15 root   root   4096 Nov 30 17:31 /var/spool
drwxrwxrwx.  3 defang defang 4096 Nov 18 18:48 /var/spool/MIMEDefang/
srwxrwxrwx.  1 defang defang    0 Nov 18 18:48 /var/spool//MIMEDefang/mimedefang.sock
#

Dec  2 20:32:54 localhost postfix/smtpd[9440]: warning: connect to Milter service unix:/var/spool/MIMEDefang/mimedefang.sock: Permission denied
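As an added example, not part of this thread or of Postfix or MIMEDefang: a Python script that separates the discretionary checks connect(2) applies along a Milter socket path (search on each directory from / down, write on the socket, evaluated for a given uid and supplementary gids) from a real connect() made by the current process, so that a "Permission denied" that survives after every mode bit has been opened points at the mandatory layer (SELinux) rather than at file permissions. The uid, gids and socket path are assumptions supplied by the caller; the connect probe runs as whoever runs the script, not as the given uid.

```python
import errno
import os
import socket
import stat

def dac_allows(st, uid, gids, need):
    # Owner/group/other bit check; `need` is 1 (x, search) or 2 (w, write).
    if uid == 0:
        return True  # root bypasses DAC, but a MAC policy (SELinux) can still deny
    if st.st_uid == uid:
        bits = (st.st_mode & stat.S_IRWXU) >> 6
    elif st.st_gid in gids:
        bits = (st.st_mode & stat.S_IRWXG) >> 3
    else:
        bits = st.st_mode & stat.S_IRWXO
    return bits & need == need

def dac_path_check(sock_path, uid, gids):
    # connect(2) needs search (x) on every directory from / down, then write (w) on the socket.
    # Returns the first component DAC would refuse for uid/gids, or None if DAC is satisfied.
    abs_path = os.path.abspath(sock_path)
    cur = os.sep
    for comp in [""] + abs_path.split(os.sep)[1:-1]:
        cur = os.path.join(cur, comp)
        if not dac_allows(os.stat(cur), uid, gids, 1):
            return cur
    st = os.stat(abs_path)
    if not stat.S_ISSOCK(st.st_mode) or not dac_allows(st, uid, gids, 2):
        return abs_path
    return None

def probe_connect(sock_path):
    # Real connect() as the *current* process; returns errno, 0 on success.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        try:
            s.connect(sock_path)
            return 0
        except OSError as e:
            return e.errno

def diagnose(sock_path, uid, gids):
    """Return (denying_component, connect_errno, verdict) for the socket path."""
    denied = dac_path_check(sock_path, uid, gids)
    err = probe_connect(sock_path)
    if denied:
        return denied, err, "DAC refuses at " + denied
    if err == errno.EACCES:
        return denied, err, "DAC passes yet EACCES: a MAC policy (SELinux) is denying"
    return denied, err, "ok" if err == 0 else "connect failed: " + os.strerror(err)
```

Run it as the user that smtpd drops to, with that user's uid and gids, against the socket path from the log line; a verdict of "DAC passes yet EACCES" means the mode bits are not the problem and the SELinux audit log is the next place to look.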