Re: Using postfix w/ mimedefang's Unix socket

2011-12-03 Thread Wietse Venema
Philip Prindeville:
> Dec  2 20:32:54 localhost postfix/smtpd[9440]: warning: connect
> to Milter service unix:/var/spool/MIMEDefang/mimedefang.sock:
> Permission denied

Does the error go away if you turn off SELinux?

Wietse


Re: Using postfix w/ mimedefang's Unix socket

2011-12-03 Thread Wietse Venema
Philip Prindeville:
> I'm just wondering why the socket can't be opened before the
> set_ugid() drops the additional groups.

smtpd(8) does not use set_ugid(), and it does not drop auxiliary groups.

Wietse


Re: Using postfix w/ mimedefang's Unix socket

2011-12-03 Thread Philip Prindeville
On 12/3/11 7:15 AM, Wietse Venema wrote:
> Philip Prindeville:
> > Dec  2 20:32:54 localhost postfix/smtpd[9440]: warning: connect
> > to Milter service unix:/var/spool/MIMEDefang/mimedefang.sock:
> > Permission denied
>
> Does the error go away if you turn off SELinux?
>
>   Wietse

Could have sworn this SELinux issue was fixed a couple of years ago... it
either regressed or the patch never made it downstream from Fedora to CentOS.

It goes away if I patch MIMEDefang to fchmod() the UNIX socket to 0660, put
the postfix user in the defang group, and add the following policy:

module postfix 1.0;

require {
type postfix_smtpd_t;
type spamd_var_run_t;
class dir search;
}

#= postfix_smtpd_t ==
allow postfix_smtpd_t spamd_var_run_t:dir search;

Bugs (with fixes) have been filed against both issues.

-Philip
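To make the two DAC conditions behind that "Permission denied" concrete (search permission on every directory above the socket, and write permission on the socket node itself, which is what a Unix-socket connect() checks), here is an added Python example that is not part of this thread or of MIMEDefang: it creates a group-accessible socket and then reports which path component would deny a given uid and group list. The SELinux "dir search" denial from the policy above is a separate layer that this check does not model; the function and variable names, and the staged temp directory, are assumptions of the example. The helper sets the node's mode with chmod() on the bound path, since on Linux fchmod() on the socket fd does not change the mode of the path.

```python
import os
import socket
import tempfile

def create_group_socket(path, mode=0o660):
    """Bind a Unix socket and set its node to `mode` with chmod() on the
    path; on Linux fchmod() on the fd leaves the bound path unchanged."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old = os.umask(0o177)  # node is never briefly group/world-accessible
    try:
        sock.bind(path)
    finally:
        os.umask(old)
    os.chmod(path, mode)
    return sock

def _permits(st, uid, gids, bit):
    """Unix DAC: exactly one of owner/group/other applies; root bypasses."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return uid == 0 or bool(st.st_mode & (bit << shift))

def explain_dac_denial(sock_path, uid, gids, start="/"):
    """First component DAC denies to (uid, gids), or None if connect() passes:
    directories from `start` down need search (x), the socket node needs
    write (w).  SELinux (the thread's 'dir search' AVC) is not modelled."""
    sock_path, start = os.path.abspath(sock_path), os.path.abspath(start)
    dirs, d = [], os.path.dirname(sock_path)
    while d != start and d != os.path.dirname(d):
        dirs.append(d)
        d = os.path.dirname(d)
    for d in reversed(dirs + [d]):
        if not _permits(os.stat(d), uid, gids, 1):
            return d
    return None if _permits(os.stat(sock_path), uid, gids, 2) else sock_path

def demo():
    """Stage the thread's setup in a temp dir and return the check results."""
    me, workdir = os.getuid(), tempfile.mkdtemp()  # mkdtemp makes it 0700: a private spool
    path = os.path.join(workdir, "mimedefang.sock")
    sock, stranger = create_group_socket(path), os.getuid() + 1  # constructed foreign uid
    gid = os.stat(path).st_gid                     # stands in for the 'defang' group
    try:
        r = {"owner": explain_dac_denial(path, me, [gid], workdir),
             "stranger_private_dir": explain_dac_denial(path, stranger, [], workdir)}
        os.chmod(workdir, 0o755)                   # spool dir now searchable by all
        r["stranger_open_dir"] = explain_dac_denial(path, stranger, [], workdir)
        r["stranger_in_group"] = explain_dac_denial(path, stranger, [gid], workdir)
    finally:
        sock.close(); os.unlink(path); os.rmdir(workdir)
    return r
```

demo() walks the same sequence as the thread: the foreign uid is first stopped at the private directory, then (once the directory is searchable) at the 0660 socket node, and passes only once it carries the socket's group.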


Re: Using postfix w/ mimedefang's Unix socket

2011-12-02 Thread Philip Prindeville
On 12/2/11 2:19 PM, Wietse Venema wrote:
> Philip Prindeville:
> > Would it make sense to add a parameter of additional gid's that
> > you want smtpd to retain?
>
> Perhaps you can use a class inet socket on 127.0.0.1. That
> will have less impact on the Postfix security architecture.
> With 64k ports, you won't run out of them quickly.
>
>   Wietse

Yes, but I'd have to run a customized SELinux policy, which I'm trying to avoid.

I'm just wondering why the socket can't be opened before the set_ugid() drops 
the additional groups.

That would make life a lot simpler.

-Philip