On Tue, Dec 06, 2016 at 11:29:21AM +0000, Robert Sharp wrote:
> I am running ddclient on my router together with a relaying postfix
> server. Unfortunately I have configured ddclient to send emails when it
> has problems and I have had quite a few problems with AVCs as a result.
> I have figured most of them out now but there is one that I am stuck
> on.
>
> It appears that sendmail (postfix variant) calls postdrop to actually
> deliver the emails, and using the
> postfix_domtrans_user_mail_handler(ddclient_t)
> interface fixes most of the AVCs except two, and this is where I am
> stuck. Here is the ausearch output:
>
[...]
> type=AVC msg=audit(1481006916.953:34919): avc: denied { read write }
> for pid=24965 comm="postdrop" path="socket:[2916040]" dev="sockfs"
> ino=2916040 scontext=system_u:system_r:postfix_postdrop_t
> tcontext=system_u:system_r:ddclient_t tclass=unix_stream_socket
> permissive=1
> ----
> time->Tue Dec 6 06:48:36 2016
> type=AVC msg=audit(1481006916.965:34920): avc: denied { getattr }
> for pid=24965 comm="postdrop" path="socket:[2916040]" dev="sockfs"
> ino=2916040 scontext=system_u:system_r:postfix_postdrop_t
> tcontext=system_u:system_r:ddclient_t tclass=unix_stream_socket
> permissive=1
>
> The command "postdrop -r" reads a message from stdin and writes a
> response to stdout. I am guessing these socket permissions are to do
> with piping stdout back to sendmail (running in ddclient_t), but I
> would have expected a fifo_file on a pipe rather than a socket? I can
> always check this with the postfix forum if needed.

It's been a while since I did some Postfix work, which might be necessary to
debug this properly. The socket is owned by ddclient, is it possible that
"postdrop -r" input and/or output is redirected to a ddclient socket? From a
quick Google ddclient is shown as a Perl client, so some code scanning might
help to find out what the socket is about.

If so, then you might need to grant access (but might want to grant it only
to sock_file).

Wkr,
Sven Vermeulen
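As an added example, not part of the thread, here is a small Python parser run over the two AVC records quoted above (rejoined onto one line each, as ausearch prints them). It merges the denials per source type, target type and object class into one candidate allow rule, audit2allow style, and checks whether the target is an anonymous socket (path `socket:[inode]`, labelled with the creating process's domain, here ddclient_t) rather than a named sock_file on the filesystem, which is the distinction Sven's remark about sock_file turns on. The regular expressions and function names are my own; the rule it prints is a candidate to review, not something to load as-is.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records from the mail, one per line.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1481006916.953:34919): avc: denied { read write } '
    'for pid=24965 comm="postdrop" path="socket:[2916040]" dev="sockfs" '
    'ino=2916040 scontext=system_u:system_r:postfix_postdrop_t '
    'tcontext=system_u:system_r:ddclient_t tclass=unix_stream_socket permissive=1',
    'type=AVC msg=audit(1481006916.965:34920): avc: denied { getattr } '
    'for pid=24965 comm="postdrop" path="socket:[2916040]" dev="sockfs" '
    'ino=2916040 scontext=system_u:system_r:postfix_postdrop_t '
    'tcontext=system_u:system_r:ddclient_t tclass=unix_stream_socket permissive=1',
]

# Permissions in braces, then the security contexts and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms, path), or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    src = m.group('scontext').split(':')[2]   # user:role:type[:level] -> type
    tgt = m.group('tcontext').split(':')[2]
    path_m = re.search(r'path="([^"]*)"', line)
    path = path_m.group(1) if path_m else None
    return src, tgt, m.group('tclass'), set(m.group('perms').split()), path

def anonymous_fd(path):
    """True when the object is an anonymous socket or pipe (socket:[ino], pipe:[ino]),
    i.e. a descriptor inherited or passed from another process, not a file on disk."""
    return path is not None and re.fullmatch(r'(socket|pipe):\[\d+\]', path) is not None

def allow_rules(lines):
    """Merge denials with the same (source, target, class) into one allow rule each."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, tclass, perms, _ = parsed
            merged[(src, tgt, tclass)] |= perms
    return [f'allow {s} {t}:{c} {{ {" ".join(sorted(p))} }};'
            for (s, t, c), p in sorted(merged.items())]

if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
    print('anonymous socket:', anonymous_fd(parse_avc(SAMPLE_AVCS[0])[4]))
```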