On Tuesday, December 23, 2014 12:44:19 PM Stephen Ingram wrote:
I'm using Fedora 20 and CentOS 7 and have tried several places to place
keytab files for Postfix. Each time I'm getting a denied message:
type=AVC msg=audit(1419366895.530:491753): avc: denied { search } for pid=28412 comm="lmtp" name="postfix" dev="xvda1" ino=1223493 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_data_t:s0 tclass=dir
type=SYSCALL msg=audit(1419366895.530:491753): arch=c000003e syscall=4 success=no exit=-13 a0=7f347b8377f0 a1=7fffa6f23670 a2=7fffa6f23670 a3=7fffa6f23540 items=0 ppid=28406 pid=28412 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="lmtp" exe="/usr/libexec/postfix/lmtp" subj=system_u:system_r:postfix_smtp_t:s0 key=(null)
I see on the postfix_selinux man page that there is a postfix_keytab_t type,
however, even if I use this, postfix is not able to read the credential
file. Has anyone gotten this to work?
Steve
Steve, I've used the following on my Postfix server (now using Fedora 21) for
a number of years without issue.
$ ls -lZ /etc/postfix/*keytab
-rw-r-----. root postfix system_u:object_r:postfix_etc_t:s0 /etc/postfix/smtp.keytab
And in /etc/postfix/main.cf
...
# Import environment for Kerberos v5 GSSAPI
import_environment =
    MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
    KRB5_KTNAME=/etc/postfix/smtp.keytab
--
Anthony -
https://messinet.com/ -
https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
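
An added example, not part of either message: a small Python parser for the AVC record format quoted in the question, reporting which source type was denied which permission on which target type. It also handles a SYSCALL record run onto the same line, as in the quoted log; the function names are chosen here for illustration.

```python
import re
from collections import Counter

# Record copied from the question above, with the SYSCALL record fused on as quoted.
SAMPLE_AVC = (
    'type=AVC msg=audit(1419366895.530:491753): avc: denied { search } for '
    'pid=28412 comm="lmtp" name="postfix" dev="xvda1" ino=1223493 '
    'scontext=system_u:system_r:postfix_smtp_t:s0 '
    'tcontext=system_u:object_r:postfix_data_t:s0 tclass=dir '
    'type=SYSCALL msg=audit(1419366895.530:491753): arch=c000003e syscall=4 '
    'success=no exit=-13'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line holds no AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Drop any following record (e.g. SYSCALL) that was joined onto this line.
    body = m.group(3).split(" type=", 1)[0]
    rec = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    rec["result"] = m.group(1)
    rec["perms"] = m.group(2).split()
    # A context is user:role:type:level; policy rules match on the type field.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":")
        rec[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def summarize(lines):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            for perm in rec["perms"]:
                key = (rec["scontext_type"], rec["tcontext_type"],
                       rec.get("tclass"), perm)
                counts[key] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, cls, perm), n in summarize([SAMPLE_AVC]).items():
        print(f"{n}x {src} denied {perm} on {cls} labelled {tgt}")
```
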