On Tue, Dec 06, 2016 at 11:29:21AM +0000, Robert Sharp wrote:
>    I am running ddclient on my router together with a relaying postfix
>    server. Unfortunately I have configured ddclient to send emails when it
>    has problems and I have had quite a few problems with AVCs as a result.
>    I have figured most of them out now but there is one that I am stuck
>    on.
> 
>    It appears that sendmail (postfix variant) calls postdrop to actually
>    deliver the emails, and using the
>    postfix_domtrans_user_mail_handler(ddclient_t)
>    interface fixes most of the AVCs except two, and this is where I am
>    stuck. Here is the ausearch output:
> 
[...]
>    type=AVC msg=audit(1481006916.953:34919): avc:  denied  { read write }
>    for  pid=24965 comm="postdrop" path="socket:[2916040]" dev="sockfs"
>    ino=2916040 scontext=system_u:system_r:postfix_postdrop_t
>    tcontext=system_u:system_r:ddclient_t tclass=unix_stream_socket
>    permissive=1
>    ----
>    time->Tue Dec  6 06:48:36 2016
>    type=AVC msg=audit(1481006916.965:34920): avc:  denied  { getattr }
>    for  pid=24965 comm="postdrop" path="socket:[2916040]" dev="sockfs"
>    ino=2916040 scontext=system_u:system_r:postfix_postdrop_t
>    tcontext=system_u:system_r:ddclient_t tclass=unix_stream_socket
>    permissive=1
> 
>    The command "postdrop -r" reads a message from stdin and writes a
>    response to stdout. I am guessing these socket permissions are to do
>    with piping stdout back to sendmail (running in ddclient_t), but I
>    would have expected a fifo_file on a pipe rather than a socket? I can
>    always check this with the postfix forum if needed.

It's been a while since I did some Postfix work, which might be necessary to
debug this properly. The socket is owned by ddclient; is it possible that
"postdrop -r" input and/or output is redirected to a ddclient socket? From a
quick Google, ddclient is shown as a Perl client, so some code scanning might
help to find out what the socket is about.

If so, then you might need to grant access (but might want to grant it only
to sock_file).

Wkr,
        Sven Vermeulen
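As an added illustration of the analysis in this thread (example code, not part of either message), the following Python does by hand the part of the audit2allow workflow that matters here: it parses the two quoted AVC records, groups the denied permissions by source type, target type and object class, renders the minimal type enforcement rule, and classifies what kind of object was denied. The sample records are the ones quoted above, re-joined onto one line each as ausearch prints them; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in the thread, each re-joined
# onto a single line (the mailing-list copy wrapped them).
SAMPLE_AVCS = """\
type=AVC msg=audit(1481006916.953:34919): avc:  denied  { read write } for  pid=24965 comm="postdrop" path="socket:[2916040]" dev="sockfs" ino=2916040 scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:ddclient_t tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1481006916.965:34920): avc:  denied  { getattr } for  pid=24965 comm="postdrop" path="socket:[2916040]" dev="sockfs" ino=2916040 scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:ddclient_t tclass=unix_stream_socket permissive=1
"""

# The decision part of an AVC record: result, permission set, and the three
# fields a policy rule is built from.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)
# Generic key=value fields (pid, comm, path, ...); values may be double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["result"] = m.group("result")
    rec["perms"] = set(m.group("perms").split())
    # A context is user:role:type[:level]; policy rules are written on the type.
    rec["stype"] = m.group("scontext").split(":")[2]
    rec["ttype"] = m.group("tcontext").split(":")[2]
    rec["tclass"] = m.group("tclass")
    return rec


def summarize(lines):
    """Group denials by (source type, target type, class), unioning permissions."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            groups[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return groups


def allow_rules(groups):
    """Render each group as the allow rule audit2allow would propose."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def object_kind(rec):
    """Classify the denied object so the rule is written against the right class.

    A socket node on the filesystem is class sock_file and carries a file type.
    A live socket (class *_socket) carries the domain type of the process that
    created it, so a process-domain tcontext on a *_socket class means the
    descriptor was inherited from, or connected to, a process in that domain.
    """
    if rec["tclass"] == "sock_file":
        return "filesystem socket node (a sock_file rule or fcontext applies)"
    if rec["tclass"].endswith("_socket"):
        return (f"live {rec['tclass']} labelled {rec['ttype']}: created by a "
                f"{rec['ttype']} process and reached through a descriptor")
    return f"object of class {rec['tclass']}"


def analyze(text):
    """Full pass over an ausearch-style dump: rules plus one object note per group."""
    lines = text.splitlines()
    groups = summarize(lines)
    notes = {}
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            notes[(rec["stype"], rec["ttype"], rec["tclass"])] = object_kind(rec)
    return allow_rules(groups), notes


if __name__ == "__main__":
    rules, notes = analyze(SAMPLE_AVCS)
    for rule in rules:
        print(rule)
    for key, note in notes.items():
        print(f"# {key}: {note}")
```

The object class in the record is what decides the rule: here it is unix_stream_socket with a process domain as the target type, which is how a descriptor inherited across the postdrop transition presents; had postdrop been talking over a pipe, the same grouping would have produced a fifo_file rule, and a sock_file rule would not cover either case. Grouping by type rather than by pid also keeps the output stable as postdrop is respawned for each message.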
