On Mon, Mar 29, 2021 at 04:06:51PM -0400, Viktor Dukhovni wrote:
> > On Mar 29, 2021, at 3:45 PM, Tomas Habarta <lists+post...@tocc.cz> wrote:
> >
> > 6663]: recvmsg(128, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\0",
> > iov_len=1}], msg_iovlen=1, msg_controllen=0, msg_flags=MSG_CTRUNC}, 0) = 1
> > [7141]: recvmsg(128, {msg_name=NULL, msg_namelen=0,
> > msg_iov=[{iov_base="\0", iov_len=1}], msg_iovlen=1,
> > msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET, cmsg_type=SCM_RIGHTS,
> > cmsg_data=[15]}], msg_controllen=24, msg_flags=0}, 0) = 1
>
> This is the crucial difference: the control message with the forwarded
> file descriptor is missing. The SELinux system is reporting MSG_CTRUNC
> and a control length of 0. The fine manpage says:
>
>     MSG_CTRUNC
>         indicates that some control data was discarded due to lack of
>         space in the buffer for ancillary data.
>
> But the issue is NOT lack of space, SELinux almost certainly censored
> the descriptor passing. See section 5.3.4 of:
>
> https://www.nsa.gov/Portals/70/documents/resources/everyone/digital-media-center/publications/research-papers/implementing-selinux-as-linux-security-module-report.pdf
>
> Or https://bugzilla.redhat.com/show_bug.cgi?id=1326502
>
> --
> Viktor.
>
I see, that makes sense, thanks for the explanation and references, definitely something to read through. Hopefully I will find a systematic approach to a solution there... Think it's time to explore what the policy status is in Fedora as it ships with Postfix > 3.4 (CentOS 8 is currently at 3.3.1).

Tomas
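As an added example, not code from the thread or from Postfix, here is a minimal SCM_RIGHTS sender and receiver in C. The receiver supplies a control buffer sized for exactly one descriptor, so a recvmsg() that comes back with MSG_CTRUNC and msg_controllen reset to 0, as in the SELinux strace quoted above, cannot be explained by the receiver's own buffer being too small; the kernel accepted the payload byte but did not install the descriptor. The enum names and the demo() self-check are this example's own.

```c
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Added example, not code from the thread or from Postfix: SCM_RIGHTS passing
 * with a receiver that tells a refused descriptor apart from an absent one. */
enum fd_result { FD_OK = 0, FD_REFUSED = 1, FD_NO_CMSG = 2, FD_ERR = -1 };
union cbuf { char bytes[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; };

int send_fd(int sock, int fd)
{
    char byte = 0; union cbuf cb;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = &cb, .msg_controllen = sizeof cb };
    memset(&cb, 0, sizeof cb);
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive the byte and, if delivered, the descriptor into *fd_out. The buffer fits one
 * int, so MSG_CTRUNC is not our lack of space: the kernel declined to install the fd. */
enum fd_result recv_fd(int sock, int *fd_out)
{
    char byte; union cbuf cb;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = &cb, .msg_controllen = sizeof cb };
    if (recvmsg(sock, &msg, 0) != 1) return FD_ERR;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c && c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS
        && c->cmsg_len == CMSG_LEN(sizeof(int))) {
        memcpy(fd_out, CMSG_DATA(c), sizeof(int));
        return FD_OK;
    }
    return (msg.msg_flags & MSG_CTRUNC) ? FD_REFUSED : FD_NO_CMSG;
}

/* Self-check: pass a pipe's read end over a socketpair and read through the received
 * copy. Returns 0 on success, the number of the failing step otherwise. */
int demo(void)
{
    int sv[2], pfd[2], got = -1; char ch = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) || pipe(pfd)) return 1;
    if (write(pfd[1], "x", 1) != 1 || send_fd(sv[0], pfd[0])) return 2;
    if (recv_fd(sv[1], &got) != FD_OK) return 3;
    if (read(got, &ch, 1) != 1 || ch != 'x') return 4;
    close(got); close(pfd[0]); close(pfd[1]); close(sv[0]); close(sv[1]);
    return 0;
}
```

Run under strace on the confined system, the recv_fd() call is where FD_REFUSED would be returned, and the matching denial should appear in the audit log for the receiving process's domain.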