I noticed a new avc deny on my server:

  avc: denied { node_bind } for pid=7620 comm="smtp" saddr=<local_ipv6> ipaddr=<some_ipv4> scontext=staff_u:system_r:postfix_smtp_t tcontext=system_u:object_r:node_t tclass=tcp_socket

(the staff_u probably comes from the fact that I restarted the service, right?)

In the postfix logs, I can see the following warning when a mail goes out directly to some IPv6-enabled SMTP server:

  postfix/smtpd[7616]: connect from <known_authorized_host>
  postfix/smtpd[7616]: Anonymous TLS connection established from <known_authorized_host>: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
  postfix/smtpd[7616]: <QueueID>: client=<known_authorized_host>
  postfix/cleanup[7619]: <QueueID>: message-id=.....
  postfix/qmgr[25069]: <QueueID>: from=<...>, size=..., nrcpt=.. (queue active)
  postfix/smtpd[7616]: disconnect from <known_authorized_host>
  postfix/smtp[7620]: warning: smtp_connect_addr: bind <local_ipv6>: Permission denied
  postfix/smtp[7620]: <QueueID>: to=<....>, relay=...[distant_ipv6]:25, delay=.., delays=..., dsn=2.0.0, status=sent (...)
  [...]
  postfix/qmgr[25069]: <QueueID>: removed

Looking at the src/smtp/smtp_connect.c in the postfix sources, I read:

  [...]
  /*
   * Allow the sysadmin to specify the source address, for example, as "-o
   * smtp_bind_address=x.x.x.x" in the master.cf file.
   */
  [... I do not specify it ...]
  /*
   * When running as a virtual host, bind to the virtual interface so that
   * the mail appears to come from the "right" machine address.
   *
   * XXX The IPv6 patch expands the null host (as client endpoint) and uses
   * the result as the loopback address list.
   */
  else {
  [...code containing a bind and a msg_warn corresponding to my warning...]

After adding the following rule, I saw no more warning in (avc|mail).log:

  ''allow postfix_smtp_t node_t:tcp_socket node_bind;''
Great bug report! I've added in a corenet_tcp_bind_generic_node(postfix_smtp_t) in the policies. Will be in r12 as well.
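As an added example (not code from the bug report or from the policy repository), a small Python helper that turns an AVC denial like the one reported above into both forms of the fix: the raw allow rule the reporter added by hand, and the refpolicy interface call used in the actual commit. The INTERFACES table is an assumption that covers only this bug's (class, permission, target type) triple.

```python
import re

# Constructed AVC line, shaped like the denial in the report above (addresses are placeholders).
SAMPLE_AVC = ('avc: denied { node_bind } for pid=7620 comm="smtp" '
              'saddr=2001:db8::25 ipaddr=192.0.2.10 '
              'scontext=staff_u:system_r:postfix_smtp_t '
              'tcontext=system_u:object_r:node_t tclass=tcp_socket')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

# (tclass, permission, target type) -> refpolicy interface that grants it.
# Assumption: only the triple from this bug is listed; extend from corenetwork.if as needed.
INTERFACES = {('tcp_socket', 'node_bind', 'node_t'): 'corenet_tcp_bind_generic_node'}

def context_type(ctx):
    """Type field of a user:role:type[:mls] context (an MLS level, if present, is ignored)."""
    fields = ctx.split(':')
    if len(fields) < 3:
        raise ValueError(f'malformed context: {ctx}')
    return fields[2]

def parse_avc(line):
    """Permissions, source/target types and class from one denial; None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {'perms': sorted(m['perms'].split()), 'stype': context_type(m['scon']),
            'ttype': context_type(m['tcon']), 'tclass': m['tclass']}

def allow_rule(d):
    """Raw policy rule for the denial, i.e. what the reporter added by hand."""
    p = d['perms']
    perms = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
    return f"allow {d['stype']} {d['ttype']}:{d['tclass']} {perms};"

def interface_call(d):
    """Equivalent refpolicy interface call(s), or None if any permission lacks a known wrapper."""
    calls = []
    for perm in d['perms']:
        iface = INTERFACES.get((d['tclass'], perm, d['ttype']))
        if iface is None:
            return None  # no wrapper known; fall back to allow_rule()
        calls.append(f"{iface}({d['stype']})")
    return '\n'.join(calls)
```

Prefer the interface form when it exists: it keeps the fix inside the policy module rather than as a local allow rule that the next policy update does not know about.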
rev 12 in main tree, ~arch'ed
stabilized