Bug 453990 - mail-mta/postfix-2.9.4 with sec-policy/selinux-postfix-2.20120725-r11: warning: smtp_connect_addr bind Permission denied
Summary: mail-mta/postfix-2.9.4 with sec-policy/selinux-postfix-2.20120725-r11: warnin...
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy r12
Depends on:
Reported: 2013-01-25 13:18 UTC by Vincent Brillault
Modified: 2013-03-29 10:55 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Vincent Brillault 2013-01-25 13:18:47 UTC
I noticed a new avc deny on my server:
avc:  denied  { node_bind } for  pid=7620 comm="smtp" saddr=<local_ipv6> ipaddr=<some_ipv4> scontext=staff_u:system_r:postfix_smtp_t tcontext=system_u:object_r:node_t tclass=tcp_socket

(the staff_u probably comes from the fact that I restarted the service, right?)

In the postfix logs, I can see the following warning when a mail goes out directly to some IPv6-enabled SMTP server:
postfix/smtpd[7616]: connect from <known_authorized_host>
postfix/smtpd[7616]: Anonymous TLS connection established from <known_authorized_host>: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
postfix/smtpd[7616]: <QueueID>: client=<known_authorized_host>
postfix/cleanup[7619]: <QueueID>:  message-id=.....
postfix/qmgr[25069]: <QueueID>: from=<...>, size=..., nrcpt=.. (queue active)
postfix/smtpd[7616]: disconnect from <known_authorized_host>
postfix/smtp[7620]: warning: smtp_connect_addr: bind <local_ipv6>: Permission denied
postfix/smtp[7620]: <QueueID>: to=<....>, relay=...[distant_ipv6]:25, delay=.., delays=..., dsn=2.0.0, status=sent (...)
postfix/qmgr[25069]: <QueueID>: removed

Looking at the src/smtp/smtp_connect.c in the postfix sources, I read:
     * Allow the sysadmin to specify the source address, for example, as "-o
     * smtp_bind_address=x.x.x.x" in the file.
[... I do not specify it ...]
     * When running as a virtual host, bind to the virtual interface so that
     * the mail appears to come from the "right" machine address.
     * XXX The IPv6 patch expands the null host (as client endpoint) and uses
     * the result as the loopback address list.
    else {
[...code containing a bind and a msg_warn corresponding to my warning...]

After adding the following rule, I saw no more warning in (avc|mail).log:
''allow postfix_smtp_t node_t:tcp_socket node_bind;''
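The step the reporter did by hand (reading the AVC denial and turning it into a type-enforcement rule) can be automated. The following is an added example, not code from the bug or from Gentoo's policy: it parses a denial line like the one above, emits the raw `allow` rule, and prefers the refpolicy interface named in comment 1 when one covers the denied permission. The `INTERFACES` table holds only that one mapping, and the sample line is a constructed copy of the reporter's denial with its placeholders kept.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the denial quoted in the report (placeholders kept as-is).
SAMPLE_AVC = (
    'avc:  denied  { node_bind } for  pid=7620 comm="smtp" saddr=<local_ipv6> '
    'ipaddr=<some_ipv4> scontext=staff_u:system_r:postfix_smtp_t '
    'tcontext=system_u:object_r:node_t tclass=tcp_socket'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Reference-policy interface that wraps the raw allow rule; only the one named in
# comment 1 of this bug is listed here (assumption: extend from corenetwork.if as needed).
INTERFACES = {('node_t', 'tcp_socket', 'node_bind'): 'corenet_tcp_bind_generic_node'}


@dataclass
class AvcDenial:
    perms: List[str]
    fields: Dict[str, str]

    def type_of(self, key: str) -> str:
        # A security context is user:role:type[:level]; TE rules need only the type.
        return self.fields[key].split(':')[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one AVC line; returns None for lines that are not denials (e.g. mail.log)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return AvcDenial(perms=m.group('perms').split(), fields=fields)


def allow_rule(avc: AvcDenial) -> str:
    """Raw TE rule equivalent to what the reporter added by hand."""
    perms = avc.perms[0] if len(avc.perms) == 1 else '{ ' + ' '.join(avc.perms) + ' }'
    return f"allow {avc.type_of('scontext')} {avc.type_of('tcontext')}:{avc.fields['tclass']} {perms};"


def suggest(avc: AvcDenial) -> str:
    """Use the refpolicy interface when a single one covers every denied permission."""
    src, tgt, cls = avc.type_of('scontext'), avc.type_of('tcontext'), avc.fields['tclass']
    ifaces = {INTERFACES.get((tgt, cls, p)) for p in avc.perms}
    if len(ifaces) == 1 and None not in ifaces:
        return f"{ifaces.pop()}({src})"
    return allow_rule(avc)
```

Run `suggest(parse_avc(line))` over audit.log lines that match `avc:  denied` to get a first draft of the policy change; a generated `allow` is still a decision to review, since the same denial may also indicate a misconfiguration rather than a missing rule.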
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2013-01-27 13:39:12 UTC
Great bug report! I've added in a corenet_tcp_bind_generic_node(postfix_smtp_t) in the policies. Will be in r12 as well.
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2013-03-09 12:43:02 UTC
rev 12 in main tree, ~arch'ed
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2013-03-29 10:55:32 UTC