Re: SELinux and postfix

From: Victor Duchovni (no email)
Date: Tue Apr 08 2008 - 13:38:05 EDT

Next message: (no email): "Problem with spammers"

Previous message: Sandy Drobic: "Re: isp authentication problem continued"
Maybe in reply to: Anne Wilson: "SELinux and postfix"
Next in thread: Anne Wilson: "Re: SELinux and postfix"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On Tue, Apr 08, 2008 at 01:23:18PM -0400, Victor Duchovni wrote:

> It would be rather ironic if (as I suspect) the security policy
> is tripping on file close() operations, with master(8) carefully
> relinquishing access to random open files it is invoked with.
>
> Perhaps processes running under KDE have an extra file descriptor
> inherited from the desktop environment.
>
> The postfix(1) program does not close "high" descriptors, it just sanitizes
> stdin/stdout/stderr, so master(8) may briefly see additional descriptors
> from the parent execution environment.

To test this hypothesis, try the following in a desktop terminal window
(presumably you were starting Postfix from such a window) running /bin/sh
or /bin/bash, .. not a CSH derivative.

# (sleep 2 & lsof -p $! ; wait) 2>/dev/null

I get:

  COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
  sleep 20258 root cwd DIR 8,1 4096 192593 /root
  sleep 20258 root rtd DIR 8,1 4096 2 /
  sleep 20258 root txt REG 8,1 12508 224533 /bin/sleep
  sleep 20258 root mem REG 8,1 106912 112445 /lib/ld-2.3.2.so
  sleep 20258 root mem REG 8,1 97712 272691 /lib/tls/libpthread-0.60.so
  sleep 20258 root mem REG 8,1 1571692 272692 /lib/tls/libc-2.3.2.so
  sleep 20258 root mem REG 8,1 47024 272694 /lib/tls/librtkaio-2.3.2.so
  sleep 20258 root mem REG 8,1 213484 272693 /lib/tls/libm-2.3.2.so
  sleep 20258 root 0u CHR 136,23 25 /dev/pts/23
  sleep 20258 root 1u CHR 136,23 25 /dev/pts/23
  sleep 20258 root 2u CHR 136,23 25 /dev/pts/23

So my "sleep" has just the 3 standard file descriptors. Likely yours has more.

-- 
	Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:?body=unsubscribe%20postfix-users>
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Next message: (no email): "Problem with spammers"

Previous message: Sandy Drobic: "Re: isp authentication problem continued"
Maybe in reply to: Anne Wilson: "SELinux and postfix"
Next in thread: Anne Wilson: "Re: SELinux and postfix"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Invaluement Anti-Spam DNSBLs