Selinux Postfix rpm problems


Selinux Postfix rpm problems

lists-3
I have installed a new CentOS 5.2 server, with CentOS's Postfix as the
default MTA.

I then built and installed a Postfix rpm using Simon Mudd's srpm as:
postfix-2.5.2-1.pcre.mysql.sasl2.rhel5.i386.rpm

but I get these SELinux issues, as per the log entries below.

What's the best way of setting this up?

# service postfix start
Starting postfix:                                          [  OK  ]
# service postfix status
master is stopped

# egrep '(warning|error|fatal|panic):' /var/log/maillog

Aug 14 10:07:36 centos postfix/master[1108]: fatal: open lock file /var/lib/postfix/master.lock: cannot create file exclusively: Permission denied

# tail /var/log/messages

Aug 14 10:07:39 centos setroubleshoot: SELinux is preventing find (postfix_master_t) "getattr" to /etc/postfix/examples (postfix_etc_t). For complete SELinux messages. run sealert -l 42823333-656b-4947-94a8-6359add5545a
Aug 14 10:07:39 centos setroubleshoot: SELinux is preventing find (postfix_master_t) "getattr" to /etc/postfix/html (postfix_etc_t). For complete SELinux messages. run sealert -l 546e2c29-d462-4cba-b7d5-533a2793227d
Aug 14 10:07:39 centos setroubleshoot: SELinux is preventing find (postfix_master_t) "getattr" to /etc/postfix/readme (postfix_etc_t). For complete SELinux messages. run sealert -l 131f678a-897d-410b-a008-83ce2eb5e454
... followed by more of the same ...


# sealert -l 42823333-656b-4947-94a8-6359add5545a

Summary:

SELinux is preventing find (postfix_master_t) "getattr" to /etc/postfix/examples (postfix_etc_t).

Detailed Description:

SELinux denied access requested by find. It is not expected that this
access is required by find and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of
the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to
restore the default system file context for /etc/postfix/examples,

restorecon -v '/etc/postfix/examples'

If this does not work, there is currently no automatic way to allow this
access. Instead, you can generate a local policy module to allow this
access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:postfix_master_t
Target Context                system_u:object_r:postfix_etc_t
Target Objects                /etc/postfix/examples [ lnk_file ]
Source                        find
Source Path                   /usr/bin/find
Port                          <Unknown>
Host                          centos.sbt.net.au
Source RPM Packages           findutils-4.2.27-4.1
Target RPM Packages           postfix-2.5.2-1.pcre.mysql.sasl2.rhel5
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     centos.sbt.net.au
Platform                      Linux centos.sbt.net.au 2.6.18-92.el5 #1 SMP Tue Jun 10 18:49:47 EDT 2008 i686 i686
Alert Count                   9
First Seen                    Wed Aug 13 00:07:23 2008
Last Seen                     Thu Aug 14 10:07:36 2008
Local ID                      42823333-656b-4947-94a8-6359add5545a
Line Numbers

Raw Audit Messages

host=centos.sbt.net.au type=AVC msg=audit(1218672456.745:45945): avc: denied  { getattr } for  pid=1092 comm="find" path="/etc/postfix/examples" dev=dm-0 ino=36700221 scontext=root:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=lnk_file

host=centos.sbt.net.au type=SYSCALL msg=audit(1218672456.745:45945): arch=40000003 syscall=196 success=no exit=-13 a0=8f29467 a1=bfbdb218 a2=6e0ff4 a3=bfbdb218 items=0 ppid=1081 pid=1092 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=8141 comm="find" exe="/usr/bin/find" subj=root:system_r:postfix_master_t:s0 key=(null)


# postconf -m
btree
cidr
environ
hash
ldap
mysql
nis
pcre
proxy
regexp
static
unix

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix-2.5.2-documentation/html
inet_interfaces = localhost
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.2-documentation/readme
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
unknown_local_recipient_reject_code = 550

--
Voytek


Re: Selinux Postfix rpm problems

Barney Desmond
2008/8/14 Voytek Eymont <[hidden email]>:
> I then built and installed a Postfix rpm using Simon Mudd's srpm as:
> postfix-2.5.2-1.pcre.mysql.sasl2.rhel5.i386.rpm

I know zero about this particular SRPM, but it's doing things
differently from what's expected (CentOS wouldn't ship with an SELinux
policy that doesn't work with the stock Postfix, of course).

> but, I get these Selinux issues as per log entries below:
>
> SELinux is preventing find (postfix_master_t) "getattr" to
> /etc/postfix/examples
> (postfix_etc_t).
>
> Source Context                root:system_r:postfix_master_t
> Target Context                system_u:object_r:postfix_etc_t
> Target Objects                /etc/postfix/examples [ lnk_file ]
> Source                        find
> Source Path                   /usr/bin/find
> Port                          <Unknown>
> Host                          centos.sbt.net.au
> Source RPM Packages           findutils-4.2.27-4.1
> Target RPM Packages           postfix-2.5.2-1.pcre.mysql.sasl2.rhel5
> Policy RPM                    selinux-policy-2.4.6-137.1.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file

The problem (well, one of them) with SELinux is that it's a pain to
troubleshoot unless you know exactly what the heck is going on. In
this case, postfix runs in the postfix_master_t context and is trying
to access files labelled with the postfix_etc_t type. And we still
don't know what's going on.

Thoughts:
* This might imply the files are mislabelled, in which case a
bug report against the package would be warranted. However, my stock
CentOS 5 postfix works fine and the files are all postfix_etc_t (and
`ps auxfZ` shows master runs in postfix_master_t)
* Why _is_ postfix running 'find' over the /etc/postfix/ directory..?
* There might be some SELinux booleans you can frob that will make
things work (using setsebool)

We've got a little documentation on dealing with SELinux that might help you:
http://anchor.com.au/hosting/dedicated/SELinux_management

The audit2allow-and-semodule dance was quite popular on the
shared-hosting server, until we eventually scrapped SELinux for being
too much of a pain in the arse. It's nice if you can use it, but the
investment required becomes too high once you start deviating from the
packaged defaults.

-Barney Desmond
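Added example, not code from the thread, from Simon Mudd's package or from the audit2allow tool: a small Python re-implementation of the grouping step that audit2allow performs on AVC records, so the rule a local policy module would install can be read before anyone builds it. It parses the `type=AVC` records, takes the type field out of each `scontext`/`tcontext`, and merges the denied permissions per (source type, target type, object class), which is exactly the tuple that becomes one `allow` rule. The audit lines it runs on are constructed for this example, modelled on the raw AVC record in Voytek's sealert output; the third record (a `read` on the same kind of symlink) is invented to show permissions being merged into one rule, and the SYSCALL record is there to show non-AVC lines being skipped.

```python
"""Summarise SELinux AVC denials into candidate allow rules.

Added example for the thread above; not the thread's code and not
audit2allow itself, only the grouping step that tool performs.
"""
import re
from collections import defaultdict

# Constructed sample input. The first and second AVC records follow the
# AVC line in the thread's sealert output; the third ('read' on a symlink)
# is invented to show permission merging; the SYSCALL record must be skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1218672456.745:45945): avc:  denied  { getattr } for  pid=1092 comm="find" path="/etc/postfix/examples" dev=dm-0 ino=36700221 scontext=root:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1218672456.745:45945): arch=40000003 syscall=196 success=no exit=-13 ppid=1081 pid=1092 comm="find" exe="/usr/bin/find" subj=root:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1218672456.746:45946): avc:  denied  { getattr } for  pid=1092 comm="find" path="/etc/postfix/html" dev=dm-0 ino=36700222 scontext=root:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=lnk_file
type=AVC msg=audit(1218672456.800:45950): avc:  denied  { read } for  pid=1092 comm="find" name="readme" dev=dm-0 ino=36700223 scontext=root:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=lnk_file
"""

# verdict, permission set, and the three fields that identify a TE rule
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'\bcomm="([^"]*)"')
TARGET_RE = re.compile(r'\b(?:path|name)="([^"]*)"')


def context_type(ctx):
    """Return the type component of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return parts[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    comm = COMM_RE.search(line)
    target = TARGET_RE.search(line)
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": comm.group(1) if comm else None,
        "target": target.group(1) if target else None,
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def summarise_denials(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(grouped)


def allow_rules(audit_text):
    """Render the grouped denials as type-enforcement allow rules."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarise_denials(audit_text).items()):
        rules.append("allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms))))
    return rules


def targets_by_command(audit_text):
    """Which program was denied on which objects: answer this before allowing anything."""
    seen = defaultdict(list)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            seen[rec["comm"]].append(rec["target"])
    return dict(seen)


if __name__ == "__main__":
    for comm, targets in targets_by_command(SAMPLE_AUDIT).items():
        print("%s denied on: %s" % (comm, ", ".join(targets)))
    print("\n".join(allow_rules(SAMPLE_AUDIT)))
```

On a live box the same grouping is what `audit2allow -M localpostfix < /var/log/audit/audit.log` followed by `semodule -i localpostfix.pp` installs; the value of reading it first is that the rule here grants postfix_master_t getattr on every symlink of type postfix_etc_t, which only makes sense once you know why find is running in the master's context at all (Barney's second question). Two checks before reaching for a module: `restorecon -nv -R /etc/postfix` (`-n` changes nothing, it only reports) shows whether the labels differ from the policy's file contexts, and `getsebool -a | grep postfix` lists the booleans. Note also that the fatal in maillog is about /var/lib/postfix/master.lock, and none of the AVC records quoted in the thread is for that path, so a module built from these denials alone would not account for "master is stopped"; `ls -dZ /var/lib/postfix` and `ausearch -m avc -ts recent` are where to look for that one.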