SELInux And POSTFIX
Installed Packages
Name : postfix
Arch : x86_64
Epoch : 2
Version : 2.6.6
Release : 6.el6_5
Size : 9.7 M
Repo : installed
I am seeing several of these in our maillog file after a restart of the Postfix service:
Apr 23 12:48:27 inet08 setroubleshoot: SELinux is preventing /usr/libexec/postfix/smtp from 'read, write' accesses on the file 546AA6099F. For complete SELinux messages. run sealert -l b95663bb-12ce-4f34-9537-dd88a41359e5
sealert -l b95663bb-12ce-4f34-9537-dd88a41359e5
SELinux is preventing /usr/libexec/postfix/smtp from 'read, write' accesses on the file 546AA6099F.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that SMTP should be allowed read write access on the 546AA6099F
file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing:
# grep SMTP /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
grep 546AA6099F /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1398199187.646:29332): avc: denied { getattr } for pid=23387 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1398199187.646:29333): avc: denied { read write } for pid=23387 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1398199927.800:29411): avc: denied { getattr } for pid=24131 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1398199927.805:29412): avc: denied { read write } for pid=24131 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1398201500.778:29495): avc: denied { getattr } for pid=25406 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1398201500.779:29496): avc: denied { read write } for pid=25406 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1398204425.415:29681): avc: denied { getattr } for pid=26964 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1398204425.419:29682): avc: denied { read write } for pid=26964 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1398208625.418:29910): avc: denied { getattr } for pid=29240 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1398208625.419:29911): avc: denied { read write } for pid=29240 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1398212826.339:30139): avc: denied { getattr } for pid=31325 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1398212826.343:30140): avc: denied { read write } for pid=31325 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1398217026.114:30368): avc: denied { getattr } for pid
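As an added example (not from this thread or from any of its posters), here is a small Python triage script for AVC records of the kind pasted above. It parses the records, joins the read/write denials, which carry only name=, to the getattr denial on the same object through the shared dev=/ino= pair so that every record gets a path, collapses the repeats into one line per source type, target type and object class (the granularity a TE rule is written at), and then separates a mislabelled queue file (a file under active/ carrying postfix_spool_maildrop_t, where restorecon is the fix and no new rule is needed) from a genuinely missing rule, which is the case the replies below address with a newer selinux-policy. The sample records and the EXPECTED_TYPE map are constructed assumptions for the example; on a real host take the expected type from `matchpathcon <path>` rather than from this map.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape of the audit.log lines in this thread.
# The PIDs, the inode number and the third (maildrop) record are made up for the example.
SAMPLE_AVC = [
    'type=AVC msg=audit(1398199187.646:29332): avc:  denied  { getattr }  for  pid=1001 comm="smtp" '
    'path="/var/spool/postfix/active/546AA6099F" dev=dm-0 ino=4242 '
    'scontext=unconfined_u:system_r:postfix_smtp_t:s0 '
    'tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file',
    'type=AVC msg=audit(1398199187.646:29333): avc:  denied  { read write }  for  pid=1001 comm="smtp" '
    'name="546AA6099F" dev=dm-0 ino=4242 '
    'scontext=unconfined_u:system_r:postfix_smtp_t:s0 '
    'tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file',
    'type=AVC msg=audit(1398199200.000:29340): avc:  denied  { read }  for  pid=1002 comm="smtp" '
    'path="/var/spool/postfix/maildrop/0000AAAA" dev=dm-0 ino=4343 '
    'scontext=unconfined_u:system_r:postfix_smtp_t:s0 '
    'tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file',
    # Not a denial: parse_avc() must ignore it.
    'type=SYSCALL msg=audit(1398199187.646:29333): arch=c000003e syscall=2 success=no exit=-13',
]

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')


def parse_avc(line):
    """Return one AVC denial as a dict of its key=value fields, or None for any other line."""
    if 'type=AVC' not in line or 'denied' not in line:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    m = PERMS.search(line)
    rec['perms'] = frozenset(m.group(1).split()) if m else frozenset()
    # A context is user:role:type[:level]; TE allow rules are written against the type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def attach_paths(records):
    """The read/write denials carry only name=, not path=, but the getattr denial on the
    same object carries path= and both share dev= and ino=; use that pair to fill the gap."""
    by_inode = {(r['dev'], r['ino']): r['path'] for r in records if 'path' in r}
    for r in records:
        if 'path' not in r:
            r['path'] = by_inode.get((r.get('dev'), r.get('ino')))
    return records


def summarize(records):
    """Collapse repeats into one entry per (source type, target type, class) holding the
    union of the denied permissions."""
    summary = defaultdict(set)
    for r in records:
        summary[(r['stype'], r['ttype'], r['tclass'])] |= r['perms']
    return {k: frozenset(v) for k, v in summary.items()}


# Assumed expected type per Postfix queue directory (an assumption for this example;
# on a real host ask the loaded policy with `matchpathcon <path>` instead).
EXPECTED_TYPE = {
    '/var/spool/postfix/active': 'postfix_spool_t',
    '/var/spool/postfix/maildrop': 'postfix_spool_maildrop_t',
}


def triage(rec, expected=EXPECTED_TYPE):
    """'relabel': the file does not carry the type its directory should have, so the fix
    is restorecon and no new rule is needed. 'policy': the label is right and the rule
    itself is missing, so the fix is an updated selinux-policy or a local module limited
    to exactly this tuple. 'unknown': no path could be recovered for the record."""
    path = rec.get('path')
    if not path:
        return ('unknown', None)
    want = expected.get(path.rsplit('/', 1)[0])
    if want and want != rec['ttype']:
        return ('relabel', 'restorecon -v ' + path)
    rule = 'allow %s %s:%s { %s };' % (
        rec['stype'], rec['ttype'], rec['tclass'], ' '.join(sorted(rec['perms'])))
    return ('policy', rule)


def triage_log(lines, expected=EXPECTED_TYPE):
    """Parse raw audit lines and return (summary, [verdict per denial])."""
    records = attach_paths([r for r in map(parse_avc, lines) if r])
    return summarize(records), [triage(r, expected) for r in records]


if __name__ == '__main__':
    summary, verdicts = triage_log(SAMPLE_AVC)
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        print('%s -> %s:%s { %s }' % (stype, ttype, tclass, ' '.join(sorted(perms))))
    for verdict, action in verdicts:
        print(verdict, action)
```

Run it over `grep AVC /var/log/audit/audit.log` instead of the constructed list to get the same two views on a live log. The summary is the thing to compare against what the sealert suggestion (`grep SMTP /var/log/audit/audit.log | audit2allow -M mypol`) would sweep into a module: that pipeline allows every tuple matching the grep, whereas the summary shows the one tuple actually involved, and the relabel verdict shows when a module is the wrong fix altogether.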
3 thoughts on - SELInux And POSTFIX
Looks like this is allowed in rhel6.5 policy. You could try
selinux-policy-3.7.19-235.el6
on people.redhat.com/dwalsh/SELinux/RHEL6
yum --enablerepo=localfile update selinux\*
Loaded plugins: downloadonly, fastestmirror, priorities
Loading mirror speeds from cached hostfile
* Webmin: download.webmin.com
* base: CentOS.mirror.rafal.ca
* epel: fedora.mirror.nexicom.net
* extras: mirror.netflash.net
* updates: mirror.csclub.uwaterloo.ca
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy.noarch 0:3.7.19-231.el6_5.1 will be updated
--> Processing Dependency: selinux-policy = 3.7.19-231.el6_5.1 for package: selinux-policy-targeted-3.7.19-231.el6_5.1.noarch
--> Processing Dependency: selinux-policy = 3.7.19-231.el6_5.1 for package: selinux-policy-targeted-3.7.19-231.el6_5.1.noarch
---> Package selinux-policy.noarch 0:3.7.19-235.el6 will be an update
--> Finished Dependency Resolution
Error: Package: selinux-policy-targeted-3.7.19-231.el6_5.1.noarch (@updates)
Requires: selinux-policy = 3.7.19-231.el6_5.1
Removing: selinux-policy-3.7.19-231.el6_5.1.noarch (@updates)
selinux-policy = 3.7.19-231.el6_5.1
Updated By: selinux-policy-3.7.19-235.el6.noarch (localfile)
selinux-policy = 3.7.19-235.el6
Available: selinux-policy-3.7.19-231.el6.noarch (base)
selinux-policy = 3.7.19-231.el6
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
I have these packages in /root/RPMS/repo/Packages:
total 3776
-rw-r--r--. 1 root root 69264 Apr 24 20:52 opendmarc-1.1.3-3.1.x86_64.rpm
-rw-r--r--. 1 root root 845052 Apr 23 16:41 selinux-policy-3.7.19-235.el6.noarch.rpm
-rw-r--r--. 1 root root 2946848 Apr 23 16:41 selinux-policy-targeted-3.7.19-235.el6.noarch.rpm
I have run 'createrepo --database --update /root/RPMS/repo'
What do I not understand respecting performing this update?
I only noted this issue following implementation of an spf policy daemon with Postfix. However, that change was the reason I was looking at the log files to begin with so the situation may have been present for a very long time before that.
Did you download all of the file? BTW You can set up this directory as a REPO.