SELInux Conflict With Postfixadmin

Home » CentOS » SELInux Conflict With Postfixadmin
CentOS 5 Comments

postfixadmin setup.php is claiming:

*Error: Smarty template compile directory templates_c is not writable.*
*Please make it writable.*
*If you are using SELinux or AppArmor, you might need to adjust their setup to allow write access.*

This goes away with ‘setenforce 0’, so it is an SELinux issue. I have tried both:

restorecon -Rv /usr/share/postfixadmin

and

chcon -R -t httpd_sys_content_t /usr/share/postfixadmin

and they are not the problem. Googling this message doe snot produce any SELinux advice.

Any ideas?

thanks

5 thoughts on - SELInux Conflict With Postfixadmin

  • Hi,

    after ‘setenforce 0’ check the /var/log/audit/audit.log:

    # grep /var/log/audit/audit.log | audit2why

    to see where the problem could be.

    //Zdenek

  • Don’t I need a search string in that grep command?

    Anyway the last three entries are:

    type=AVC msg=audit(1487695678.704:128): avc: denied { write } for pid 55 comm=”httpd” name=”templates_c” dev=”sda3″ inox6958
    scontext=system_u:system_r:httpd_t:s0
    tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1

    type=SYSCALL msg=audit(1487695678.704:128): arch@000028 syscall3
    per

  • Playing around a little with this, I added templates_c as the grep string and got:

    type=AVC msg=audit(1487695678.704:128): avc: denied { write } for pid 55 comm=”httpd” name=”templates_c” dev=”sda3″ inox6958
    scontext=system_u:system_r:httpd_t:s0
    tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1

    Was caused by:
    The boolean httpd_unified was set incorrectly.
    Description:
    Allow httpd to unified

    Allow access by executing:
    # setsebool -P httpd_unified 1

    So I tried that, and the error went away. Going to have to add audit2why in my notes.

    thanks

  • If you want to allow apache processes to write to the templates_c directory you need to label it httpd_sys_content_rw_t.

  • Thanks!

    I undid the httpd_unified with:

    setsebool -P httpd_unified 0

    Then did

    chcon -R -t httpd_sys_content_rw_t /usr/share/postfixadmin/templates_c

    And SELinux appears to be happy.