SELinux File Permissions



I’m trying to grant dovecot the ability to manage its socket within the postfix spool directory.

I have added the below to file_contexts.local :

/var/spool/postfix/private/dovecot-auth system_u:system_r:dovecot_t:s0

However, running “restorecon -v /var/spool/postfix/private/dovecot-auth” gives me the following error:

restorecon: lstat(/var/spool/postfix/private/dovecot-auth) failed: No such file or directory

I cannot create the socket file in advance, because dovecot manages it, and if you “touch” the file, dovecot complains.

Where am I going wrong?

Thanks!
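The restorecon failure above is expected: restorecon relabels files that already exist, whereas the file_contexts rules themselves are matched purely against the path string (which is what matchpathcon does). The following added example, written for this page and not part of the original thread or of any SELinux tool, reimplements that path matching in Python with a constructed sample of file_contexts entries (the patterns and types are made up to resemble policy entries, not copied from the CentOS policy) and shows how an appended local entry overrides the base rule.

```python
import re

# Constructed sample in file_contexts format: "<regex> [-type] <context>".
# These lines are made up for illustration, not taken from a real policy.
SAMPLE_FILE_CONTEXTS = """\
/.*                                 system_u:object_r:default_t:s0
/var/spool(/.*)?                    system_u:object_r:var_spool_t:s0
/var/spool/postfix(/.*)?            system_u:object_r:postfix_spool_t:s0
/var/spool/postfix/private(/.*)?    system_u:object_r:postfix_private_t:s0
/var/spool/postfix/pid  -d          system_u:object_r:postfix_var_run_t:s0
"""


def parse_file_contexts(text):
    """Parse file_contexts lines into (compiled regex, type flag, context)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:                 # optional "-d", "--", "-s" ... flag
            pattern, ftype, context = parts
        else:
            pattern, context = parts[0], parts[1]
            ftype = None
        # Policy regexes are POSIX extended; Python's re handles these forms.
        rules.append((re.compile(pattern), ftype, context))
    return rules


def match_context(rules, path, is_dir=False):
    """Classic matcher rule: the last entry whose regex matches the whole
    path wins. Simplification: "-d" requires a directory, any other flag a
    non-directory, and a missing flag matches both."""
    chosen = None
    for regex, ftype, context in rules:
        if ftype == "-d" and not is_dir:
            continue
        if ftype is not None and ftype != "-d" and is_dir:
            continue
        if regex.fullmatch(path):
            chosen = context
    return chosen


def label_for(path, local_text="", is_dir=False):
    """file_contexts.local is appended after the base file, so a matching
    local entry overrides the base entry; no file needs to exist."""
    rules = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    rules += parse_file_contexts(local_text)
    return match_context(rules, path, is_dir)


if __name__ == "__main__":
    sock = "/var/spool/postfix/private/dovecot-auth"
    print(label_for(sock))                     # base rule: postfix_private_t
    print(label_for(sock, sock + " system_u:object_r:dovecot_t:s0"))
```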


5 thoughts on - SELinux File Permissions

  • Thanks for the pointer, will take a look down that route.

    Could you confirm the below is expected behaviour on CentOS?

    # semanage fcontext -a -t my_postfixauth_private_t
    ValueError: Type my_postfixauth_private_t is invalid, must be a file or device type

  • This last update caused numerous services to stop working for me. I
    fixed them with a relabel.

    touch /.autorelabel
    reboot

    Try that and see… Mike

  • On 23.01.2017 at 23:44, Tim Smith wrote:

    Did you define my_postfixauth_private_t yourself? And if so, why?

    All my sockets inside /var/spool/postfix/private/ have the type postfix_private_t. I don’t see why you think a non-standard type would fit. And postfix_private_t gets automatically assigned and a custom fcontext should not be necessary.


  • I just gave up in the end and did what you’re (apparently) not supposed to do …..

    fgrep dovecot_t /var/log/audit/audit.log | audit2allow

    The output moaned about base types, but googling that just led me into the murky depths of even more confusing selinux wizardry. So I gave up trying to fix that too…. by that point I had wasted three days trying to get Dovecot working and wasn’t about to waste another three figuring how to get around the “base types” complaints.

    I love the concept of selinux but boy do I wish the developers wouldn’t have made it quite so obscure and complicated to work with!!