CentOS7 postfix install, selinux blocks cleanup

Question

I installed postfix successfully and when I start it as root/sudo with-

postfix start

...it runs unconfined and sends emails.

When I set it to automatically start at boot with-

systemctl enable postfix.service

...it starts up at boot time and runs fine but sending emails is blocked by selinux.

When sending an email, the log shows-

Jun  6 11:12:20 mainbox kernel: [ 1045.572306] type=1400 audit(1496761940.747:254): avc:  denied  { read write } for  pid=970 comm="cleanup" name="unix.cleanup" dev="xvda1" ino=131013 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
Jun  6 11:12:20 mainbox kernel: [ 1045.592045] type=1300 audit(1496761940.747:254): arch=c000003e syscall=2 success=no exit=-13 a0=7f3eae371020 a1=2 a2=0 a3=3 items=0 ppid=811 pid=970 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=system_u:system_r:postfix_cleanup_t:s0 key=(null)
Jun  6 11:12:20 mainbox kernel: type=1400 audit(1496761940.747:254): avc:  denied  { read write } for  pid=970 comm="cleanup" name="unix.cleanup" dev="xvda1" ino=131013 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
Jun  6 11:12:20 mainbox kernel: type=1300 audit(1496761940.747:254): arch=c000003e syscall=2 success=no exit=-13 a0=7f3eae371020 a1=2 a2=0 a3=3 items=0 ppid=811 pid=970 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cleanup" exe="/usr/libexec/postfix/cleanup" subj=system_u:system_r:postfix_cleanup_t:s0 key=(null)
Jun  6 11:12:20 mainbox postfix/cleanup[970]: fatal: open lock file pid/unix.cleanup: cannot open file: Permission denied
Jun  6 11:12:21 mainbox postfix/master[811]: warning: process /usr/libexec/postfix/cleanup pid 970 exit status 1
Jun  6 11:12:21 mainbox postfix/master[811]: warning: /usr/libexec/postfix/cleanup: bad command startup -- throttling

So I used a2a to try and fix it but I get a warning that the new rule is too permissive-

grep 'postfix_cleanup_t' /var/log/audit/audit.log | audit2allow -m postfix_cleanup > postfix_cleanup.te
cat postfix_cleanup.te

Produces-

module postfix_cleanup 1.0;

require {
    type var_run_t;
    type postfix_cleanup_t;
    class file { read write };
}

#============= postfix_cleanup_t ==============

#!!!! WARNING: 'var_run_t' is a base type.
allow postfix_cleanup_t var_run_t:file { read write };

...allowing postfix to run all over a base type is too permissive.

How to correctly fix this?

Fixed: relabeling the filesystem `(restorecon -RF /)` was all that was needed. Wish I'd thought of that sooner. ;) — hotkarl, Jun 06 '17 at 16:05

Aaron · Answer 1 · 2017-06-06T19:48:35.703

0

Specific files in postfix missing context

There are a few bugs around this. Is your selinux policy fully updated?

Files losing context

If files are losing context, that is likely due to the restorecond service not running and files being moved around.

edited Jun 06 '17 at 19:48

answered Jun 06 '17 at 15:58

Aaron

2,859
2
12
30

Thanks- yes, looked at that. But it did need to be relabeled. – hotkarl Jun 06 '17 at 16:06
To get into that state usually requires that `restorecond` is not running and something moved files around. – Aaron Jun 06 '17 at 17:35

CentOS7 postfix install, selinux blocks cleanup

1 Answers1