LinuxQuestions.org

Linux - Server: qmail on RHEL 6 [selinux enabled] (https://www.linuxquestions.org/questions/linux-server-73/qmail-on-rhel-6-%5Bselinux-enabled%5D-927883/)

fritz001 02-06-2012 06:46 AM

qmail on RHEL 6 [selinux enabled]
 
Hello everyone,

I am just trying to migrate a mail server from RHEL 5 to RHEL 6.

After I managed to install and test everything, it is OK... except for the fact that SELinux is disabled.

Now, when I enable SELinux, everything is fucked up: NOTHING is working.

My question is: has anyone made qmail work in SELinux enforcing mode on RHEL 6?

Or... do I have to damage my brain creating SELinux policies?

rgdacosta 02-06-2012 07:38 AM

What does the AVC say?

fritz001 02-06-2012 07:58 AM

Well, far too many errors:

vpopmail, dovecot, daemontools....

P.S. All my services are started by daemontools:

/service/{dovecot, qmail-send, qmail-smtpd, qmail-tls, qmail-ssl}
/usr/bin/_binary_ucspi_ssl
/usr/bin/_binary_ucspi_tcp

/command/_symlinks_to /usr/bin/.....

The strange thing is: on RHEL 5 I didn't have to create any SELinux rules, except for qmailadmin....

fritz001 02-06-2012 02:18 PM

So.... so far I've managed to create an SELinux policy for dovecot & vpopmail...

John VV 02-06-2012 03:21 PM

Have you run "audit2allow"
on the logs?
1) Set SELinux to permissive
2) Read and FIX the warnings
3) Set SELinux to enforcing

fritz001 02-06-2012 05:55 PM

Quote:

Originally Posted by John VV (Post 4595366)
Have you run "audit2allow"
on the logs?
1) Set SELinux to permissive
2) Read and FIX the warnings
3) Set SELinux to enforcing


Yep, based on audit2allow I've created the policy for dovecot & vpopmail....

So far it looks OK....
qmail & daemontools.... look a little more challenging...

rhbegin 02-06-2012 07:39 PM

Do a: rpm -q setroubleshoot

If it is not installed, install it.

Then do: # sealert -a /var/log/audit/audit.log | less
You can view all of the alerts issued, view the errors, and make exceptions and/or create policies.

fritz001 02-07-2012 06:21 AM

After quite a lot of work, qmail is working flawlessly on RHEL 6 [ enforcing SELinux ].

rhbegin 02-07-2012 12:02 PM

What types of policies did you implement? Were they created, and exceptions made, from the alerts?

fritz001 02-08-2012 02:12 AM

Quote:

Originally Posted by rhbegin (Post 4596197)
What types of policies did you implement? Were they created, and exceptions made, from the alerts?

I just analyzed /var/log/audit/audit.log for AVC errors... and created the policies.

However, I just upgraded my test machine from RHEL 6 to RHEL 6.2 and I had to recreate the policies...

e.g.: on RHEL 6, imap [issue]

. create inbox.test1 [ok]
. delete inbox.test1 [FAIL] --> rule: allow svc_run_t home_t:dir { rmdir };

but on RHEL 6.2:
. create inbox.test1 [ok]
. delete inbox.test1 [FAIL] --> rule: allow svc_run_t home_t:dir { rmdir reparent };

Sometimes... I really hate Red Hat...
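The workflow the thread converges on (permissive mode, collect the AVC denials, generate allow rules, review, load, enforce) is what audit2allow automates. The script below is an added example written for this page, not code from the posts above or from setroubleshoot/audit2allow: it parses constructed RHEL 6 style audit.log lines modelled on the imap folder-delete failure fritz001 describes, collapses the denials into allow rules (showing how the rmdir rule picks up reparent once both denials are in the log), emits the .te module source in the checkmodule syntax audit2allow -M writes, and flags rules that touch sensitive types or permissions so they are not loaded blindly. The sample log lines, the module name local_qmail and the SENSITIVE_* review lists are assumptions for the example; svc_run_t and home_t are the type names quoted in the thread.

```python
"""Mini audit2allow: AVC denials -> SELinux .te module, plus a review gate.

Added example for this thread, not code from the original posts or from
Red Hat's setroubleshoot/audit2allow. The audit records below are
constructed to resemble RHEL 6 audit.log lines for the imap folder-delete
failure described above; the type names (svc_run_t, home_t) are the ones
quoted in the thread."""
import re
from collections import defaultdict

# Constructed sample: two AVC denials for the same (source, target, class)
# triple, one non-AVC record, and one denial that must NOT be blindly allowed.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1328688000.101:4566): arch=c000003e syscall=84 success=no exit=-13 comm="imap"
type=AVC msg=audit(1328688000.101:4566): avc:  denied  { rmdir } for  pid=1234 comm="imap" name="inbox.test1" dev=dm-0 ino=98765 scontext=system_u:system_r:svc_run_t:s0 tcontext=unconfined_u:object_r:home_t:s0 tclass=dir
type=AVC msg=audit(1328688100.202:4570): avc:  denied  { reparent } for  pid=1234 comm="imap" name="inbox.test1" dev=dm-0 ino=98765 scontext=system_u:system_r:svc_run_t:s0 tcontext=unconfined_u:object_r:home_t:s0 tclass=dir
type=AVC msg=audit(1328688200.303:4575): avc:  denied  { read } for  pid=1300 comm="qmail-smtpd" name="shadow" dev=dm-0 ino=1122 scontext=system_u:system_r:svc_run_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumed review list for this example (not a setroubleshoot feature):
# targets/permissions a generated rule should never grant without a human look.
SENSITIVE_TYPES = {"shadow_t", "security_t", "selinux_config_t", "kernel_t"}
SENSITIVE_PERMS = {"execmem", "execstack", "execheap", "dac_override",
                   "sys_admin", "setenforce", "load_policy"}


def context_type(ctx):
    """user:role:type[:level] -> type"""
    return ctx.split(":")[2]


def parse_avc(log_text):
    """Collapse AVC denials into {(source_type, target_type, class): {perms}}.

    Denials from different runs for the same triple merge. That is why the
    rmdir-only rule from one run grows a 'reparent' permission later: the
    second denial only shows up once the first one has been allowed."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL, PATH, CWD records etc. carry no denial
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def review(rules):
    """Return the rules a human must justify before the module is loaded."""
    flagged = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        if tgt in SENSITIVE_TYPES or perms & SENSITIVE_PERMS:
            flagged.append((src, tgt, cls, frozenset(perms)))
    return flagged


def render_te(rules, module="local_qmail", version="1.0"):
    """Emit loadable-module source in the form audit2allow -M writes
    (checkmodule syntax, not the refpolicy policy_module() macro)."""
    types = sorted({t for (s, tg, _) in rules for t in (s, tg)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
            for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules = parse_avc(SAMPLE_AUDIT_LOG)
    for r in review(rules):
        print("REVIEW BEFORE LOADING:", r)
    print(render_te(rules))
    # On the target host (as root) the generated local_qmail.te is built and
    # loaded with the standard tools:
    #   checkmodule -M -m -o local_qmail.mod local_qmail.te
    #   semodule_package -o local_qmail.pp -m local_qmail.mod
    #   semodule -i local_qmail.pp
```

Two points the script makes that the thread only hints at: first, a rule generated from one run is only as complete as the denials already in the log, so iterate (allow, retest, collect the next denial) rather than assuming the first .te is final; second, the shadow_t line shows why audit2allow output is a starting point and not a policy, since it will happily emit `allow svc_run_t shadow_t:file { read };` if that denial is in the log.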

rhbegin 02-09-2012 10:03 AM

Quote:

Originally Posted by fritz001 (Post 4596814)
I just analyzed /var/log/audit/audit.log for AVC errors... and created the policies.

However, I just upgraded my test machine from RHEL 6 to RHEL 6.2 and I had to recreate the policies...

e.g.: on RHEL 6, imap [issue]

. create inbox.test1 [ok]
. delete inbox.test1 [FAIL] --> rule: allow svc_run_t home_t:dir { rmdir };

but on RHEL 6.2:
. create inbox.test1 [ok]
. delete inbox.test1 [FAIL] --> rule: allow svc_run_t home_t:dir { rmdir reparent };

Sometimes... I really hate Red Hat...

Thank you for the update; I did not know the 6 to 6.2 update would make the SELinux policies disappear.

I need to make sure I do a complete inventory of the file/policy changes from now on.

That could really sink your ship in production from a simple 'update'.

Thanks for sharing this.

