02-06-2012, 06:46 AM
#1
Member
Registered: Aug 2004
Posts: 176
qmail on RHEL 6 [selinux enabled]
Hello everyone,
I'm just trying to migrate a mail server from RHEL 5 to RHEL 6.
I've managed to install and test everything, and everything is OK... except for the fact that SELinux is disabled.
Now, when I enable SELinux, everything is fucked up: NOTHING is working.
My question is: has anyone made qmail work with SELinux in enforced mode on RHEL 6?
Or... do I have to damage my brain to create SELinux policies?
Last edited by fritz001; 02-06-2012 at 07:14 AM .
02-06-2012, 07:38 AM
#2
Member
Registered: Jun 2007
Location: South Africa
Distribution: Linux Mint,Fedora, openSUSE, RHEL, SLES, Scientific Linux
Posts: 71
What does the AVC say?
02-06-2012, 07:58 AM
#3
Member
Registered: Aug 2004
Posts: 176
Original Poster
well, toooooooo many errors:
vpopmail, dovecot, daemontools....
P.S. all my services are started by daemontools
/service/{dovecot, qmail-send, qmail-smtpd, qmail-tls, qmail-ssl}
/usr/bin/_binary_ucspi_ssl
/usr/bin/_binary_ucspi_tcp
/command/_symlinks_to /usr/bin/.....
The strange thing is: on RHEL 5 I didn't have to create any SELinux rules, except for qmailadmin....
02-06-2012, 02:18 PM
#4
Member
Registered: Aug 2004
Posts: 176
Original Poster
so.... so far I've managed to create a selinux policy for dovecot & vpopmail...
02-06-2012, 03:21 PM
#5
LQ Muse
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,622
Have you done the "audit2allow" on the logs?
1) Set SE to permissive
2) Read and FIX the warnings
3) Set SE to enforcing
02-06-2012, 05:55 PM
#6
Member
Registered: Aug 2004
Posts: 176
Original Poster
Quote:
Originally Posted by
John VV
Have you done the "audit2allow" on the logs?
1) Set SE to permissive
2) Read and FIX the warnings
3) Set SE to enforcing
Yep, based on audit2allow I've created the policy for dovecot & vpopmail....
so far looks OK....
qmail & daemontools.... looks a little more challenging...
02-06-2012, 07:39 PM
#7
Member
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381
Do an rpm -q setroubleshoot
If it is not installed, install it.
Then do a # sealert -a /var/log/audit/audit.log | less
You can view all of the alerts issued, view errors, and do exceptions and/or create policies.
02-07-2012, 06:21 AM
#8
Member
Registered: Aug 2004
Posts: 176
Original Poster
After quite a lot of work, qmail is working flawlessly on RHEL 6 [enforced SELinux]
02-07-2012, 12:02 PM
#9
Member
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381
What types of policies did you implement? Were they created and exceptions made from the alerts?
02-08-2012, 02:12 AM
#10
Member
Registered: Aug 2004
Posts: 176
Original Poster
Quote:
Originally Posted by
rhbegin
What types of policies did you implement? Were they created and exceptions made from the alerts?
I just analyzed /var/log/audit/audit.log for AVC errors ... and created the policies.
However, I just upgraded my test machine from RHEL 6 to RHEL 6.2 and I had to recreate the policies...
e.g.: on RHEL 6, IMAP [issue]
. create inbox.test1 [ok]
. delete inbox.test1 [FAIL] --> rule allow svc_run_t home_t:dir { rmdir };
but on RHEL 6.2
. create inbox.test1 [ok]
. delete inbox.test1 [FAIL] --> rule allow svc_run_t home_t:dir { rmdir reparent };
sometimes... I really hate Red Hat...
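The RHEL 6 versus 6.2 difference described in the post above can be checked mechanically. This is an added example, not code from the thread and not audit2allow itself: it groups AVC denials by source type, target type and class, then lists the permissions an existing rule does not yet cover. The log lines and the `imapd` process name are constructed; only the types, class and permissions come from the quoted rules.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the thread); only the types,
# class and permissions match the rules quoted in the post.
SAMPLE_LOG = """\
type=AVC msg=audit(1328601600.101:311): avc:  denied  { rmdir } for  pid=2214 comm="imapd" name=".test1" dev=dm-0 ino=131 scontext=system_u:system_r:svc_run_t:s0 tcontext=system_u:object_r:home_t:s0 tclass=dir
type=AVC msg=audit(1328601600.102:312): avc:  denied  { reparent } for  pid=2214 comm="imapd" name=".test1" dev=dm-0 ino=131 scontext=system_u:system_r:svc_run_t:s0 tcontext=system_u:object_r:home_t:s0 tclass=dir
type=SYSCALL msg=audit(1328601600.102:312): arch=c000003e syscall=84 success=no exit=-13 comm="imapd"
"""
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+\{?([^};]*)\}?\s*;")

def se_type(context):
    # A context is user:role:type[:level]; policy rules are written on the type.
    return context.split(":")[2]

def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:          # SYSCALL and other record types are skipped
            continue
        key = (se_type(m["s"]), se_type(m["t"]), m["cls"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def parse_rules(policy_text):
    """Read 'allow src tgt:class { perms };' rules from local policy text."""
    rules = defaultdict(set)
    for m in RULE_RE.finditer(policy_text):
        rules[(m[1], m[2], m[3])].update(m[4].split())
    return dict(rules)

def uncovered(denials, rules):
    """Allow rules still needed: denied permissions the policy does not grant."""
    out = []
    for key in sorted(denials):
        missing = denials[key] - rules.get(key, set())
        if missing:
            out.append("allow %s %s:%s { %s };" % (*key, " ".join(sorted(missing))))
    return out

if __name__ == "__main__":
    old_policy = "allow svc_run_t home_t:dir {rmdir};"   # the RHEL 6 rule
    print("\n".join(uncovered(collect_denials(SAMPLE_LOG), parse_rules(old_policy))))
```

Running the same comparison against the audit log gathered in permissive mode after each minor-release update shows which local rules need extending before switching back to enforcing.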
02-09-2012, 10:03 AM
#11
Member
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381
Quote:
Originally Posted by
fritz001
I just analyzed /var/log/audit/audit.log for AVC errors ... and created the policies.
However, I just upgraded my test machine from RHEL 6 to RHEL 6.2 and I had to recreate the policies...
e.g.: on RHEL 6, IMAP [issue]
. create inbox.test1 [ok]
. delete inbox.test1 [FAIL] --> rule allow svc_run_t home_t:dir { rmdir };
but on RHEL 6.2
. create inbox.test1 [ok]
. delete inbox.test1 [FAIL] --> rule allow svc_run_t home_t:dir { rmdir reparent };
sometimes... I really hate Red Hat...
Thank you for the update. I did not know the 6 to 6.2 update would make the SELinux policies disappear.
I need to make sure I do a complete inventory of the files/policy changes from now on.
That could really sink your ship in production from a simple 'update'.
Thanks for sharing this.
All times are GMT -5.