LinuxQuestions.org
Old 02-06-2012, 06:46 AM   #1
fritz001
Member
 
Registered: Aug 2004
Posts: 176

Rep: Reputation: 18
Question qmail on RHEL 6 [selinux enabled]


Hello everyone,

I am just trying to migrate a mail server from RHEL 5 to RHEL 6.

After I managed to install and test everything, it is OK... except for the fact that SELinux is disabled.

Now, when I enable SELinux, everything is fucked up: NOTHING is working.

My question is: has anyone made qmail work with SELinux in enforcing mode on RHEL 6?

Or... do I have to damage my brain to create SELinux policies?

Last edited by fritz001; 02-06-2012 at 07:14 AM.
 
Old 02-06-2012, 07:38 AM   #2
rgdacosta
Member
 
Registered: Jun 2007
Location: South Africa
Distribution: Linux Mint,Fedora, openSUSE, RHEL, SLES, Scientific Linux
Posts: 71

Rep: Reputation: 25
What does the AVC say?
 
Old 02-06-2012, 07:58 AM   #3
fritz001
Member
 
Registered: Aug 2004
Posts: 176

Original Poster
Rep: Reputation: 18
Well, toooooooo many errors:

vpopmail, dovecot, daemontools....

P.S. all my services are started by daemontools

/service/{dovecot, qmail-send, qmail-smtpd, qmail-tls, qmail-ssl}
/usr/bin/_binary_ucspi_ssl
/usr/bin/_binary_ucspi_tcp

/command/_symlinks_to /usr/bin/.....

The strange thing is: on RHEL 5 I didn't have to create any SELinux rules, except for qmailadmin....
 
Old 02-06-2012, 02:18 PM   #4
fritz001
Member
 
Registered: Aug 2004
Posts: 176

Original Poster
Rep: Reputation: 18
So.... so far I've managed to create an SELinux policy for dovecot & vpopmail...
 
Old 02-06-2012, 03:21 PM   #5
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,622

Rep: Reputation: 2651
Have you done the "audit2allow" on the logs?
1) Set SE to permissive
2) Read and FIX the warnings
3) Set SE to enforcing
 
Old 02-06-2012, 05:55 PM   #6
fritz001
Member
 
Registered: Aug 2004
Posts: 176

Original Poster
Rep: Reputation: 18
Quote:
Originally Posted by John VV
Have you done the "audit2allow" on the logs?
1) Set SE to permissive
2) Read and FIX the warnings
3) Set SE to enforcing

Yep, based on audit2allow I've created the policy for dovecot & vpopmail....

So far it looks OK....
qmail & daemontools.... look a little more challenging...
 
Old 02-06-2012, 07:39 PM   #7
rhbegin
Member
 
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381

Rep: Reputation: 23
Do an rpm -q setroubleshoot

If it is not installed, install it.

Then do a # sealert -a /var/log/audit/audit.log | less
You can view all of the alerts issued, view errors, and make exceptions and/or create policies.
 
Old 02-07-2012, 06:21 AM   #8
fritz001
Member
 
Registered: Aug 2004
Posts: 176

Original Poster
Rep: Reputation: 18
After quite a lot of work, qmail is working flawlessly on RHEL 6 [enforced SELinux]
 
Old 02-07-2012, 12:02 PM   #9
rhbegin
Member
 
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381

Rep: Reputation: 23
What types of policies did you implement? Were they created, and exceptions made, from the alerts?
 
Old 02-08-2012, 02:12 AM   #10
fritz001
Member
 
Registered: Aug 2004
Posts: 176

Original Poster
Rep: Reputation: 18
Quote:
Originally Posted by rhbegin
What types of policies did you implement? Were they created, and exceptions made, from the alerts?
I just analyzed /var/log/audit/audit.log for AVC errors ... and created the policies

However, I just upgraded my test machine from RHEL 6 to RHEL 6.2 and I had to recreate the policies...

e.g.: on RHEL 6, IMAP [issue]

. create inbox.test1 [ok]
. delete inbox.test1 [FAIL] --> rule allow svc_run_t home_t:dir {rmdir};

but on RHEL 6.2
. create inbox.test1 [ok]
. delete inbox.test1 [FAIL] --> rule allow svc_run_t home_t:dir {rmdir reparent};

sometimes... i really hate redhat...
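
Added example (not part of any post in this thread): a minimal Python sketch of what the audit2allow step and the RHEL 6 to 6.2 rule difference above amount to. It groups AVC denials from a log into allow rules and reports only the permissions an existing local rule does not already grant. The log excerpt is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt, as if captured in permissive mode before the
# local module was reloaded. Types and permissions follow post #10; the
# timestamps, pids, inodes and names are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1328700000.101:501): avc:  denied  { rmdir } for  pid=2101 comm="imap" name=".test1" dev=dm-0 ino=3001 scontext=system_u:system_r:svc_run_t:s0 tcontext=system_u:object_r:home_t:s0 tclass=dir
type=SYSCALL msg=audit(1328700000.101:501): arch=c000003e syscall=84 success=no exit=-13 comm="imap"
type=AVC msg=audit(1328700000.102:502): avc:  denied  { reparent } for  pid=2101 comm="imap" name=".test1" dev=dm-0 ino=3001 scontext=system_u:system_r:svc_run_t:s0 tcontext=system_u:object_r:home_t:s0 tclass=dir
type=AVC msg=audit(1328700009.300:517): avc:  denied  { rmdir } for  pid=2140 comm="imap" name=".test2" dev=dm-0 ino=3007 scontext=system_u:system_r:svc_run_t:s0 tcontext=system_u:object_r:home_t:s0 tclass=dir
"""

# Rule carried over from the RHEL 6 module, as quoted in post #10.
OLD_MODULE = "allow svc_run_t home_t:dir {rmdir};"

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?"
                    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s*\{?\s*([\w\s]+?)\s*\}?\s*;")

def ctx_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denied_rules(log_text):
    """Group AVC denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for perms, scon, tcon, tclass in AVC_RE.findall(log_text):
        rules[(ctx_type(scon), ctx_type(tcon), tclass)].update(perms.split())
    return dict(rules)

def allowed_rules(te_text):
    """Parse 'allow src tgt:class perm;' or '{ perm ... };' rules the same way."""
    rules = defaultdict(set)
    for src, tgt, tclass, perms in ALLOW_RE.findall(te_text):
        rules[(src, tgt, tclass)].update(perms.split())
    return dict(rules)

def missing_rules(denied, allowed):
    """Denied permissions that the existing rules do not already grant."""
    gaps = {k: p - allowed.get(k, set()) for k, p in denied.items()}
    return {k: p for k, p in gaps.items() if p}

def render(rules):
    """Format grouped rules as sorted policy statements."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    gaps = missing_rules(denied_rules(SAMPLE_LOG), allowed_rules(OLD_MODULE))
    print("\n".join(render(gaps)))
```

Keeping the local rules in a file and diffing fresh denials against it after each update shows exactly which permissions a minor release added, so each new rule can be reviewed before it is loaded.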
 
Old 02-09-2012, 10:03 AM   #11
rhbegin
Member
 
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381

Rep: Reputation: 23
Quote:
Originally Posted by fritz001
I just analyzed /var/log/audit/audit.log for AVC errors ... and created the policies

However, I just upgraded my test machine from RHEL 6 to RHEL 6.2 and I had to recreate the policies...

e.g.: on RHEL 6, IMAP [issue]

. create inbox.test1 [ok]
. delete inbox.test1 [FAIL] --> rule allow svc_run_t home_t:dir {rmdir};

but on RHEL 6.2
. create inbox.test1 [ok]
. delete inbox.test1 [FAIL] --> rule allow svc_run_t home_t:dir {rmdir reparent};

sometimes... i really hate redhat...
Thank you for the update, I did not know the 6 to 6.2 update would make the SELinux policies disappear.

I need to make sure I do a complete inventory of the files/policy changes from now on.

That could really sink your ship in production from a simple 'update'.

Thanks for sharing this.
 
  

