LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Software (https://www.linuxquestions.org/questions/linux-software-2/)
-   -   postfix fails to start: AVC denial (https://www.linuxquestions.org/questions/linux-software-2/postfix-fails-to-start-avc-denial-671306/)

tonj 09-20-2008 06:08 PM
postfix fails to start: AVC denial
 
Fedora 8
postfix-2.4.5-2.fc8

I cannot start postfix, either from a terminal windows or in webmin. Computer keeps giving AVC denial all the time. I clicked for more info, here is what I got:

Summary
SELinux is preventing /usr/libexec/postfix/master (postfix_master_t) "read
write" to <Unknown> (var_run_t).

<snip>

Additional Information

Source Context system_u:system_r:postfix_master_t:s0
Target Context system_u:object_r:var_run_t:s0
Target Objects None [ file ]
Affected RPM Packages postfix-2.4.5-2.fc8 [application]
Policy RPM selinux-policy-3.0.8-44.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall_file
Host Name tonycorp.com
Platform Linux tonycorp.com 2.6.23.1-42.fc8 #1 SMP Tue Oct
30 13:55:12 EDT 2007 i686 athlon
Alert Count 7
First Seen Sat 20 Sep 2008 04:07:23 PM BST
Last Seen Sat 20 Sep 2008 11:19:30 PM BST
Local ID 5912257d-5b40-4c6f-b73c-9572ce859b95

I tried installing postfix 2.5 but the computer wouldn't have it, I kept getting fails. Being a newbie I'm not crash hot with Linux.
Thanks for any help on this.

billymayday 09-20-2008 06:22 PM
Did you install using yum or similar?

Do you have your mail files in some unusual location?

What files are causing the problem - presumably your logs tell you that.

Mr. C. 09-20-2008 09:23 PM
You might disable that SELinux hooey until you are knowledgeable in its use and find some demonstrable value in it, or at least until you get your services to work as intended.

tonj 09-21-2008 09:10 AM
to bill: my location is /etc/postfix/. I think that's what's supposed to be. Where would one find the logs you refer to?

billymayday 09-21-2008 03:56 PM
Quote:
Originally Posted by tonj (Post 3287230)
to bill: my location is /etc/postfix/. I think that's what's supposed to be. Where would one find the logs you refer to?
No mail files - the messages themselves.

Logs are in /var/log. I think selinux logs to "messages"

unSpawn 09-21-2008 06:03 PM
@tonj: /var/run is where daemon processes may commonly keep PID files, fifo's, sockets or lock files. Since Postfix has been in Fedora for a while it should have a well-developed policy by now. The "preventing /usr/libexec/postfix/master (postfix_master_t) "read write" to <Unknown> (var_run_t)" Sealert looks like a warning for a missing rule. How that happened I don't know. Since you snipped your message it's hard to tell what's missing. Maybe you could tell us a bit about how you installed it and where from?

While Sealert (setroubleshootd) gives you graphical alerts, SE Linux' Access Vector Cache (AVC) messages get logged in /var/log/audit/audit.log (unless you don't have the auditd package installed in which case they'll end up in /var/log/messages). By grepping for those and running them through 'audit2allow' you could build a local policy (if Sealert doesn't advertise setting any booleans or running 'chcon' to set a context).


Quote:
Originally Posted by Mr. C. (Post 3286862)
You might disable that SELinux hooey until you are knowledgeable in its use and find some demonstrable value in it
With all due respect but all questioning SE Linux by saying "demonstrable value" and calling it "hooey" demonstrates here is the amount of respect you regard SE Linux with. Of course you're entitled to your opinion, but for someone who appears to me as rather impartial and knowedgable I find that a bit, well, odd. If you would like to have a technical and objective discussion about SE Linux you're invited to start one in the Linux Security forum.

Mr. C. 09-21-2008 06:42 PM
I'll allow Wietse Venema's (author or postfix, tcpwrappers, etc.) own humorous words speak to SELinux:

Quote:
> Needless to say, I do not offer any warranties for damage done
> by Selinux brain damage.

> Kill off SeLinux, AppArmor, and so on. Postfix warranty is voided by
> such "security" "improvements".

> If someone believes that these extras are useful, then it is their
> responsibility to provide configurations that don't interfere with
> LEGITIMATE Postfix behavior.

> What about SeLinux, AppArmor, Systrace, or other goop that regulates
> system calls so that they no longer behave as documentated?
My somewhat tongue-in-cheek hooey remark was not with respect to the engineering or technical merits of SElinux; it was related to its *understandability* and *usability* for admins performing general duties (as in, this OP). The most rigorous security tool/policy available in the hands of a novice reduces the value of the tool substantially (think: ssh w/weak passords). And the more complicated the tool, the likelihood of implementing and having confidence in an understandable, sane security policy drops exponentially. My point was against security via hyper-complexity. Wait... didn't Red Hat just get compromised! Oops.

Btw. Postfix 2.5 introduced changes, which required SELinux policy changes. Postfix now uses a private data directory for certain cache files.

billymayday 09-21-2008 06:52 PM
But if postfix was installed using Fedora package management then the policies should (note I use should) work fine for a pretty standard app like postfix.

Mr. C. 09-21-2008 07:06 PM
One would think so, but alas:

https://www.redhat.com/archives/fedo.../msg00028.html

tonj 09-22-2008 05:18 AM
thanks for all the responses here. I took Mr C's advice and disabled SELinux. I'm new to linux and I can't handle most of this stuff, it makes my head spin. I have postfix started now and I can make alterations to the configuration.
Perhaps at some time in the future when I'm more experienced (50 years?) I'll resolve this SELinux thing rather than disable it.


All times are GMT -5. The time now is 11:16 AM.