postfix fails to start: AVC denial
Fedora 8
postfix-2.4.5-2.fc8

I cannot start postfix, either from a terminal windows or in webmin. Computer keeps giving AVC denial all the time. I clicked for more info, here is what I got:

Summary
SELinux is preventing /usr/libexec/postfix/master (postfix_master_t) "read write" to <Unknown> (var_run_t).

<snip>

Additional Information
Source Context          system_u:system_r:postfix_master_t:s0
Target Context          system_u:object_r:var_run_t:s0
Target Objects          None [ file ]
Affected RPM Packages   postfix-2.4.5-2.fc8 [application]
Policy RPM              selinux-policy-3.0.8-44.fc8
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             plugins.catchall_file
Host Name               tonycorp.com
Platform                Linux tonycorp.com 2.6.23.1-42.fc8 #1 SMP Tue Oct 30 13:55:12 EDT 2007 i686 athlon
Alert Count             7
First Seen              Sat 20 Sep 2008 04:07:23 PM BST
Last Seen               Sat 20 Sep 2008 11:19:30 PM BST
Local ID                5912257d-5b40-4c6f-b73c-9572ce859b95

I tried installing postfix 2.5 but the computer wouldn't have it, I kept getting fails. Being a newbie I'm not crash hot with Linux. Thanks for any help on this.
|
Did you install using yum or similar?
Do you have your mail files in some unusual location? What files are causing the problem - presumably your logs tell you that. |
You might disable that SELinux hooey until you are knowledgeable in its use and find some demonstrable value in it, or at least until you get your services to work as intended.
|
to bill: my location is /etc/postfix/. I think that's what's supposed to be. Where would one find the logs you refer to?
|
Logs are in /var/log. I think selinux logs to "messages" |
@tonj: /var/run is where daemon processes may commonly keep PID files, fifo's, sockets or lock files. Since Postfix has been in Fedora for a while it should have a well-developed policy by now. The "preventing /usr/libexec/postfix/master (postfix_master_t) "read write" to <Unknown> (var_run_t)" Sealert looks like a warning for a missing rule. How that happened I don't know. Since you snipped your message it's hard to tell what's missing. Maybe you could tell us a bit about how you installed it and where from?
While Sealert (setroubleshootd) gives you graphical alerts, SE Linux' Access Vector Cache (AVC) messages get logged in /var/log/audit/audit.log (unless you don't have the auditd package installed in which case they'll end up in /var/log/messages). By grepping for those and running them through 'audit2allow' you could build a local policy (if Sealert doesn't advertise setting any booleans or running 'chcon' to set a context).
|
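The audit.log step described in the post above, as an added example that is not part of the original thread: a simplified Python sketch of what audit2allow does with AVC records, turning denials into candidate allow rules for review. The log lines are constructed (only the two contexts and the "read write" permissions come from the alert quoted in the thread), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in audit.log format. The contexts match the alert in the
# thread; timestamps, pids and the other record fields are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1221923243.101:45): avc:  denied  { read write } for  pid=2345 comm="master" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1221923243.101:45): arch=40000003 syscall=11 success=yes exit=0 comm="master" exe="/usr/libexec/postfix/master"
type=AVC msg=audit(1221949170.442:71): avc:  denied  { read } for  pid=2391 comm="master" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1221949171.007:72): avc:  granted  { setenforce } for  pid=2400 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)

def denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record, or a "granted" record
        # A context is user:role:type:level; the type is the third field.
        key = (m["scon"].split(":")[2], m["tcon"].split(":")[2], m["tclass"])
        grouped[key].update(m["perms"].split())
    return dict(grouped)

def as_allow_rules(grouped):
    """Render each group as the policy rule that would silence the denial."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        names = " ".join(sorted(perms))
        rules.append(f"allow {src} {tgt}:{cls} {{ {names} }};")
    return rules

if __name__ == "__main__":
    for rule in as_allow_rules(denials(SAMPLE_LOG)):
        print(rule)
```

Read the resulting rule before loading anything like it: a target type as generic as var_run_t often points to a file that lost its label, which is corrected by relabelling rather than by widening what postfix_master_t may touch.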
I'll allow Wietse Venema's (author of postfix, tcpwrappers, etc.) own humorous words speak to SELinux:
Quote:
Btw. Postfix 2.5 introduced changes, which required SELinux policy changes. Postfix now uses a private data directory for certain cache files. |
But if postfix was installed using Fedora package management then the policies should (note I use should) work fine for a pretty standard app like postfix.
|
thanks for all the responses here. I took Mr C's advice and disabled SELinux. I'm new to linux and I can't handle most of this stuff, it makes my head spin. I have postfix started now and I can make alterations to the configuration.
Perhaps at some time in the future when I'm more experienced (50 years?) I'll resolve this SELinux thing rather than disable it. |