LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices

Reply
 
Search this Thread
Old 09-20-2008, 07:08 PM   #1
tonj
Member
 
Registered: Sep 2008
Posts: 249

Rep: Reputation: 22
postfix fails to start: AVC denial


Fedora 8
postfix-2.4.5-2.fc8

I cannot start postfix, either from a terminal windows or in webmin. Computer keeps giving AVC denial all the time. I clicked for more info, here is what I got:

Summary
SELinux is preventing /usr/libexec/postfix/master (postfix_master_t) "read
write" to <Unknown> (var_run_t).

<snip>

Additional Information

Source Context system_u:system_rostfix_master_t:s0
Target Context system_ubject_r:var_run_t:s0
Target Objects None [ file ]
Affected RPM Packages postfix-2.4.5-2.fc8 [application]
Policy RPM selinux-policy-3.0.8-44.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.catchall_file
Host Name tonycorp.com
Platform Linux tonycorp.com 2.6.23.1-42.fc8 #1 SMP Tue Oct
30 13:55:12 EDT 2007 i686 athlon
Alert Count 7
First Seen Sat 20 Sep 2008 04:07:23 PM BST
Last Seen Sat 20 Sep 2008 11:19:30 PM BST
Local ID 5912257d-5b40-4c6f-b73c-9572ce859b95

I tried installing postfix 2.5 but the computer wouldn't have it, I kept getting fails. Being a newbie I'm not crash hot with Linux.
Thanks for any help on this.
 
Old 09-20-2008, 07:22 PM   #2
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
Did you install using yum or similar?

Do you have your mail files in some unusual location?

What files are causing the problem - presumably your logs tell you that.
 
Old 09-20-2008, 10:23 PM   #3
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
You might disable that SELinux hooey until you are knowledgeable in its use and find some demonstrable value in it, or at least until you get your services to work as intended.
 
Old 09-21-2008, 10:10 AM   #4
tonj
Member
 
Registered: Sep 2008
Posts: 249

Original Poster
Rep: Reputation: 22
to bill: my location is /etc/postfix/. I think that's what's supposed to be. Where would one find the logs you refer to?
 
Old 09-21-2008, 04:56 PM   #5
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
Quote:
Originally Posted by tonj View Post
to bill: my location is /etc/postfix/. I think that's what's supposed to be. Where would one find the logs you refer to?
No mail files - the messages themselves.

Logs are in /var/log. I think selinux logs to "messages"
 
Old 09-21-2008, 07:03 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,552
Blog Entries: 54

Rep: Reputation: 2925Reputation: 2925Reputation: 2925Reputation: 2925Reputation: 2925Reputation: 2925Reputation: 2925Reputation: 2925Reputation: 2925Reputation: 2925Reputation: 2925
@tonj: /var/run is where daemon processes may commonly keep PID files, fifo's, sockets or lock files. Since Postfix has been in Fedora for a while it should have a well-developed policy by now. The "preventing /usr/libexec/postfix/master (postfix_master_t) "read write" to <Unknown> (var_run_t)" Sealert looks like a warning for a missing rule. How that happened I don't know. Since you snipped your message it's hard to tell what's missing. Maybe you could tell us a bit about how you installed it and where from?

While Sealert (setroubleshootd) gives you graphical alerts, SE Linux' Access Vector Cache (AVC) messages get logged in /var/log/audit/audit.log (unless you don't have the auditd package installed in which case they'll end up in /var/log/messages). By grepping for those and running them through 'audit2allow' you could build a local policy (if Sealert doesn't advertise setting any booleans or running 'chcon' to set a context).


Quote:
Originally Posted by Mr. C. View Post
You might disable that SELinux hooey until you are knowledgeable in its use and find some demonstrable value in it
With all due respect but all questioning SE Linux by saying "demonstrable value" and calling it "hooey" demonstrates here is the amount of respect you regard SE Linux with. Of course you're entitled to your opinion, but for someone who appears to me as rather impartial and knowedgable I find that a bit, well, odd. If you would like to have a technical and objective discussion about SE Linux you're invited to start one in the Linux Security forum.
 
Old 09-21-2008, 07:42 PM   #7
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
I'll allow Wietse Venema's (author or postfix, tcpwrappers, etc.) own humorous words speak to SELinux:

Quote:
> Needless to say, I do not offer any warranties for damage done
> by Selinux brain damage.

> Kill off SeLinux, AppArmor, and so on. Postfix warranty is voided by
> such "security" "improvements".

> If someone believes that these extras are useful, then it is their
> responsibility to provide configurations that don't interfere with
> LEGITIMATE Postfix behavior.

> What about SeLinux, AppArmor, Systrace, or other goop that regulates
> system calls so that they no longer behave as documentated?
My somewhat tongue-in-cheek hooey remark was not with respect to the engineering or technical merits of SElinux; it was related to its *understandability* and *usability* for admins performing general duties (as in, this OP). The most rigorous security tool/policy available in the hands of a novice reduces the value of the tool substantially (think: ssh w/weak passords). And the more complicated the tool, the likelihood of implementing and having confidence in an understandable, sane security policy drops exponentially. My point was against security via hyper-complexity. Wait... didn't Red Hat just get compromised! Oops.

Btw. Postfix 2.5 introduced changes, which required SELinux policy changes. Postfix now uses a private data directory for certain cache files.
 
Old 09-21-2008, 07:52 PM   #8
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
But if postfix was installed using Fedora package management then the policies should (note I use should) work fine for a pretty standard app like postfix.
 
Old 09-21-2008, 08:06 PM   #9
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 59
One would think so, but alas:

https://www.redhat.com/archives/fedo.../msg00028.html
 
Old 09-22-2008, 06:18 AM   #10
tonj
Member
 
Registered: Sep 2008
Posts: 249

Original Poster
Rep: Reputation: 22
thanks for all the responses here. I took Mr C's advice and disabled SELinux. I'm new to linux and I can't handle most of this stuff, it makes my head spin. I have postfix started now and I can make alterations to the configuration.
Perhaps at some time in the future when I'm more experienced (50 years?) I'll resolve this SELinux thing rather than disable it.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
AVC denial message on FC9 skeletonca Fedora 1 08-02-2008 04:19 PM
Annoying AVC Denial of Home Public Directory that I want to serve. algogeek Linux - Networking 4 07-04-2008 04:47 AM
SELinux AVC denial: Wireless drops instantly or never connects vprice Linux - Wireless Networking 8 05-04-2008 09:15 AM
AVC Denial alan_ri Fedora 4 03-31-2008 03:25 PM
Nagios - SELinux AVC Denial davethemackem Linux - Software 1 09-26-2007 04:30 PM


All times are GMT -5. The time now is 04:59 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration