postfix and selinux [selinux updates broke postfix?]
Yes. Are you running the FC9 GUI? Gnome perhaps? If you are, in the top right of the screen there should be a Sheriff's badge that you can click on to get the details of the SELinux errors. Can you see that? The program to show you details is called setroubleshootd.
nope no GUI...all SSH'd in from remote host and FTP access only, using putty and filezilla
Fedora release 9 (Sulphur)
all the avc messages are in messages (log file of name "messages")
OK, last resort. Try the audit2allow command using /var/log/messages instead of /var/log/audit/audit.log. I expect this to fail though.
If that works, is there a way to reverse this..is this creating a custom policy? (allowing all errors in that log to be allowed through a custom policy?), because there are other avc messages I may not want to create this policy for, i.e. other unrelated errors to this problem, 9884 lines of messages..
If that is the case, can I simply edit the file to include only the avc messages related to postfix before I run the audit2allow command?
Perhaps you don't have the SELinux trouble shooting package either?
Code:
yum install setroubleshoot setroubleshoot-server
erm, no i guess not, i have only setup this machine for php sql apache postfix and dovecot....nothing else has been installed, apart from the selinux devel we installed earlier;
selinux-policy-devel.noarch 0:3.3.1-135.fc9
Code:
yum install setroubleshoot setroubleshoot-server
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
There are unfinished transactions remaining. You might consider running yum-complete-transaction first to finish them.
--> Running transaction check
---> Package setroubleshoot.noarch 0:2.0.12-4.fc9 set to be updated
--> Processing Dependency: pygtk2 >= 2.9.2 for package: setroubleshoot
--> Processing Dependency: setroubleshoot-plugins >= 2.0.4 for package: setroubleshoot
--> Processing Dependency: gnome-python2-gtkhtml2 for package: setroubleshoot
--> Processing Dependency: gnome-python2 for package: setroubleshoot
--> Processing Dependency: notify-python for package: setroubleshoot
--> Processing Dependency: gnome-python2-canvas for package: setroubleshoot
---> Package setroubleshoot-server.noarch 0:2.0.12-4.fc9 set to be updated
--> Processing Dependency: audit >= 1.2.6-3 for package: setroubleshoot-server
--> Processing Dependency: pygobject2 for package: setroubleshoot-server
--> Running transaction check
---> Package audit.i386 0:1.7.5-1.fc9 set to be updated
---> Package gnome-python2.i386 0:2.22.1-2.fc9 set to be updated
--> Processing Dependency: libgnomevfs-2.so.0 for package: gnome-python2
--> Processing Dependency: gnome-python2-bonobo for package: gnome-python2
--> Processing Dependency: libbonobo-2.so.0 for package: gnome-python2
--> Processing Dependency: libgnomecanvas-2.so.0 for package: gnome-python2
--> Processing Dependency: libbonoboui-2.so.0 for package: gnome-python2
--> Processing Dependency: gnome-python2-gnomevfs for package: gnome-python2
--> Processing Dependency: libgnome-2.so.0 for package: gnome-python2
--> Processing Dependency: libart_lgpl_2.so.2 for package: gnome-python2
--> Processing Dependency: libgnomeui-2.so.0 for package: gnome-python2
--> Processing Dependency: libbonobo-activation.so.4 for package: gnome-python2
---> Package gnome-python2-canvas.i386 0:2.22.1-2.fc9 set to be updated
---> Package gnome-python2-gtkhtml2.i386 0:2.19.1-28.fc9 set to be updated
--> Processing Dependency: gnome-python2-extras = 2.19.1-28.fc9 for package: gnome-python2-gtkhtml2
--> Processing Dependency: gtkhtml2 >= 2.3.1 for package: gnome-python2-gtkhtml2
--> Processing Dependency: libgtkhtml-2.so.0 for package: gnome-python2-gtkhtml2
---> Package notify-python.i386 0:0.1.1-3.fc9 set to be updated
---> Package pygobject2.i386 0:2.14.2-1.fc9 set to be updated
---> Package pygtk2.i386 0:2.12.1-6.fc9 set to be updated
--> Processing Dependency: python-numeric for package: pygtk2
--> Processing Dependency: pycairo for package: pygtk2
---> Package setroubleshoot-plugins.noarch 0:2.0.11-1.fc9 set to be updated
--> Running transaction check
---> Package gnome-python2-bonobo.i386 0:2.22.1-2.fc9 set to be updated
--> Processing Dependency: pyorbit >= 2.0.1 for package: gnome-python2-bonobo
---> Package gnome-python2-extras.i386 0:2.19.1-28.fc9 set to be updated
---> Package gnome-python2-gnomevfs.i386 0:2.22.1-2.fc9 set to be updated
---> Package gnome-vfs2.i386 0:2.22.0-1.fc9 set to be updated
--> Processing Dependency: gnome-mime-data >= 2.0.0-11 for package: gnome-vfs2
--> Processing Dependency: gnome-mount >= 0.4 for package: gnome-vfs2
---> Package gtkhtml2.i386 0:2.11.1-3.fc9 set to be updated
--> Processing Dependency: gail >= 1.3 for package: gtkhtml2
--> Processing Dependency: libgailutil.so.18 for package: gtkhtml2
---> Package libart_lgpl.i386 0:2.3.20-1.fc9 set to be updated
---> Package libbonobo.i386 0:2.22.0-2.fc9 set to be updated
---> Package libbonoboui.i386 0:2.22.0-2.fc9 set to be updated
--> Processing Dependency: libglade-2.0.so.0 for package: libbonoboui
---> Package libgnome.i386 0:2.22.0-3.fc9 set to be updated
--> Processing Dependency: fedora-gnome-theme >= 8.0.0 for package: libgnome
--> Processing Dependency: libxslt >= 1.0.19 for package: libgnome
--> Processing Dependency: utempter for package: libgnome
--> Processing Dependency: libaudiofile.so.0 for package: libgnome
--> Processing Dependency: libesd.so.0 for package: libgnome
---> Package libgnomecanvas.i386 0:2.20.1.1-4.fc9 set to be updated
---> Package libgnomeui.i386 0:2.22.1-3.fc9 set to be updated
---> Package pycairo.i386 0:1.4.12-3.fc9 set to be updated
---> Package python-numeric.i386 0:24.2-11.fc9 set to be updated
--> Running transaction check
---> Package audiofile.i386 1:0.2.6-8.fc9 set to be updated
---> Package esound-libs.i386 1:0.2.38-7.fc9 set to be updated
--> Processing Dependency: libasound.so.2(ALSA_0.9.0rc4) for package: esound-libs
--> Processing Dependency: libasound.so.2(ALSA_0.9) for package: esound-libs
--> Processing Dependency: libasound.so.2 for package: esound-libs
---> Package fedora-gnome-theme.noarch 0:8.0.0-2.fc9 set to be updated
--> Processing Dependency: bluecurve-icon-theme for package: fedora-gnome-theme
--> Processing Dependency: fedora-icon-theme for package: fedora-gnome-theme
--> Processing Dependency: gtk-nodoka-engine for package: fedora-gnome-theme
--> Processing Dependency: nodoka-metacity-theme for package: fedora-gnome-theme
---> Package gail.i386 0:1.22.3-1.fc9 set to be updated
---> Package gnome-mime-data.noarch 0:2.18.0-2.fc7 set to be updated
---> Package gnome-mount.i386 0:0.8-1.fc9 set to be updated
--> Processing Dependency: PolicyKit-gnome >= 0.6 for package: gnome-mount
---> Package libglade2.i386 0:2.6.2-6.fc9 set to be updated
---> Package libutempter.i386 0:1.1.5-2.fc9 set to be updated
---> Package libxslt.i386 0:1.1.24-2.fc9 set to be updated
---> Package pyorbit.i386 0:2.14.3-2.fc9 set to be updated
--> Running transaction check
---> Package PolicyKit-gnome.i386 0:0.8-4.fc9 set to be updated
--> Processing Dependency: libsexy >= 0.1.11 for package: PolicyKit-gnome
--> Processing Dependency: libpolkit-gnome.so.0 for package: PolicyKit-gnome
--> Processing Dependency: libsexy.so.2 for package: PolicyKit-gnome
---> Package alsa-lib.i386 0:1.0.17-2.fc9 set to be updated
---> Package bluecurve-icon-theme.noarch 0:8.0.2-1.fc9 set to be updated
---> Package fedora-icon-theme.noarch 0:1.0.0-1.fc8 set to be updated
--> Processing Dependency: gnome-themes for package: fedora-icon-theme
---> Package gtk-nodoka-engine.i386 0:0.7.1-2.fc9 set to be updated
---> Package nodoka-metacity-theme.noarch 0:0.3.90-1.fc9 set to be updated
--> Processing Dependency: metacity for package: nodoka-metacity-theme
--> Running transaction check
---> Package PolicyKit-gnome-libs.i386 0:0.8-4.fc9 set to be updated
---> Package gnome-themes.noarch 0:2.22.0-1.fc9 set to be updated
--> Processing Dependency: gtk2-engines >= 2.9.0 for package: gnome-themes
--> Processing Dependency: gnome-icon-theme for package: gnome-themes
---> Package libsexy.i386 0:0.1.11-8.fc9 set to be updated
--> Processing Dependency: enchant for package: libsexy
--> Processing Dependency: hunspell-en for package: libsexy
---> Package metacity.i386 0:2.22.0-5.fc9 set to be updated
--> Processing Dependency: control-center-filesystem for package: metacity
--> Running transaction check
---> Package control-center-filesystem.i386 1:2.22.2.1-1.fc9 set to be updated
---> Package enchant.i386 1:1.4.2-2.fc9 set to be updated
---> Package gnome-icon-theme.noarch 0:2.22.0-6.fc9 set to be updated
---> Package gtk2-engines.i386 0:2.14.3-1.fc9 set to be updated
---> Package hunspell-en.noarch 0:0.20080207-1.fc9 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
==============================================================================================================================
Package Arch Version Repository Size
==============================================================================================================================
Installing:
setroubleshoot noarch 2.0.12-4.fc9 updates-newkey 121 k
setroubleshoot-server noarch 2.0.12-4.fc9 updates-newkey 1.3 M
Installing for dependencies:
PolicyKit-gnome i386 0.8-4.fc9 fedora 87 k
PolicyKit-gnome-libs i386 0.8-4.fc9 fedora 20 k
alsa-lib i386 1.0.17-2.fc9 updates-newkey 411 k
audiofile i386 1:0.2.6-8.fc9 fedora 108 k
audit i386 1.7.5-1.fc9 updates-newkey 355 k
bluecurve-icon-theme noarch 8.0.2-1.fc9 fedora 5.2 M
control-center-filesystem i386 1:2.22.2.1-1.fc9 updates-newkey 37 k
enchant i386 1:1.4.2-2.fc9 updates-newkey 51 k
esound-libs i386 1:0.2.38-7.fc9 fedora 73 k
fedora-gnome-theme noarch 8.0.0-2.fc9 updates-newkey 10 k
fedora-icon-theme noarch 1.0.0-1.fc8 fedora 115 k
gail i386 1.22.3-1.fc9 updates-newkey 295 k
gnome-icon-theme noarch 2.22.0-6.fc9 fedora 4.4 M
gnome-mime-data noarch 2.18.0-2.fc7 fedora 724 k
gnome-mount i386 0.8-1.fc9 fedora 148 k
gnome-python2 i386 2.22.1-2.fc9 updates-newkey 133 k
gnome-python2-bonobo i386 2.22.1-2.fc9 updates-newkey 68 k
gnome-python2-canvas i386 2.22.1-2.fc9 updates-newkey 27 k
gnome-python2-extras i386 2.19.1-28.fc9 updates-newkey 51 k
gnome-python2-gnomevfs i386 2.22.1-2.fc9 updates-newkey 84 k
gnome-python2-gtkhtml2 i386 2.19.1-28.fc9 updates-newkey 19 k
gnome-themes noarch 2.22.0-1.fc9 fedora 1.5 M
gnome-vfs2 i386 2.22.0-1.fc9 fedora 1.1 M
gtk-nodoka-engine i386 0.7.1-2.fc9 updates-newkey 52 k
gtk2-engines i386 2.14.3-1.fc9 updates-newkey 392 k
gtkhtml2 i386 2.11.1-3.fc9 fedora 189 k
hunspell-en noarch 0.20080207-1.fc9 fedora 675 k
libart_lgpl i386 2.3.20-1.fc9 fedora 65 k
libbonobo i386 2.22.0-2.fc9 fedora 475 k
libbonoboui i386 2.22.0-2.fc9 fedora 366 k
libglade2 i386 2.6.2-6.fc9 updates-newkey 64 k
libgnome i386 2.22.0-3.fc9 fedora 977 k
libgnomecanvas i386 2.20.1.1-4.fc9 updates-newkey 228 k
libgnomeui i386 2.22.1-3.fc9 updates-newkey 1.0 M
libsexy i386 0.1.11-8.fc9 updates-newkey 44 k
libutempter i386 1.1.5-2.fc9 fedora 22 k
libxslt i386 1.1.24-2.fc9 updates-newkey 529 k
metacity i386 2.22.0-5.fc9 updates-newkey 2.3 M
nodoka-metacity-theme noarch 0.3.90-1.fc9 fedora 8.2 k
notify-python i386 0.1.1-3.fc9 fedora 13 k
pycairo i386 1.4.12-3.fc9 updates-newkey 174 k
pygobject2 i386 2.14.2-1.fc9 updates-newkey 105 k
pygtk2 i386 2.12.1-6.fc9 fedora 1.1 M
pyorbit i386 2.14.3-2.fc9 fedora 49 k
python-numeric i386 24.2-11.fc9 updates-newkey 725 k
setroubleshoot-plugins noarch 2.0.11-1.fc9 updates-newkey 768 k
Transaction Summary
==============================================================================================================================
Install 48 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 27 M
Is this ok [y/N]:
Ok so my version of the fix will be based on my avc messages related to postfix in the messages log, and i will remove the mypostfix.pp we installed earlier also with
I've installed the audit daemon, I may as well try to use it. I think also this "Note that the above assumes you are not using the audit daemon. If you were using the audit daemon, then you should use /var/log/audit/audit.log instead of /var/log/messages as your log file. This generates a local.te file, that looks similar to the following:" means there is an advantage with using the audit daemon, I'm going to find out more about "audit" and how to
Thank-you very much i think i am pretty clear on my next steps,
1. learn to use audit
2. get audit to log the postfix avc messages
3. use audit2allow to create a .te file
4. makefile to make a pp
5. semodule it to install it
thanks again for the help, you are a star! I am (I hope) moving towards a fix for this problem and will post the .te code here when I am successful in getting postfix to sendmail with selinux on!
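An added example, not part of any post in this thread: one way to do the filtering asked about earlier (only the postfix AVC denials go to audit2allow) and then run the five-step plan above. The function names, the module name `mypostfixlocal`, the file name `postfix-avc.log` and the sample log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: narrow a mixed log down to postfix AVC denials before audit2allow.

# Constructed sample in /var/log/messages format (not taken from the thread).
write_sample() {
    cat > "$1" <<'EOF'
Sep  1 12:00:01 mail kernel: type=1400 audit(1220270401.123:45): avc:  denied  { read } for  pid=2345 comm="smtpd" name="example.db" dev=dm-0 ino=1001 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Sep  1 12:00:02 mail kernel: type=1400 audit(1220270402.456:46): avc:  denied  { getattr } for  pid=2300 comm="master" path="/example" dev=dm-0 ino=1002 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
Sep  1 12:00:03 mail kernel: type=1400 audit(1220270403.789:47): avc:  denied  { read } for  pid=2400 comm="httpd" name="main.cf" dev=dm-0 ino=1003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
Sep  1 12:00:05 mail postfix/smtpd[2345]: connect from unknown[192.0.2.10]
EOF
}

# Keep only denials whose *source* domain (third field of scontext) is a postfix_* type.
# A plain "grep postfix" would also keep the httpd_t denial and the ordinary mail log line.
postfix_avcs() {
    grep 'avc:  *denied' "$1" | grep -E 'scontext=[^: ]+:[^: ]+:postfix_'
}

# Review aid: "count source_type target_type class" for each distinct denial.
summarise() {
    postfix_avcs "$1" |
        sed -E 's/.*scontext=[^:]+:[^:]+:([^: ]+).*tcontext=[^:]+:[^:]+:([^: ]+).*tclass=([a-z_0-9]+).*/\1 \2 \3/' |
        sort | uniq -c
}

# Steps 3-5 from the list above. $1 = filtered log, $2 = module name (hypothetical).
build_module() {
    audit2allow -m "$2" -i "$1" > "$2.te"                 # write the .te source; read it before going on
    make -f /usr/share/selinux/devel/Makefile "$2.pp"      # needs selinux-policy-devel
    semodule -i "$2.pp"                                    # undo later with: semodule -r "$2"
}

# Typical use on the real host (as root):
#   postfix_avcs /var/log/messages > postfix-avc.log      # or /var/log/audit/audit.log with auditd
#   summarise /var/log/messages
#   build_module postfix-avc.log mypostfixlocal
```

Reading the generated `.te` before loading it matters because audit2allow turns every denial it is given into an allow rule, whether or not that access should be permitted.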