SELinux vs Postfix init script

Support for security such as Firewalls and securing linux
JadedDragoon
Posts: 2
Joined: 2017/08/01 13:57:17

SELinux vs Postfix init script

Postby JadedDragoon » 2017/08/01 14:25:16

Postfix itself (as in, the binary in /usr/sbin) runs just fine.

But when I do "service postfix start" it hangs for a sec and then fails without error or logging. Finally, come to realize SELinux is blocking the postfix init script's access to files it requires.

Now I could run to my SELinux modules directory and manually add additional policy to enable the use of the postfix init scripts (in addition to that which is already implemented for postfix itself). Or I could assume CentOS 6 is maintained by sane people who don't hate happiness, life, and all that is good in this world... a view I grow less certain of with each increasingly improbable eccentricity I face under CentOS 6... and thus wouldn't implement an SELinux policy that allows the postfix daemon to work but not the postfix init script used to manage the postfix daemon.

So... assuming this isn't a place so twisted and horrible that it makes 4chan seem like the home of equestrian sapients who believe friendship is magic... there must be a better, smarter. less brute-force-y solution. I await enlightenment with infinite eagerness.

User avatar
TrevorH
Forum Moderator
Posts: 20322
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux vs Postfix init script

Postby TrevorH » 2017/08/01 19:11:27

Code: Select all

touch /.autorelabel
shutdown -r now
<wait while it relabels your entire filesystem>
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

JadedDragoon
Posts: 2
Joined: 2017/08/01 13:57:17

Re: SELinux vs Postfix init script

Postby JadedDragoon » 2017/08/09 05:13:41

That did the trick.

Having done some research on the issue since reading your response, I've come to understand this is an issue with SELinux-unaware applications like vi stripping or damaging the file metadata SELinux uses to establish file contexts. Is that correct? And, if it is, what's regular maintenance to clean up said "damage"? Run restorecon or do autorelabel anytime I perform maintenance on the server?

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: SELinux vs Postfix init script

Postby gerald_clark » 2017/08/09 07:15:41

Using mv instead of cp will not create the proper selinux context for the moved file.

User avatar
TrevorH
Forum Moderator
Posts: 20322
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux vs Postfix init script

Postby TrevorH » 2017/08/09 08:40:11

Just about everything that CentOS supplies is selinux aware and should preserve selinux contexts. Certainly in about 12 years of using RHEL-like distros I have never seen vi damage them. As Gerald says, using mv to move a file from e.g. /tmp or /home to another location will copy the original's selinux context to the new place which will then fail. CentOS 7's mv has a -Z switch specifically to address that but it's not default so you have to specify it. Or just use cp which works.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke