SELinux vs Postfix init script

Posted: 2017/08/01 14:25:16
by JadedDragoon
Postfix itself (as in, the binary in /usr/sbin) runs just fine.

But when I do "service postfix start" it hangs for a sec and then fails without error or logging. Finally, come to realize SELinux is blocking the postfix init script's access to files it requires.

Now I could run to my SELinux modules directory and manually add additional policy to enable the use of the postfix init scripts (in addition to that which is already implemented for postfix itself). Or I could assume CentOS 6 is maintained by sane people who don't hate happiness, life, and all that is good in this world... a view I grow less certain of with each increasingly improbable eccentricity I face under CentOS 6... and thus wouldn't implement an SELinux policy that allows the postfix daemon to work but not the postfix init script used to manage the postfix daemon.

So... assuming this isn't a place so twisted and horrible that it makes 4chan seem like the home of equestrian sapients who believe friendship is magic... there must be a better, smarter, less brute-force-y solution. I await enlightenment with infinite eagerness.

Re: SELinux vs Postfix init script

Posted: 2017/08/01 19:11:27
by TrevorH

touch /.autorelabel
shutdown -r now
# wait while it relabels your entire filesystem

Re: SELinux vs Postfix init script

Posted: 2017/08/09 05:13:41
by JadedDragoon
That did the trick.

Having done some research on the issue since reading your response, I've come to understand this is an issue with SELinux-unaware applications like vi stripping or damaging the file metadata SELinux uses to establish file contexts. Is that correct? And, if it is, what's the regular maintenance to clean up said "damage"? Run restorecon or do autorelabel anytime I perform maintenance on the server?

Re: SELinux vs Postfix init script

Posted: 2017/08/09 07:15:41
by gerald_clark
Using mv instead of cp will not create the proper selinux context for the moved file.

Re: SELinux vs Postfix init script

Posted: 2017/08/09 08:40:11
by TrevorH
Just about everything that CentOS supplies is selinux aware and should preserve selinux contexts. Certainly in about 12 years of using RHEL-like distros I have never seen vi damage them. As Gerald says, using mv to move a file from e.g. /tmp or /home to another location will copy the original's selinux context to the new place which will then fail. CentOS 7's mv has a -Z switch specifically to address that but it's not default so you have to specify it. Or just use cp which works.
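
Added example, not part of the thread: a narrower check than a full relabel is a restorecon dry run (-n -v) over the paths in question, which reports files whose context differs from policy without changing anything. The script below summarizes that report as path, current type and expected type; the function name, the sample lines and the paths are constructed for illustration, and the line format assumed is the one printed by the CentOS 6/7 restorecon.

```bash
#!/bin/sh
# Summarize `restorecon -n -v` dry-run output: one line per file whose
# SELinux type differs from what policy expects. Nothing is relabeled.

# Constructed sample of dry-run output (CentOS 6/7 format assumed):
#   restorecon reset PATH context OLD_CONTEXT->NEW_CONTEXT
SAMPLE_DRYRUN='restorecon reset /etc/postfix/main.cf context unconfined_u:object_r:user_home_t:s0->system_u:object_r:postfix_etc_t:s0
restorecon reset /etc/rc.d/init.d/postfix context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:initrc_exec_t:s0
restorecon reset /etc/postfix/master.cf context unconfined_u:object_r:postfix_etc_t:s0->system_u:object_r:postfix_etc_t:s0'

# Reads dry-run lines on stdin, prints "path<TAB>current_type<TAB>expected_type".
# Lines where only the user or role differs (seen with -F) are skipped,
# because the type is what the policy rules match on.
mislabeled_types() {
    awk '
    /^restorecon reset / && / context / {
        ctx = $NF                              # "old->new", never contains spaces
        path = $0
        sub(/^restorecon reset /, "", path)    # keep paths with spaces intact
        sub(/ context [^ ]+$/, "", path)
        split(ctx, pair, "->")
        split(pair[1], old, ":")               # user:role:type:level
        split(pair[2], new, ":")
        if (old[3] != new[3])
            printf "%s\t%s\t%s\n", path, old[3], new[3]
    }'
}

if [ "${1:-}" = "--live" ]; then
    # Real check: pass the paths to inspect, e.g. --live /etc/postfix
    shift
    restorecon -R -n -v "$@" 2>&1 | mislabeled_types
else
    # Offline demonstration on the constructed sample above
    printf '%s\n' "$SAMPLE_DRYRUN" | mislabeled_types
fi
```

A type such as user_home_t or user_tmp_t on a file under /etc is the signature of the mv case described above; running restorecon -v on just those paths, without -n, applies the expected context.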