SELinux Postfix issues

may24
Posts: 30
Joined: 2014/10/13 15:35:36

SELinux Postfix issues

Post by may24 » 2017/03/27 10:25:31

Hi all,

I'm setting up a mailserver with postfix/dovecot.
I followed the tutorial and at first glimpse everything looked fine ... but when I try to access the mailbox Thunderbird tells me "account not found".

A quick check on the /var/log/maillog revealed:

Mar 27 12:03:03 data-server postfix/postfix-script[14977]: stopping the Postfix mail system
Mar 27 12:03:03 data-server postfix/master[14574]: terminating on signal 15
Mar 27 12:03:04 data-server postfix/postfix-script[15059]: starting the Postfix mail system
Mar 27 12:03:04 data-server postfix/master[15061]: daemon started -- version 2.10.1, configuration /etc/postfix
Mar 27 12:03:35 data-server postfix/submission/smtpd[15085]: warning: cannot get RSA certificate from file /etc/pki/dovecot/certs/dovecot.pem: disabling TLS support
Mar 27 12:03:35 data-server postfix/submission/smtpd[15085]: warning: TLS library problem: 15085:error:0200100D:system library:fopen:Permission denied:bss_file.c:398:fopen('/etc/pki/dovecot/certs/dovecot.pem','r'):
Mar 27 12:03:35 data-server postfix/submission/smtpd[15085]: warning: TLS library problem: 15085:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
Mar 27 12:03:35 data-server postfix/submission/smtpd[15085]: warning: TLS library problem: 15085:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:722:
Mar 27 12:03:35 data-server postfix/submission/smtpd[15085]: connect from unknown[192.168.0.12]
Mar 27 12:03:35 data-server postfix/submission/smtpd[15088]: warning: cannot get RSA certificate from file /etc/pki/dovecot/certs/dovecot.pem: disabling TLS support
Mar 27 12:03:35 data-server postfix/submission/smtpd[15088]: warning: TLS library problem: 15088:error:0200100D:system library:fopen:Permission denied:bss_file.c:398:fopen('/etc/pki/dovecot/certs/dovecot.pem','r'):
Mar 27 12:03:35 data-server postfix/submission/smtpd[15088]: warning: TLS library problem: 15088:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
Mar 27 12:03:35 data-server postfix/submission/smtpd[15088]: warning: TLS library problem: 15088:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:722:
Mar 27 12:03:35 data-server postfix/submission/smtpd[15085]: lost connection after CONNECT from unknown[192.168.0.12]
Mar 27 12:03:35 data-server postfix/submission/smtpd[15085]: disconnect from unknown[192.168.0.12]
Mar 27 12:03:35 data-server postfix/submission/smtpd[15088]: connect from unknown[192.168.0.12]
Mar 27 12:03:35 data-server postfix/submission/smtpd[15088]: lost connection after CONNECT from unknown[192.168.0.12]
Mar 27 12:03:35 data-server postfix/submission/smtpd[15088]: disconnect from unknown[192.168.0.12]

/var/log/messages has:

Mar 27 12:03:44 data-server python: SELinux is preventing /usr/libexec/postfix/smtpd from open access on the file /etc/pki/dovecot/certs/dovecot.pem.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that smtpd should be allowed open access on the dovecot.pem file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'smtpd' --raw | audit2allow -M my-smtpd
# semodule -i my-smtpd.pp

/etc/pki/dovecot/certs/dovecot.pem:

-r--r--r--. root root unconfined_u:object_r:dovecot_cert_t:s0 /etc/pki/dovecot/certs/dovecot.pem

So I first tried the "ausearch" suggestion. But I got:

ausearch -c 'smtpd' --raw | audit2allow -M my-smtpd
libsepol.sepol_string_to_security_class: unrecognized class dir
libsepol.sepol_string_to_security_class: unrecognized class file
libsepol.sepol_string_to_security_class: unrecognized class file

Next I tried:

grep "denied { write }" /var/log/audit/audit.log|grep "smtpd"|audit2allow -M smtpd-write
semodule -i smtpd-write.pp

and

grep "denied { read }" /var/log/audit/audit.log|grep "smtpd"|audit2allow -M smtpd-read
semodule -i smtpd-read.pp

I restarted the postfix service and retried to connect via Thunderbird.
But still I receive the same errors ...
I assume it's a problem of the "unrecognized class dir" and "unrecognized class file" ... But how to fix this?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux Postfix issues

Post by TrevorH » 2017/03/27 11:57:34

Try moving your cert to /etc/pki/tls/certs/ and amending your config to point to that. Also use mv -Z (or cp it) so that it assigns the correct selinux context to the file in its new location.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

may24
Posts: 30
Joined: 2014/10/13 15:35:36

Re: SELinux Postfix issues

Post by may24 » 2017/03/27 13:32:49

sorry ... no effect.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux Postfix issues

Post by TrevorH » 2017/03/27 13:45:27

OK, so now it's in the right place, let's have a look at the avc messages you get. Probably best to start from a fresh logfile so we're not seeing stuff left over from before, and to do that you can run service auditd rotate (as root) to create a new empty logfile. Once that's done, delete or move the older ones away from /var/log/audit so you only have a /var/log/audit/auditd.log. Now use setenforce 0 to put selinux into permissive mode so that you get a full audit of the things that it tries and fails; otherwise you will fix the first issue and then discover another one on the next go.

Now recreate your problem and then run grep avc /var/log/audit/auditd.log and post that. You could also pipe that straight into audit2allow but if there are mislabeled files then they should be fixed rather than allowed so it might be wise to check that first.

may24
Posts: 30
Joined: 2014/10/13 15:35:36

Re: SELinux Postfix issues

Post by may24 » 2017/03/28 11:23:42

Hi TrevorH

Thanks for your support.

I found a "quick and dirty" solution:

grep smtpd /var/log/audit/audit.log | audit2allow -M mymodule2
semodule -i mymodule2.pp

I know that's more a workaround rather than a solution, but due to lack of time ... etc. ...
In detail:

module mymodule2 1.0;

require {
	type dovecot_cert_t;
	type postfix_smtpd_t;
	class dir search;
	class file { getattr open read };
}

#============= postfix_smtpd_t ==============

#!!!! This avc is allowed in the current policy
allow postfix_smtpd_t dovecot_cert_t:dir search;
allow postfix_smtpd_t dovecot_cert_t:file getattr;

#!!!! This avc is allowed in the current policy
allow postfix_smtpd_t dovecot_cert_t:file { open read };

AFAIK this looks quite OK ... smtpd needs to read the dovecot-owned .pem files in order to initiate TLS connections ...
Or am I getting it wrong? (the SELinux part)

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: SELinux Postfix issues

Post by hunter86_bg » 2017/04/09 12:55:45

What is the output of

getsebool -a | grep postfix

Al_Stu
Posts: 52
Joined: 2010/09/14 21:05:16

Re: SELinux Postfix issues

Post by Al_Stu » 2017/04/10 09:11:04

Try cert_t instead of dovecot_cert_t

chcon -t cert_t /etc/pki/dovecot/certs/dovecot.pem

The cert I'm using is...

drwxr-xr-x. root root system_u:object_r:etc_t:s0       /etc
drwxr-xr-x. root root system_u:object_r:cert_t:s0      /etc/pki
drwxr-xr-x. root root unconfined_u:object_r:cert_t:s0  /etc/pki/X
-rw-r--r--. root root unconfined_u:object_r:cert_t:s0  /etc/pki/X/Z.pem
