Hi folks,
I found this link that had a similar (but not identical) problem:
http://www.redhat.com/archives/fedora-selinux-list/2004-December/msg00033.ht...
O/S: Fedora Core5
Mail server: Postfix
SELinux: Enabled.
Basically, the problem is this. When I try to send E-Mail from a Python script, Postfix fails. In the maillog file, I see:
Apr 24 13:53:57 miffy postfix/pickup[29094]: warning: maildrop/2104D276B2A: Permission denied
In messages, I see:
Apr 24 13:57:58 miffy kernel: audit(1145912278.348:688): avc: denied { getattr } for pid=29094 comm="pickup" name="2104D276B2A" dev=sda3 ino=2583338 scontext=root:system_r:postfix_pickup_t:s0 tcontext=root:object_r:postfix_spool_t:s0 tclass=file
If I set SELinux to permissive mode, it works fine.
Is this an SELinux policy problem? How can I go about fixing this? I'd prefer to run with SELinux enabled ...
Thanks!
-- Jeff
Jeff Coffler wrote:
Hi folks,
I found this link that had a similar (but not identical) problem:
http://www.redhat.com/archives/fedora-selinux-list/2004-December/msg00033.ht...
O/S: Fedora Core5
Mail server: Postfix
SELinux: Enabled.
Basically, the problem is this. When I try to send E-Mail from a Python script, Postfix fails. In the maillog file, I see:
Apr 24 13:53:57 miffy postfix/pickup[29094]: warning: maildrop/2104D276B2A: Permission denied
In messages, I see:
Apr 24 13:57:58 miffy kernel: audit(1145912278.348:688): avc: denied { getattr } for pid=29094 comm="pickup" name="2104D276B2A" dev=sda3 ino=2583338 scontext=root:system_r:postfix_pickup_t:s0 tcontext=root:object_r:postfix_spool_t:s0 tclass=file
If I set SELinux to permissive mode, it works fine.
Is this an SELinux policy problem? How can I go about fixing this? I'd prefer to run with SELinux enabled ...
# grep postfix_spool /var/log/messages | audit2allow -M postfixpickup
# semodule -i postfixpickup.pp
Will fix it for now.
I will update policy to allow searching of this directory
Thanks!
-- Jeff
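An added example (not part of the thread, and not audit2allow's own code): a small Python parser that turns AVC denial lines like the one quoted above into the allow rules a generated module would contain, so they can be read before `semodule -i` loads them. The second log line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# First line is the denial quoted in the thread; the second is constructed
# for illustration (same domain and type, different permission); the third
# is the Postfix warning, which is not an AVC record.
SAMPLE_LOG = """\
Apr 24 13:57:58 miffy kernel: audit(1145912278.348:688): avc: denied { getattr } for pid=29094 comm="pickup" name="2104D276B2A" dev=sda3 ino=2583338 scontext=root:system_r:postfix_pickup_t:s0 tcontext=root:object_r:postfix_spool_t:s0 tclass=file
Apr 24 13:58:01 miffy kernel: audit(1145912281.101:689): avc: denied { read } for pid=29094 comm="pickup" name="2104D276B2A" dev=sda3 ino=2583338 scontext=root:system_r:postfix_pickup_t:s0 tcontext=root:object_r:postfix_spool_t:s0 tclass=file
Apr 24 13:53:57 miffy postfix/pickup[29094]: warning: maildrop/2104D276B2A: Permission denied
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. the Postfix warning line)
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials

def allow_rules(denials):
    """Render one type-enforcement allow rule per key, permissions sorted."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        perm_list = sorted(perms)
        body = perm_list[0] if len(perm_list) == 1 else "{ " + " ".join(perm_list) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(parse_denials(SAMPLE_LOG)):
        print(rule)
```

Each rule grants the permission to every object of the target type, not only the one file named in the log, which is why the generated postfixpickup.te is worth reading before the module is installed.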
Is this an SELinux policy problem? How can I go about fixing this? I'd prefer to run with SELinux enabled ...
# grep postfix_spool /var/log/messages | audit2allow -M postfixpickup
# semodule -i postfixpickup.pp
Will fix it for now.
I will update policy to allow searching of this directory
Hmm, this didn't work ...
[root jeff]# grep postfix_spool /var/log/messages | audit2allow -M postfixpickup
Generating type enforcment file: postfixpickup.te
Compiling policy
checkmodule -M -m -o postfixpickup.mod postfixpickup.te
semodule_package -o postfixpickup.pp -m postfixpickup.mod
******************** IMPORTANT ***********************
In order to load this newly created policy package into the kernel, you are required to execute
semodule -i postfixpickup.pp
[root jeff]# semodule -i postfixpickup.pp
slimserver homedir /usr/local/slimserver or its parent directory conflicts with a defined context in /etc/selinux/targeted/contexts/files/file_contexts, /usr/sbin/genhomedircon will not create a new context.
[root jeff]# grep -i slim /etc/selinux/targeted/contexts/files/file_contexts
[root jeff]#
I'm not sure why it's complaining about slimserver since there's no "slim" in that file. I could deinstall that to do the semodule command, then reinstall. Or I could wait until you guys push out the next SELinux policy, then enable SELinux.
Suggestions?
Thanks!
-- Jeff
Jeff Coffler wrote:
Is this an SELinux policy problem? How can I go about fixing this? I'd prefer to run with SELinux enabled ...
# grep postfix_spool /var/log/messages | audit2allow -M postfixpickup
# semodule -i postfixpickup.pp
Will fix it for now.
I will update policy to allow searching of this directory
Hmm, this didn't work ...
[root jeff]# grep postfix_spool /var/log/messages | audit2allow -M postfixpickup
Generating type enforcment file: postfixpickup.te
Compiling policy
checkmodule -M -m -o postfixpickup.mod postfixpickup.te
semodule_package -o postfixpickup.pp -m postfixpickup.mod
******************** IMPORTANT ***********************
In order to load this newly created policy package into the kernel, you are required to execute
semodule -i postfixpickup.pp
[root jeff]# semodule -i postfixpickup.pp
slimserver homedir /usr/local/slimserver or its parent directory conflicts with a defined context in /etc/selinux/targeted/contexts/files/file_contexts, /usr/sbin/genhomedircon will not create a new context.
[root jeff]# grep -i slim /etc/selinux/targeted/contexts/files/file_contexts
[root jeff]#
I'm not sure why it's complaining about slimserver since there's no "slim" in that file. I could deinstall that to do the semodule command, then reinstall. Or I could wait until you guys push out the next SELinux policy, then enable SELinux.
Suggestions?
Thanks!
-- Jeff
Is there a password entry for slimserver? If yes, make sure it has a shell of /sbin/nologin or /bin/false. Then you can run genhomedircon.