Hi,
I have selinux enforcing and postfix for mail delivery. It turns out that postfix does not "work" if selinux is enabled (setenforce 0 selinux sets it to work again).
However, I don't really want to leave selinux in disabled mode. So, I was looking around and found the following:
https://linux.die.net/man/8/postfix_virtual_selinux
which says that:
semanage permissive -a postfix_virtual_t
which allows for postfix to be permissive. Is this all that is needed?
I also came across this page:
https://www.bitdefender.com/support/how-to-configure-selinux-when-using-post...
but I am not sure: are these the best ways to use postfix with selinux on F31?
Many thanks and best wishes, Ranjan
Am 12.04.2020 um 20:56 schrieb Ranjan Maitra:
Hi,
I have selinux enforcing and postfix for mail delivery. It turns out that postfix does not "work" if selinux is enabled (setenforce 0 selinux sets it to work again).
[ ... ]
but I am not sure: are these the best ways to use postfix with selinux on F31?
Many thanks and best wishes, Ranjan
Which AVCs do you get? Did you analyze them using audit2why?
Alexander
On Sun, 12 Apr 2020 21:45:00 +0200 Alexander Dalloz ad+lists@uni-x.org wrote:
Am 12.04.2020 um 20:56 schrieb Ranjan Maitra:
Hi,
I have selinux enforcing and postfix for mail delivery. It turns out that postfix does not "work" if selinux is enabled (setenforce 0 selinux sets it to work again).
[ ... ]
but I am not sure: are these the best ways to use postfix with selinux on F31?
Many thanks and best wishes, Ranjan
Which AVCs do you get? Did you analyze them using audit2why?
My apologies, but what does this mean? Sorry. Ranjan
Am 12.04.2020 um 22:49 schrieb Ranjan Maitra:
On Sun, 12 Apr 2020 21:45:00 +0200 Alexander Dalloz ad+lists@uni-x.org wrote:
Am 12.04.2020 um 20:56 schrieb Ranjan Maitra:
Hi,
I have selinux enforcing and postfix for mail delivery. It turns out that postfix does not "work" if selinux is enabled (setenforce 0 selinux sets it to work again).
[ ... ]
but I am not sure: are these the best ways to use postfix with selinux on F31?
Many thanks and best wishes, Ranjan
Which AVCs do you get? Did you analyze them using audit2why?
My apologies, but what does this mean? Sorry. Ranjan
Run your installation with SELinux in permissive mode. Then find the AVCs related to postfix.
https://docs.fedoraproject.org/en-US/quick-docs/troubleshooting_selinux/
You can use ausearch or grep for "type=AVC" in the audit.log. You can then feed audit2why with the AVC audit log line and get a hint about what may need to be done. Maybe a directory needs to have proper labeling.
You didn't tell us which part of Postfix does not operate as it should.
Alexander
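The triage described above (collect the `type=AVC` records for Postfix, then decide whether a file label or the policy is at fault), as an added example that is not part of the thread. The audit records are constructed for illustration, `avc_triage` is a hypothetical helper name, and treating `unlabeled_t`/`default_t` targets as "relabel" candidates is a heuristic assumed here.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials whose source domain is a Postfix one.
# The audit records below are constructed samples, not taken from the thread.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1586738621.101:456): avc:  denied  { write } for  pid=565256 comm="cleanup" name="unix.cleanup" dev="dm-0" ino=131090 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1586738682.202:461): avc:  denied  { write } for  pid=565316 comm="cleanup" name="unix.cleanup" dev="dm-0" ino=131090 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1586738700.303:470): avc:  denied  { name_connect } for  pid=565450 comm="smtp" dest=2525 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1586738700.303:470): arch=c000003e syscall=42 success=no exit=-13 comm="smtp"
type=AVC msg=audit(1586738710.404:480): avc:  denied  { read } for  pid=900 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
EOF
}

# Reads audit records on stdin and prints one line per distinct denial:
#   count comm permission(s) tclass target_type verdict
avc_triage() {
    awk '
    # Return the value of name=value from an audit record, or "" if absent.
    function field(line, name) {
        if (match(line, name "=[^ ]+"))
            return substr(line, RSTART + length(name) + 1, RLENGTH - length(name) - 1)
        return ""
    }
    # Only denials issued against a postfix_* source domain are of interest.
    /type=AVC/ && /denied/ && /scontext=[^ ]*:postfix_/ {
        perm = $0
        sub(/.*[{] /, "", perm); sub(/ [}].*/, "", perm); gsub(/ /, ",", perm)
        comm = field($0, "comm"); gsub(/"/, "", comm)
        split(field($0, "tcontext"), t, ":")      # user:role:type:level
        key = comm " " perm " " field($0, "tclass") " " t[3]
        n[key]++
        # Heuristic (assumption): a generic target type points at a lost or
        # wrong file label, so relabel first; anything else goes to audit2why.
        v[key] = (t[3] == "unlabeled_t" || t[3] == "default_t") ? "relabel" : "review"
    }
    END { for (k in n) printf "%d %s %s\n", n[k], k, v[k] }
    ' | sort
}

# Stand-alone run on the constructed sample; on a real host pipe in the
# output of: ausearch -m AVC -ts recent   (or grep type=AVC audit.log)
sample_audit_log | avc_triage
```

Lines marked `review` are the ones worth passing to audit2why; lines marked `relabel` suggest checking file contexts before touching policy or making a domain permissive.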
On 4/12/20 11:56 AM, Ranjan Maitra wrote:
I have selinux enforcing and postfix for mail delivery. It turns out that postfix does not "work" if selinux is enabled (setenforce 0 selinux sets it to work again).
You need to describe how you have it configured and what isn't working. I've been using postfix for many years and never had any selinux issues.
On Sun, 12 Apr 2020 14:44:44 -0700 Samuel Sieb samuel@sieb.net wrote:
On 4/12/20 11:56 AM, Ranjan Maitra wrote:
I have selinux enforcing and postfix for mail delivery. It turns out that postfix does not "work" if selinux is enabled (setenforce 0 selinux sets it to work again).
You need to describe how you have it configured and what isn't working.
Thanks, I have been using the defaults (have not changed anything). So, postfix did not deliver my e-mail and the e-mail started delivery only after I set setenforce 0.
I've been using postfix for many years and never had any selinux issues.
I just set setenforce 1 right now and tried. And it delivered the e-mail at least to my e-mail address. I will test this some more and report back if there are issues.
Thanks again! Ranjan
On Sun, 12 Apr 2020 14:44:44 -0700 Samuel Sieb samuel@sieb.net wrote:
On 4/12/20 11:56 AM, Ranjan Maitra wrote:
I have selinux enforcing and postfix for mail delivery. It turns out that postfix does not "work" if selinux is enabled (setenforce 0 selinux sets it to work again).
You need to describe how you have it configured and what isn't working. I've been using postfix for many years and never had any selinux issues.
I spoke too soon: it does not send e-mail from my office machine. From my home machine, it appears to send e-mail. I don't know what to send but here are the differences in the two cases for the office.machine and home.machine, followed by selinux in permissive mode and then all mail (including accumulated mail getting delivered). Any suggestions? I would like to get to the bottom of this. I wonder if in the home machine, it still works because the postfix was running when selinux was enabled, whereas in the office machine I restarted postfix and enabling selinux. This is just an uninformed musing.
Thanks again, Ranjan
sudo systemctl status postfix.service
● postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-04-12 19:35:33 CDT; 9min ago
  Process: 565037 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS)
  Process: 565041 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)
  Process: 565043 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
  Process: 565202 ExecReload=/usr/sbin/postfix reload (code=exited, status=0/SUCCESS)
 Main PID: 565114 (master)
    Tasks: 3 (limit: 77040)
   Memory: 9.5M
      CPU: 749ms
   CGroup: /system.slice/postfix.service
           ├─565114 /usr/libexec/postfix/master -w
           ├─565115 pickup -l -t unix -u
           └─565217 qmgr -l -t unix -u
Apr 12 19:42:41 office.machine postfix/master[565114]: warning: /usr/libexec/postfix/cleanup: bad command startup -- throttling
Apr 12 19:43:00 office.machine postfix/master[565114]: warning: unix_trigger_event: read timeout for service public/pickup
Apr 12 19:43:41 office.machine postfix/cleanup[565256]: fatal: open lock file pid/unix.cleanup: cannot open file: Permission den>
Apr 12 19:43:42 office.machine postfix/master[565114]: warning: process /usr/libexec/postfix/cleanup pid 565256 exit status 1
Apr 12 19:43:42 office.machine postfix/master[565114]: warning: /usr/libexec/postfix/cleanup: bad command startup -- throttling
Apr 12 19:44:00 office.machine postfix/master[565114]: warning: unix_trigger_event: read timeout for service public/pickup
Apr 12 19:44:42 office.machine postfix/cleanup[565316]: fatal: open lock file pid/unix.cleanup: cannot open file: Permission den>
Apr 12 19:44:43 office.machine postfix/master[565114]: warning: process /usr/libexec/postfix/cleanup pid 565316 exit status 1
Apr 12 19:44:43 office.machine postfix/master[565114]: warning: /usr/libexec/postfix/cleanup: bad command startup -- throttling
Apr 12 19:45:00 office.machine postfix/master[565114]: warning: unix_trigger_event: read timeout for service public/pickup
lines 1-26/26 (END)
--------- home machine:
$ sudo systemctl status postfix.service
● postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor pre>
   Active: active (running) since Thu 2020-04-09 06:23:47 CDT; 3 days ago
 Main PID: 1004 (master)
    Tasks: 4 (limit: 18820)
   Memory: 22.9M
      CPU: 15.339s
   CGroup: /system.slice/postfix.service
           ├─ 1004 /usr/libexec/postfix/master -w
           ├─ 1006 qmgr -l -t unix -u
           ├─ 3058 tlsmgr -l -t unix -u
           └─180983 pickup -l -t unix -u
Apr 12 19:27:04 home.machine postfix/pickup[180983]: 55F372278D: uid=1>
Apr 12 19:27:04 home.machine postfix/cleanup[182068]: 55F372278D: mess>
Apr 12 19:27:04 home.machine postfix/qmgr[1006]: 55F372278D: from=<mai>
Apr 12 19:27:04 home.machine postfix/local[182071]: 55F372278D: to=<ma>
Apr 12 19:27:04 home.machine postfix/qmgr[1006]: 55F372278D: removed
Apr 12 19:34:22 home.machine postfix/pickup[180983]: D2DCE2278D: uid=1>
Apr 12 19:34:22 home.machine postfix/cleanup[184925]: D2DCE2278D: mess>
Apr 12 19:34:22 home.machine postfix/qmgr[1006]: D2DCE2278D: from=<mai>
Apr 12 19:34:22 home.machine postfix/local[184927]: D2DCE2278D: to=<ma>
Apr 12 19:34:22 home.machine postfix/qmgr[1006]: D2DCE2278D: removed
So, then I decided to
$ sudo setenforce 0
$ sudo systemctl status postfix.service
● postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-04-12 19:35:33 CDT; 19min ago
  Process: 565037 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, sta>
  Process: 565041 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited,>
  Process: 565043 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCC>
  Process: 565202 ExecReload=/usr/sbin/postfix reload (code=exited, status=0/SU>
 Main PID: 565114 (master)
    Tasks: 12 (limit: 77040)
   Memory: 21.9M
      CPU: 1.021s
   CGroup: /system.slice/postfix.service
           ├─565114 /usr/libexec/postfix/master -w
           ├─565217 qmgr -l -t unix -u
           ├─565448 cleanup -z -t unix -u
           ├─565449 trivial-rewrite -n rewrite -t unix -u
           ├─565450 smtp -t unix -u
           ├─565451 smtp -t unix -u
           ├─565452 scache -l -t unix -u
           ├─565453 bounce -z -n trace -t unix -u
           ├─565454 local -t unix
           ├─565455 cleanup -z -t unix -u
           ├─565456 local -t unix
           └─565457 pickup -l -t unix -u
Apr 12 19:53:52 office.machine postfix/local[565454]: B079D161EB3:>
Apr 12 19:53:52 office.machine postfix/qmgr[565217]: B079D161EB3: >
Apr 12 19:53:52 office.machine postfix/qmgr[565217]: A533B16108C: >
Apr 12 19:53:52 office.machine postfix/smtp[565451]: B59F1161E08: >
Apr 12 19:53:52 office.machine postfix/cleanup[565455]: D3E2416073>
Apr 12 19:53:52 office.machine postfix/bounce[565453]: B59F1161E08>
Apr 12 19:53:52 office.machine postfix/qmgr[565217]: D3E2416073B: >
Apr 12 19:53:52 office.machine postfix/qmgr[565217]: B59F1161E08: >
Apr 12 19:53:52 office.machine postfix/local[565454]: D3E2416073B:>
Apr 12 19:53:52 office.machine postfix/qmgr[565217]: D3E2416073B: >
On 4/12/20 6:03 PM, Ranjan Maitra wrote:
On Sun, 12 Apr 2020 14:44:44 -0700 Samuel Sieb samuel@sieb.net wrote:
On 4/12/20 11:56 AM, Ranjan Maitra wrote:
I have selinux enforcing and postfix for mail delivery. It turns out that postfix does not "work" if selinux is enabled (setenforce 0 selinux sets it to work again).
You need to describe how you have it configured and what isn't working. I've been using postfix for many years and never had any selinux issues.
I spoke too soon: it does not send e-mail from my office machine. From my home machine, it appears to send e-mail. I don't know what to send but here are the differences in the two cases for the office.machine and home.machine, followed by selinux in permissive mode and then all mail (including accumulated mail getting delivered). Any suggestions? I would like to get to the bottom of this. I wonder if in the home machine, it still works because the postfix was running when selinux was enabled, whereas in the office machine I restarted postfix and enabling selinux. This is just an uninformed musing.
I don't understand what all you were showing in the parts after this, although I did see a bit of a permission denied message. I would suggest running "fixfiles onboot" and then rebooting the system. See if that solves your problem.
On Sun, 12 Apr 2020 18:51:57 -0700 Samuel Sieb samuel@sieb.net wrote:
On 4/12/20 6:03 PM, Ranjan Maitra wrote:
On Sun, 12 Apr 2020 14:44:44 -0700 Samuel Sieb samuel@sieb.net wrote:
On 4/12/20 11:56 AM, Ranjan Maitra wrote:
I have selinux enforcing and postfix for mail delivery. It turns out that postfix does not "work" if selinux is enabled (setenforce 0 selinux sets it to work again).
You need to describe how you have it configured and what isn't working. I've been using postfix for many years and never had any selinux issues.
I spoke too soon: it does not send e-mail from my office machine. From my home machine, it appears to send e-mail. I don't know what to send but here are the differences in the two cases for the office.machine and home.machine, followed by selinux in permissive mode and then all mail (including accumulated mail getting delivered). Any suggestions? I would like to get to the bottom of this. I wonder if in the home machine, it still works because the postfix was running when selinux was enabled, whereas in the office machine I restarted postfix and enabling selinux. This is just an uninformed musing.
I don't understand what all you were showing in the parts after this, although I did see a bit of a permission denied message. I would suggest running "fixfiles onboot" and then rebooting the system. See if that solves your problem.
Thanks, sorry, I was providing the output of sudo systemctl status postfix.service.
I will run this when I go in in a few days. Since we are all not supposed to be at work, it will take a few days. Thanks for the suggestion.
Best wishes, Ranjan
On Sun, 12 Apr 2020 18:51:57 -0700 Samuel Sieb samuel@sieb.net wrote:
On 4/12/20 6:03 PM, Ranjan Maitra wrote:
On Sun, 12 Apr 2020 14:44:44 -0700 Samuel Sieb samuel@sieb.net wrote:
On 4/12/20 11:56 AM, Ranjan Maitra wrote:
I have selinux enforcing and postfix for mail delivery. It turns out that postfix does not "work" if selinux is enabled (setenforce 0 selinux sets it to work again).
You need to describe how you have it configured and what isn't working. I've been using postfix for many years and never had any selinux issues.
I spoke too soon: it does not send e-mail from my office machine. From my home machine, it appears to send e-mail. I don't know what to send but here are the differences in the two cases for the office.machine and home.machine, followed by selinux in permissive mode and then all mail (including accumulated mail getting delivered). Any suggestions? I would like to get to the bottom of this. I wonder if in the home machine, it still works because the postfix was running when selinux was enabled, whereas in the office machine I restarted postfix and enabling selinux. This is just an uninformed musing.
I don't understand what all you were showing in the parts after this, although I did see a bit of a permission denied message. I would suggest running "fixfiles onboot" and then rebooting the system. See if that solves your problem.
I wanted to report that I was able to get into my office and reboot the machine. The process of relabeling the system took around 45 minutes or so, but the issue has gone away (at least for now). I don't know if the problem was caused by something during the last (F30->F31) upgrade but that is when I noticed that selinux was blocking postfix. Hopefully, it will still work well from now on.
Thanks, Samuel!
Ranjan