postfix and selinux [selinux updates broke postfix?]

rjcroasdale · 03-11-2010, 10:00 PM

Hi all, I've been looking at this again, your input will be appreciated

I did a "yum update" to install selinux updates

Code:

Mar 10 05:34:54 Updated: selinux-policy-3.3.1-135.fc9.noarch
Mar 10 05:35:17 Updated: selinux-policy-targeted-3.3.1-135.fc9.noarch

Now postfix wont sendmails with selinux enabled;

I want to get postfix sending emails without having to disable selinux :S
I can start postfix and it sends emails with selinux off | SETENFORCE 0
If i then SETENFORCE 1 without stopping postfix the service still runs but doesnt sendmail :S

Code:

Mar 11 05:24:38 HOSTNAME postfix/cleanup[27957]: fatal: open lock file pid/unix.cleanup: cannot open file: Permission denied
Mar 11 05:24:39 HOSTNAME postfix/master[27911]: warning: process /usr/libexec/postfix/cleanup pid 27957 exit status 1
Mar 11 05:24:39 HOSTNAME postfix/master[27911]: warning: /usr/libexec/postfix/cleanup: bad command startup -- throttling

^^^ OK WHATS THIS?? Permission denied? - IF I CAN FIX THIS IT SHOULD WORK! ^^^

BACKGROUND INFO

Hi all, all this is done by looking at forums/docs on the net;

So my server has been running fine for a year or so, i use postfix and dovecot;
I wanted to update some mailboxes so i added a user

Code:

adduser -s /sbin/nologin sales; passwd info

(later realising that there was in a config file aliases)

Code:

sales:		postmaster

so i changed that by commenting it out.

Code:

#sales:		postmaster

Futher reading showed I then needed to update this by using

Code:

newaliases

and

Code:

/etc/init.d/postfix restart

but postfix wouldent shutdown to startup again;
futher reading and log file viewing showed an avc: denied message so i turned of selinux

Code:

setenforce 0

and

Code:

/etc/init.d/postfix restart

worked,

great, reading futher i did a "yum update" to install selinux updates

Code:

Mar 10 05:34:54 Updated: selinux-policy-3.3.1-135.fc9.noarch
Mar 10 05:35:17 Updated: selinux-policy-targeted-3.3.1-135.fc9.noarch

but i still cant start or stop postfix with selinux turned on;

ok so after the SELINUX update, now POSTFIX wont send mails if SELINUX is turned on !!

I found this on bugzilla

Code:

https,//bugzilla.redhat,com/show_bug.cgi?id=553492

^^ had to replace : and . with , cos i'm not allowed to post links yet

"Bug 553492 - New selinux packages broke Postfix "

"One of my mailservers running postfix has suddenly stopped sending mail"

Same problem as me, postfix has stopped sending emails with selinux turned on after selinux updates!

Can anyone help cos the bugzilla posts freak me out, i have no-idea about below

Code:

Create a file called mypostfix.te with the following content.

=================================cut =========================================
policy_module(mypostfix, 1.0)

gen_require(`
 type sendmail_t;
')

allow postfix_postdrop_t sendmail_t:unix_stream_socket { getattr read write
ioctl };
=============================================================================

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypostfix.pp

i have no-idea if this is a fix or not, its bugzilla posts has confuzzled me!

Help a nub out please

Regards

blacky_5251 · 03-11-2010, 10:18 PM

The steps you found on Red Hat's bugzilla site should fix your problem. There are three steps to follow. First create the text file as instructed. Second, use "make" to create a module to install into SELinux. Then finally, install the newly created module.

Have you followed the bugzilla steps yet, or have you been waiting for a reply?

I had the same problem with Postfix on CentOS a month or three back, and the fix you found fixed it for me

rjcroasdale · 03-11-2010, 10:35 PM

Quote:

Originally Posted by blacky_5251

The steps you found on Red Hat's bugzilla site should fix your problem. There are three steps to follow. First create the text file as instructed. Second, use "make" to create a module to install into SELinux. Then finally, install the newly created module.

Have you followed the bugzilla steps yet, or have you been waiting for a reply?

I had the same problem with Postfix on CentOS a month or three back, and the fix you found fixed it for me

Hi thankyou for the confirmation, I havent followed those steps on bug report yet as i was unsure about it, i will give it a go now, thank-you again

brb

blacky_5251 · 03-11-2010, 10:37 PM

BTW, a later update to SELinux was delivered for CentOS that solved the issue as well. This might not have filtered down to FC9 yet though. If you've just received the Postfix bug, it might be another couple of weeks before the SELinux policy fix arrives

rjcroasdale · 03-11-2010, 10:48 PM

I don't get it :S

I made a file called mypostfix.pp and uploaded it to my root folder;
its content is;

Code:

policy_module(mypostfix, 1.0)

gen_require(`
 type sendmail_t;
 type postfix_postdrop_t;
')

allow postfix_postdrop_t sendmail_t:unix_stream_socket { getattr read write
ioctl };

Then i did

Code:

make -f /usr/share/selinux/devel/Makefile
make: /usr/share/selinux/devel/Makefile: No such file or directory
make: *** No rule to make target `/usr/share/selinux/devel/Makefile'.  Stop.

figured it the make -f needed to point to the file mypostfix.pp so;

Code:

make -f mypostfix.pp
mypostfix.pp:1: *** missing separator.  Stop.

and

Code:

semodule -i mypostfix.pp
libsepol.module_package_read_offsets: wrong magic number for module package:  expected 0xf97cff8f, got 0x696c6f70
libsemanage.parse_module_headers: Could not parse module data.
semodule:  Failed on mypostfix.pp!

help i'm such a nub :S

blacky_5251 · 03-11-2010, 10:49 PM

The text file is meant to have a suffix of te, not pp. The make command should create the pp file.

rjcroasdale · 03-11-2010, 10:56 PM

Renamed it but still get

Code:

make -f mypostfix.te
mypostfix.te:1: *** missing separator.  Stop.

the file has the following content

Code:

policy_module(mypostfix, 1.0)

gen_require(`
 type sendmail_t;
 type postfix_postdrop_t;
')

allow postfix_postdrop_t sendmail_t:unix_stream_socket { getattr read write
ioctl };

rjcroasdale · 03-11-2010, 11:05 PM

Gonna try and use linux to create the file via the ssh screen, i used notepad++ on windows2000 to make the file, then just tried the notepad++ "convert to unix format" and still no joy, gonna see if i can figure out how to make the file ...(VI perhaps) I'm such a nub

blacky_5251 · 03-11-2010, 11:24 PM

It doesn't look quite right to me. Try this file:-

Code:

module postfix 1.0;

require {
        type postfix_postdrop_t;
        type tmp_t;
        class file getattr;
}

#============= postfix_postdrop_t ==============
allow postfix_postdrop_t tmp_t:file getattr;

Using a Linux editor is a must as well

Notepad is notorious for breaking files

rjcroasdale · 03-11-2010, 11:32 PM

touch mypostfix.te
vi mypostfix.te (edited empty file)

Code:

cat mypostfix.te
policy_module(mypostfix, 1.0)

gen_require(`
 type sendmail_t;
 type postfix_postdrop_t;
')

allow postfix_postdrop_t sendmail_t:unix_stream_socket { getattr read write
ioctl };

I still get

Code:

make -f mypostfix.te
mypostfix.te:1: *** missing separator.  Stop.

so i pasted your code into vi

Code:

cat mypostfix.te
module postfix 1.0;

require {
        type postfix_postdrop_t;
        type tmp_t;
        class file getattr;
}

#============= postfix_postdrop_t ==============
allow postfix_postdrop_t tmp_t:file getattr;

I still get

Code:

 make -f mypostfix.te
mypostfix.te:1: *** missing separator.  Stop.

;(

aww the joys of the learning curve

;(

blacky_5251 · 03-11-2010, 11:47 PM

Do you have the SELinux development package installed?

Code:

rpm -qa | grep selinux-policy-devel

If not, you will need to install it before you can go on. The make command was actually correct before, it just wasn't working because it couldn't find the SELinux development Makefile (i.e. /usr/share/selinux/devel/Makefile).

So, get the RPM installed and we'll start again using these commands (assuming you've already created the text file mypostfix.te:-

Code:

make -f /usr/share/selinux/devel/Makefile
semodule -i mypostfix.pp

The "make" command should create the file mypostfix.pp, so don't continue unless it is there.

spampig · 03-11-2010, 11:49 PM

I'm not sure if this will help - but a quick google on 'missing separator' gives this...

"Unlike most other Make programs which accept any whitespace character at the beginning of a command in a rule, GNU Make insists that every such line begins with a TAB. (Most other Unix Make programs also require TABs, and the Posix standard requires it as well.) Make sure that the line whose number is printed in the error message (in this case, line 1) begins with a TAB."

BTW From your last paste on the make, is that space supposed to be there or is it a cut/paste typo?

rjcroasdale · 03-11-2010, 11:58 PM

YAY!

Code:

yum install selinux-policy-devel

Installed:
  selinux-policy-devel.noarch 0:3.3.1-135.fc9

Complete!

Code:

make -f /usr/share/selinux/devel/Makefile
Compiling targeted mypostfix module
/usr/bin/checkmodule:  loading policy configuration from tmp/mypostfix.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 8) to tmp/mypostfix.mod
Creating targeted mypostfix.pp policy package
rm tmp/mypostfix.mod.fc tmp/mypostfix.mod

Code:

[root@HOSTNAME ~]# semodule -i mypostfix.pp
[root@HOSTNAME ~]#

this last command gave no output just went to the next command line; i assume it executed something :s

Gonna start postfix now and check to see if it sends mail with setenforce 1

fingers crossed....

blacky_5251 · 03-11-2010, 11:59 PM

Also, stick with the original text file you found here:- https://bugzilla.redhat.com/show_bug.cgi?id=553492

rjcroasdale · 03-12-2010, 12:09 AM

still have to disable selinux to get mail to send;

still have these messages in maillog and message

Code:

Mar 12 06:03:52 HOSTNAME postfix/cleanup[7581]: fatal: open lock file pid/unix.cleanup: cannot open file: Permission denied
Mar 12 06:03:53 HOSTNAME postfix/master[7523]: warning: process /usr/libexec/postfix/cleanup pid 7581 exit status 1
Mar 12 06:03:53 HOSTNAME postfix/master[7523]: warning: /usr/libexec/postfix/cleanup: bad command startup -- throttling]

Code:

Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.566:232533): avc:  denied  { connectto } for  pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.566:232534): avc:  denied  { connectto } for  pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.567:232535): avc:  denied  { connectto } for  pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.567:232536): avc:  denied  { connectto } for  pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.568:232537): avc:  denied  { read write } for  pid=7581 comm="cleanup" name="unix.cleanup" dev=sda1 ino=8306741 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file

Should the command

Code:

[root@HOSTNAME ~]# semodule -i mypostfix.pp
[root@HOSTNAME ~]#

have outputted something?

I confirm the files the make command created are
mypostfix.fc
mypostfix.if
mypostfix.pp

and i used

Code:

policy_module(mypostfix, 1.0)

gen_require(`
 type sendmail_t;
 type postfix_postdrop_t;
')

allow postfix_postdrop_t sendmail_t:unix_stream_socket { getattr read write
ioctl };

in the .te file.

Thankyou again for taking the time to help me