How do I get enforcing SELinux and Postfix with a custom milter to work?

Tags: postfix, rhel6, selinux

I have an IPv4 setup of Postfix on RHEL6 with SELinux in enforcing mode.
All my attempts at incorporating opendkim fail miserably unless I leave enforcing mode.

The errors I get when SELinux is enforcing:

Jan 25 09:57:25 <mail.warning> katniss postfix/cleanup[16571]: warning: cannot receive milters via service cleanup socket socket
Jan 25 09:57:25 <mail.crit> katniss postfix/cleanup[16571]: fatal: cleanup_milter_receive: milter receive failed
Jan 25 09:57:26 <mail.warning> katniss postfix/smtpd[16567]: warning: cannot send milters to service public/cleanup socket
Jan 25 09:57:26 <mail.warning> katniss postfix/master[16559]: warning: process /usr/libexec/postfix/cleanup pid 16571 exit status 1
Jan 25 09:57:26 <mail.warning> katniss postfix/master[16559]: warning: /usr/libexec/postfix/cleanup: bad command startup -- throttling

What I've done recently:

setenforce permissive

(sending mail works)

setenforce enforcing

(sending mail fails with cleanup errors above)

egrep -e 'postfix|opendkim|cleanup' /var/log/audit/audit.log | audit2allow -m postfixMine > postfixMine.te
checkmodule -M -m -o postfixMine.mod postfixMine.te 
semodule_package -m postfixMine.mod -o postfixMine.pp
semodule -i postfixMine.pp

(sending mail still fails with the same errors from cleanup above)

So, everything works as expected with the permissive SELinux setting, and fails with the enforcing setting.

In postfix main.cf:

smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol         = 2

Some info:

# netstat -napl | grep 8891
tcp        0      0 127.0.0.1:8891              0.0.0.0:*                   LISTEN      16464/opendkim      

# ps -ef|grep opendkim
opendkim 16463     1  0 09:56 ?        00:00:00 /usr/local/sbin/opendkim -x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid
opendkim 16464 16463  0 09:56 ?        00:00:00 /usr/local/sbin/opendkim -x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid

# ls -lZ /usr/libexec/postfix/cleanup
-rwxr-xr-x. root root system_u:object_r:postfix_cleanup_exec_t:SystemLow /usr/libexec/postfix/cleanup

Before I begin pulling my hair out, can someone point me in the right direction, please?
There must be something very simple I'm overlooking.

I know the purpose of SELinux, but I haven't found any tutorials that seem to be on "my level" (short and informative) 🙂, so I'm still a n00b when it comes to SELinux. Very willing to learn.

Disabling SELinux is not the way I learn.

Best Answer

The problem was that the audit2allow-generated postfixMine.te became:

module postfixMine 1.0;

require {
    type postfix_smtpd_t;
    type postfix_cleanup_t;
    class tcp_socket { getopt getattr };
}

#============= postfix_cleanup_t ==============
#!!!! This avc is allowed in the current policy

allow postfix_cleanup_t postfix_smtpd_t:tcp_socket { getopt getattr };

I added read and write to class tcp_socket into this:

module postfixMine 1.0;

require {
    type postfix_smtpd_t;
    type postfix_cleanup_t;
    class tcp_socket { getopt getattr read write };
}

#============= postfix_cleanup_t ==============
#!!!! This avc is allowed in the current policy

allow postfix_cleanup_t postfix_smtpd_t:tcp_socket { getopt getattr read write };

followed by these commands to recompile the new policy:

checkmodule -M -m -o postfixMine.mod postfixMine.te 
semodule_package -m postfixMine.mod -o postfixMine.pp
semodule -i postfixMine.pp

and now it finally works!
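What the question's audit2allow run and the answer's hand edit are doing, reduced to the core operation: collect AVC denials from audit.log, merge the denied permissions per (source type, target type, class), and render a .te module. The script below is an added illustration, not code from the original post and not the audit2allow tool itself; the AVC lines are constructed samples (PIDs, timestamps and contexts are assumed). It also shows why the first module in the answer only carried getopt and getattr: when cleanup is killed at the first denial in enforcing mode, the later read and write accesses are never attempted, so they never reach the log and never reach the module. Running the failing operation once in permissive mode (or iterating load-and-retry, as the poster did) yields the complete set.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not copied from the original post). The first
# two are what an enforcing-mode run produces before cleanup exits; the last one
# only appears once the earlier denials are allowed or the system is permissive.
ENFORCING_RUN = """\
type=AVC msg=audit(1390640245.123:101): avc:  denied  { getopt } for  pid=16571 comm="cleanup" scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=tcp_socket
type=AVC msg=audit(1390640245.124:102): avc:  denied  { getattr } for  pid=16571 comm="cleanup" scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1390640245.124:102): arch=c000003e syscall=55 success=no exit=-13 comm="cleanup"
"""
PERMISSIVE_RUN = ENFORCING_RUN + """\
type=AVC msg=audit(1390640246.001:103): avc:  denied  { read write } for  pid=16571 comm="cleanup" scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:system_r:postfix_smtpd_t:s0 tclass=tcp_socket
"""

# One AVC record: permissions in braces, then source/target contexts and the class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """user:role:type[:range] -> type (works with and without an MLS range)."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Merge every AVC denial into {(source_type, target_type, class): {perms}}."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no permission info
        key = (context_type(m.group("sctx")), context_type(m.group("tctx")), m.group("tclass"))
        denials[key].update(m.group("perms").split())
    return dict(denials)


def render_te(module_name, denials, version="1.0"):
    """Render a .te module in the same shape the page's audit2allow output has."""
    types = sorted({t for (src, tgt, _) in denials for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls] |= perms
    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"    type {t};" for t in types]
    lines += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(denials.items()):
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


def missing_permissions(partial_log, complete_log):
    """Permissions a module built from partial_log would lack, keyed by rule."""
    partial, complete = parse_denials(partial_log), parse_denials(complete_log)
    return {k: v - partial.get(k, set()) for k, v in complete.items() if v - partial.get(k, set())}


if __name__ == "__main__":
    print(render_te("postfixMine", parse_denials(PERMISSIVE_RUN)))
    print("missing from the enforcing-mode module:", missing_permissions(ENFORCING_RUN, PERMISSIVE_RUN))
```

Before loading a module produced this way, read the allow rule and confirm it names only the source type, target type and class you actually observed in the denial; a rule that is wider than the denial silently widens what the confined domain may do. After `semodule -i`, `semodule -l` lists the loaded modules, and a repeat of the failing operation should leave no new AVC records for that pair of types.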