2008/8/14 Voytek Eymont <[EMAIL PROTECTED]>:
> I then built and installed a Postfix rpm using Simon Mudd's srpm as:
> postfix-2.5.2-1.pcre.mysql.sasl2.rhel5.i386.rpm

I know zero about this particular SRPM, but it's doing things
differently to what's expected (Centos' wouldn't ship with an SElinux
policy that doesn't work with the stock postfix, of course).

> but, I get these Selinux issues as per log entries below:
>
> SELinux is preventing find (postfix_master_t) "getattr" to
> /etc/postfix/examples
> (postfix_etc_t).
>
> Source Context                root:system_r:postfix_master_t
> Target Context                system_u:object_r:postfix_etc_t
> Target Objects                /etc/postfix/examples [ lnk_file ]
> Source                        find
> Source Path                   /usr/bin/find
> Port                          <Unknown>
> Host                          centos.sbt.net.au
> Source RPM Packages           findutils-4.2.27-4.1
> Target RPM Packages           postfix-2.5.2-1.pcre.mysql.sasl2.rhel5
> Policy RPM                    selinux-policy-2.4.6-137.1.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall_file

The problem (well, one of them) with SElinux is that it's a pain to
troubleshoot unless you know exactly what the heck is going on. In
this case, postfix runs in the postfix_master_t context and is trying
to access files labelled with the postfix_etc_t type. And we still
don't know what's going on.

Thoughts:
* This might imply the files are mislabelled, in which case a
bug-report against the package would be warranted. However, my stock
Centos5 postfix works fine and the files are all postfix_etc_t (and
`ps auxfZ` shows master runs in postfix_master_t)
* Why _is_ postfix running 'find' over the /etc/postfix/ directory..?
* There might be some SElinux booleans you can frob that will make
things work (using setsebool)

We've got a little documentation on dealing with SElinux that might help you:
http://anchor.com.au/hosting/dedicated/SELinux_management

The audit2allow-and-semodule dance was quite popular on the
shared-hosting server, until we eventually scrapped SElinux for being
too much of a pain in the arse. It's nice if you can use it, but the
investment required becomes too high once you start deviating from the
packaged defaults.

-Barney Desmond
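To make the triage Barney describes concrete, here is a small added example (not code from the thread or from any postfix/CentOS package) that parses a setroubleshoot report like the one quoted above into its parts and then picks between the two branches he lists: a mislabelled file (fix with restorecon) versus a genuine policy gap (the audit2allow/semodule route, or a boolean). It assumes the report text has been reassembled onto whole lines, and it takes the `ls -Z` and `matchpathcon` results as plain arguments so it runs offline; the sample report is constructed from the quoted denial.

```python
"""Parse a setroubleshoot-style SELinux denial and decide which fix applies."""
import re

# Constructed sample: the report quoted in the thread, reassembled on whole lines.
SAMPLE_REPORT = """\
SELinux is preventing find (postfix_master_t) "getattr" to /etc/postfix/examples (postfix_etc_t).

Source Context                root:system_r:postfix_master_t
Target Context                system_u:object_r:postfix_etc_t
Target Objects                /etc/postfix/examples [ lnk_file ]
Source                        find
Source Path                   /usr/bin/find
Enforcing Mode                Enforcing
"""

SUMMARY_RE = re.compile(
    r'SELinux is preventing (?P<comm>\S+) \((?P<sdom>\w+)\) '
    r'"(?P<perm>[^"]+)" to (?P<path>\S+) \((?P<ttype>\w+)\)'
)
# Key/value rows are separated by a run of two or more spaces.
FIELD_RE = re.compile(r'^(?P<key>[A-Z][A-Za-z ]*?)\s{2,}(?P<val>.+?)\s*$')
OBJECT_RE = re.compile(r'^(?P<path>\S+)\s+\[\s*(?P<cls>\w+)\s*\]$')


def parse_report(text):
    """Return the denial as a dict; raise ValueError if the summary line is absent."""
    m = SUMMARY_RE.search(text)
    if not m:
        raise ValueError("no 'SELinux is preventing' summary line found")
    fields = {}
    for line in text.splitlines():
        f = FIELD_RE.match(line)
        if f:
            fields[f.group('key').strip()] = f.group('val')
    obj = OBJECT_RE.match(fields.get('Target Objects', ''))
    return {
        'comm': m.group('comm'),                 # process name, e.g. find
        'source_domain': m.group('sdom'),        # domain the process runs in
        'permission': m.group('perm'),           # access that was denied
        'path': m.group('path'),
        'target_type': m.group('ttype'),         # type the object carried
        'object_class': obj.group('cls') if obj else None,  # file, lnk_file, dir ...
        'source_context': fields.get('Source Context'),
        'target_context': fields.get('Target Context'),
        'enforcing': fields.get('Enforcing Mode') == 'Enforcing',
    }


def type_of(context):
    """Third colon-separated field of a security context is the type."""
    return context.split(':')[2]


def triage(report, actual_context, expected_context):
    """Pick the troubleshooting branch.

    actual_context is what `ls -Z <path>` shows; expected_context is what
    `matchpathcon <path>` says the loaded policy wants for that path.
    """
    if type_of(actual_context) != type_of(expected_context):
        return 'relabel'   # file is mislabelled: restorecon fixes it, no policy change needed
    return 'policy'        # labels already match policy, so the denial is a real policy gap


def suggested_commands(report, decision):
    """Commands a practitioner would run next for the chosen branch."""
    p = report['path']
    service = report['source_domain'].split('_')[0]
    cmds = [f"ls -Z {p}", f"matchpathcon {p}"]
    if decision == 'relabel':
        cmds.append(f"restorecon -nv {p}")   # -n is a dry run; drop it to apply
    else:
        cmds += [
            f"getsebool -a | grep {service}",               # a boolean may already cover it
            f"ausearch -m avc -c {report['comm']} | audit2allow -M local_{service}",
            # Review the generated .te before `semodule -i`: audit2allow permits
            # exactly what was denied, so it can silently widen the domain.
        ]
    return cmds


if __name__ == '__main__':
    r = parse_report(SAMPLE_REPORT)
    # In the thread the file already carries postfix_etc_t, so the labels agree
    # and the denial is on the policy side, not a mislabel.
    d = triage(r, r['target_context'], 'system_u:object_r:postfix_etc_t')
    print(r['source_domain'], r['permission'], r['object_class'], '->', d)
    print('\n'.join(suggested_commands(r, d)))
```

Run against the quoted report this lands on the `policy` branch, which matches Barney's observation that the labels are the same as on a stock CentOS box; it also surfaces that the object is a `lnk_file`, which is why `getattr` on the symlink itself (not its target) is what the policy has to permit.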