21.12.2024 02:37, E R via Postfix-users wrote:
> Curious if there are others using the maillog_file setting who have found that "out of the box" RHEL 8+ or 9+ will not allow Postfix to start? I worked around the issue by creating a policy module for testing purposes thanks to the help the SELinux Tool gave me (#sealert -l "*") with the suggestion to create a module for the exception. I have reached out to Red Hat to see if they might agree this is a bug in the SELinux policy. If Red Hat does not agree I might convert my setup to use the default syslog method for logging since I prefer to limit any non-standard setups that might be prone to issues down the road when apps/OS are updated.

The prob with Postfix and all these system-specific security mechanisms is that you can configure any path for the log file in Postfix's main.cf, and you have to adjust the security mechanism accordingly -- there's no way Red Hat will be able to fix this. Ditto for many other aspects with ability to configure things and to have security policies adjusted to reflect actual configuration.

The only place for such documentation addition is Postfix's readme file(s), mentioning how to adjust the SELinux security policy about this matter.

FWIW, for this particular issue, it is not Red Hat-specific, it is Linux-specific, since SELinux is included in the Linux kernel and can be enabled on any Linux system. It just so happens that Red Hat ships with SELinux enabled by default.

BTW, there are a few other things which require additional tweaks when SELinux is enabled. For example, Postfix spool sub-directories need to have an SELinux security context, which is not provided by the `post-install create-missing' functionality (since it knows nothing about SELinux). Red Hat might address this for the default instance (in /var/spool/postfix) explicitly, but might miss this for other non-default instances. Also, for chroot to work on an SELinux-enabled system, the chroot support files need their own SELinux context. And so on - this is a large topic.

Thanks,

/mjt
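
The mismatch between a configured path and the SELinux policy shows up as AVC denials in the audit log. The following is an added example, not code from the thread or from Postfix: it groups denials raised by Postfix domains so it is clear which file contexts or policy rules need adjusting. The audit records are constructed, and the type names (postfix_master_t, postfix_qmgr_t, var_log_t, var_spool_t) and paths are assumptions about the local policy and setup.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from the thread). Type names and
# object names are assumptions about the local policy and Postfix setup;
# "postfix-out" stands for a hypothetical non-default instance.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1734745020.101:411): avc:  denied  { append } for  pid=2101 comm="postlogd" name="postfix.log" dev="dm-0" ino=67 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1734745020.101:411): arch=c000003e syscall=257 success=no exit=-13 comm="postlogd" subj=system_u:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1734745020.140:412): avc:  denied  { open } for  pid=2101 comm="postlogd" path="/var/log/postfix.log" dev="dm-0" ino=67 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1734745031.007:419): avc:  denied  { search } for  pid=2140 comm="qmgr" name="active" dev="dm-0" ino=912 scontext=system_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1734745040.500:425): avc:  denied  { read } for  pid=3001 comm="httpd" name="app.log" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
NAME_RE = re.compile(r'\b(?:path|name)="([^"]+)"')

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def postfix_denials(audit_text):
    """Group AVC denials whose source domain is a postfix_* type.

    Returns {(source_type, target_type, class): {"perms": set, "objects": set}}.
    """
    grouped = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other non-AVC records
        source = selinux_type(m["scontext"])
        if not source.startswith("postfix_"):
            continue  # denial belongs to some other service
        key = (source, selinux_type(m["tcontext"]), m["tclass"])
        grouped[key]["perms"].update(m["perms"].split())
        obj = NAME_RE.search(line)
        if obj:
            grouped[key]["objects"].add(obj.group(1))
    return dict(grouped)

if __name__ == "__main__":
    for (src, tgt, cls), info in postfix_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{src} -> {tgt}:{cls} {sorted(info['perms'])} {sorted(info['objects'])}")
```

Each group in the output corresponds to one decision for the administrator: relabel the object to a type the Postfix domain may already use, or extend the local policy for that source/target pair.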