> > People with selinux knowledge I very really appreciate your
> > advice!!.....
> >
> > Trying to restart postfix installed from yum in CentOS 7. Restart
> > fails, I get:
> >
> > type=AVC msg=audit(1430429813.721:12167): avc: denied { unlink } for
> > pid=31624 comm="master" name="defer" dev="dm-0" ino=981632
> > scontext=system_u:system_r:postfix_master_t:s0
> > tcontext=system_u:object_r:postfix_spool_maildrop_t:s0
> > tclass=sock_file
> >
> > I guess it needs to remove the /var/spool/postfix/private/defer socket
> > file.
> >
> > audit2allow says this will fix it:
> >
> > allow postfix_master_t postfix_spool_maildrop_t:sock_file unlink;
> >
> > But how do I add this permission to the existing Postfix SELinux
> > policy???
>
> See the man pages for audit2allow, semodule, checkmodule,
> postfix_selinux and semanage. The first provides a complete run-through
> of how to adapt your local policies from your audit logs, but it is
> useful to understand the others as well.

You're recommending building a new postfix SELinux policy when one
already exists? Why? Why can't I add the needed permission to the policy
that comes with the yum installation of postfix?

> > Why was it missing???
>
> That's a question for RedHat. They maintain the default SELinux policies
> that are distributed with CentOS.

Do you know how to find the package maintainer's contact or the right
place to submit a report?

> > By the way, I also had AVCs when I tried to add another instance of
> > Postfix smtpd on local port 20025. Very frustrating there is no docs
> > how to add a rule for this common change.
>
> There are, and it seems you've found them and used them in this case.
>
> > Why isn't this documented somewhere?
>
> It is. See above.

No, I was referring to docs for the postfix yum package. Info for people
who use it on how to open new ports. If the command I used is the right
way to do it, then it should be simple duty to add a note about it as a
doc on a readme file or web page associated with the yum package. Or in
the "yum info" notes!

> If you're going to run a system with SELinux in enforcing mode, you
> really should read the available documentation and be prepared to
> *invent* local adaptations to the baseline policies to fit your local
> requirements. Once you start diverging from the config that was used in
> developing the default policies you risk running into them, which is
> proper: SELinux is intended to be a straitjacket on a system.

I don't know why you say these things -- 20025 is a very minor mod, but
the major problem I am asking about is I guess to be a bug in the default
policy for the package -- I am NOT diverging from the default, postfix
restart should work without need to do research how to add obscure
permission to policy that's already on the system.

Only way to add a single unlink permission to an existing policy is to
create a whole new one with a custom .te file and installing it????????
wow.

Bill, thank you for your advice
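The workflow the reply points the questioner to (audit2allow, checkmodule, semodule_package, semodule, semanage), as an added example that is not part of the thread and not code from either participant. It takes the AVC record quoted above, derives the same `.te` module source that `audit2allow -M` would generate (so the `require` block and the `allow` rule are visible), and loads it as a separate local module next to the distribution policy instead of editing the vendor package. The module name `local_postfix`, the choice of `smtp_port_t` as the label for the extra port, and the assumption that the second smtpd instance listens on TCP are mine, not the thread's.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Convert one AVC denial into a local SELinux policy module and install it
# beside the distribution policy (removable later with "semodule -r NAME").

# Constructed input: the AVC record quoted in the thread, on one line.
AVC_LINE='type=AVC msg=audit(1430429813.721:12167): avc: denied { unlink } for pid=31624 comm="master" name="defer" dev="dm-0" ino=981632 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=sock_file'

# Extract the value of one " key=value" field from an AVC record.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[ ]$1=\([^ ]*\).*/\1/p"
}

# Type component of a context label (user:role:type:level -> type).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Permission set between "denied {" and "}", trimmed of whitespace.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' \
        | sed 's/^ *//;s/ *$//'
}

# Render policy module source (.te) for one denial: module header, the
# types and class the rule needs, and the allow rule itself. Module name
# "local_postfix" used below is an assumption.
avc_to_te() {
    name=$1; line=$2
    src=$(ctx_type "$(avc_field scontext "$line")")
    tgt=$(ctx_type "$(avc_field tcontext "$line")")
    cls=$(avc_field tclass "$line")
    perms=$(avc_perms "$line")
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    printf '\ttype %s;\n' "$src"
    # A self-transition (same source and target type) needs the type once.
    [ "$src" = "$tgt" ] || printf '\ttype %s;\n' "$tgt"
    printf '\tclass %s { %s };\n}\n\n' "$cls" "$perms"
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# Compile and load NAME.te as a module alongside the stock policy. Skips
# cleanly on hosts without the SELinux userspace tools.
install_te_module() {
    name=$1
    if ! command -v checkmodule >/dev/null 2>&1; then
        echo "SELinux tools not installed; not installing $name" >&2
        return 1
    fi
    checkmodule -M -m -o "$name.mod" "$name.te" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    semodule -i "$name.pp"
}

# Label an extra TCP port for a second smtpd instance. Assumes the port
# should carry smtp_port_t, the label of the stock SMTP port; confirm with
# "semanage port -l | grep smtp_port_t" before relying on it.
allow_smtp_port() {
    command -v semanage >/dev/null 2>&1 || { echo "semanage not available" >&2; return 1; }
    semanage port -a -t smtp_port_t -p tcp "$1"
}

# Show the generated module source for the thread's denial.
avc_to_te local_postfix "$AVC_LINE"
```

On the affected host the same source would be written with `avc_to_te local_postfix "$AVC_LINE" > local_postfix.te`, installed with `install_te_module local_postfix`, and the second instance's port labelled with `allow_smtp_port 20025`; `semodule -l` then lists `local_postfix` next to the vendor `postfix` module, which is what lets the stock policy stay untouched. In practice `grep postfix_master_t /var/log/audit/audit.log | audit2allow -M local_postfix` produces the same `.te` and `.pp` in one step; the hand conversion here only makes visible what that command generates.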