[CentOS] SELInux and POSTFIX

Wed Apr 23 20:44:27 UTC 2014
Daniel J Walsh <dwalsh at redhat.com>

Looks like this is allowed in rhel6.5 policy. You could try

selinux-policy-3.7.19-235.el6
on people.redhat.com/dwalsh/SELinux/RHEL6


On 04/23/2014 01:51 PM, James B. Byrne wrote:
> Installed Packages
> Name        : postfix
> Arch        : x86_64
> Epoch       : 2
> Version     : 2.6.6
> Release     : 6.el6_5
> Size        : 9.7 M
> Repo        : installed
> From repo   : updates
>
> I am seeing several of these in our maillog file after a restart of the
> Postfix service:
>
> Apr 23 12:48:27 inet08 setroubleshoot: SELinux is preventing
> /usr/libexec/postfix/smtp from 'read, write' accesses on the file 546AA6099F.
> For complete SELinux messages. run sealert -l
> b95663bb-12ce-4f34-9537-dd88a41359e5
>
>  sealert -l b95663bb-12ce-4f34-9537-dd88a41359e5
> SELinux is preventing /usr/libexec/postfix/smtp from 'read, write' accesses on
> the file 546AA6099F.
>
> *****  Plugin catchall (100. confidence) suggests  ***************************
>
> If you believe that smtp should be allowed read write access on the 546AA6099F
> file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep smtp /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> grep 546AA6099F /var/log/audit/audit.log | audit2why
>
>
> type=AVC msg=audit(1398199187.646:29332): avc:  denied  { getattr } for
> pid=23387 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398199187.646:29333): avc:  denied  { read write } for
> pid=23387 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398199927.800:29411): avc:  denied  { getattr } for
> pid=24131 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398199927.805:29412): avc:  denied  { read write } for
> pid=24131 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398201500.778:29495): avc:  denied  { getattr } for
> pid=25406 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398201500.779:29496): avc:  denied  { read write } for
> pid=25406 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398204425.415:29681): avc:  denied  { getattr } for
> pid=26964 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398204425.419:29682): avc:  denied  { read write } for
> pid=26964 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398208625.418:29910): avc:  denied  { getattr } for
> pid=29240 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398208625.419:29911): avc:  denied  { read write } for
> pid=29240 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398212826.339:30139): avc:  denied  { getattr } for
> pid=31325 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398212826.343:30140): avc:  denied  { read write } for
> pid=31325 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398217026.114:30368): avc:  denied  { getattr } for
> pid=855 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398217026.114:30369): avc:  denied  { read write } for
> pid=855 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398221225.239:30628): avc:  denied  { getattr } for
> pid=2652 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398221225.240:30629): avc:  denied  { read write } for
> pid=2652 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398225425.850:30863): avc:  denied  { getattr } for
> pid=4556 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398225425.851:30864): avc:  denied  { read write } for
> pid=4556 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398229625.107:31116): avc:  denied  { getattr } for
> pid=6545 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398229625.108:31117): avc:  denied  { read write } for
> pid=6545 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398233825.788:31345): avc:  denied  { getattr } for
> pid=8322 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398233825.789:31346): avc:  denied  { read write } for
> pid=8322 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398238025.329:31580): avc:  denied  { getattr } for
> pid=10706 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398238025.329:31581): avc:  denied  { read write } for
> pid=10706 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398242226.269:31819): avc:  denied  { getattr } for
> pid=12510 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398242226.272:31820): avc:  denied  { read write } for
> pid=12510 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398246425.661:32081): avc:  denied  { getattr } for
> pid=14363 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398246425.663:32082): avc:  denied  { read write } for
> pid=14363 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398250626.380:32316): avc:  denied  { getattr } for
> pid=16384 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398250626.381:32317): avc:  denied  { read write } for
> pid=16384 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398254826.134:32581): avc:  denied  { getattr } for
> pid=18686 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398254826.136:32582): avc:  denied  { read write } for
> pid=18686 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398259025.251:32834): avc:  denied  { getattr } for
> pid=20593 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398259025.252:32835): avc:  denied  { read write } for
> pid=20593 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398263323.263:33063): avc:  denied  { getattr } for
> pid=23647 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398263323.263:33064): avc:  denied  { read write } for
> pid=23647 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398267592.473:33300): avc:  denied  { getattr } for
> pid=27690 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398267592.474:33301): avc:  denied  { read write } for
> pid=27690 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398271701.024:33555): avc:  denied  { getattr } for
> pid=31449 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398271701.025:33556): avc:  denied  { read write } for
> pid=31449 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398271701.025:33556): avc:  denied  { open } for
> pid=31449 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679
> scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
> type=AVC msg=audit(1398271701.025:33557): avc:  denied  { lock } for
> pid=31449 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0
> ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0
> tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
>
> 	Was caused by:
> 		Missing type enforcement (TE) allow rule.
>
> 		You can use audit2allow to generate a loadable module to allow this access.
>
>
>
> Is this the result of something I may have done like restarting postfix or is
> this a real bug/error/defect/?
>
>
>
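Added example, not part of this thread and not Red Hat's, Postfix's or the SELinux tooling's own code: a small Python parser that reads raw audit.log AVC records like the ones quoted above, collapses the repeated denials into distinct (source type, target type, class) triples with the union of denied permissions, and renders each triple in the same allow-rule form that audit2allow emits. It also lists the paths seen for each triple so the admin can compare the file's actual label with what `matchpathcon` or `restorecon -nv` say it should be before deciding between a policy update (as Dan suggests) and a local module. The sample lines are constructed from the thread's entries re-joined onto single lines, plus one unrelated non-AVC record to show that it is skipped.

```python
import re
from collections import defaultdict

# Constructed sample input: four of the AVC lines from the thread, each re-joined
# onto one line as they appear in /var/log/audit/audit.log, plus one non-AVC
# record that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1398199187.646:29332): avc:  denied  { getattr } for pid=23387 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1398199187.646:29333): avc:  denied  { read write } for pid=23387 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1398271701.025:33556): avc:  denied  { open } for pid=31449 comm="smtp" name="546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1398271701.025:33557): avc:  denied  { lock } for pid=31449 comm="smtp" path="/var/spool/postfix/active/546AA6099F" dev=dm-0 ino=395679 scontext=unconfined_u:system_r:postfix_smtp_t:s0 tcontext=unconfined_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=USER_AUTH msg=audit(1398199190.000:29334): pid=1 uid=0 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" res=success'
"""

# Matches the fixed part of an AVC denial: timestamp, serial, denied permission
# set, and the three fields that determine the allow rule.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]*) \} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
# Quoted key="value" fields such as comm, path and name.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = frozenset(rec["perms"].split())
    rec.update(FIELD_RE.findall(line))  # adds comm, path/name, ...
    return rec


def type_of(context):
    """user:role:type:level -> type (the only part an allow rule needs)."""
    return context.split(":")[2]


def summarize(lines):
    """Group denials by (source type, target type, class); union the permissions."""
    rules = defaultdict(lambda: {"perms": set(), "count": 0,
                                 "paths": set(), "comms": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        entry = rules[key]
        entry["perms"] |= rec["perms"]
        entry["count"] += 1
        entry["comms"].add(rec.get("comm", "?"))
        if "path" in rec:
            entry["paths"].add(rec["path"])
    return dict(rules)


def allow_rules(rules):
    """Render each triple as an allow rule in audit2allow's output form."""
    out = []
    for (src, tgt, cls), entry in sorted(rules.items()):
        perms = " ".join(sorted(entry["perms"]))
        out.append(f"allow {src} {tgt}:{cls} {{ {perms} }};")
    return out


def report(lines):
    """Human-readable summary: rule, hit count, processes and paths involved."""
    rules = summarize(lines)
    blocks = []
    for rule, (key, entry) in zip(allow_rules(rules), sorted(rules.items())):
        blocks.append(
            f"{rule}\n  denials: {entry['count']}  comm: {', '.join(sorted(entry['comms']))}\n"
            f"  paths seen (check label with matchpathcon/restorecon -nv): "
            f"{', '.join(sorted(entry['paths'])) or '(none logged)'}"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    print(report(SAMPLE_AUDIT_LOG.splitlines()))
```

Run it against a real file with `python3 avc_summary.py < /dev/null` replaced by reading `/var/log/audit/audit.log` line by line; the point of the path column is that a file under `active/` carrying a type that the name suggests belongs to another spool directory is worth verifying against the file-context database before a local module is loaded, since a local `allow` rule silences the denial permanently whereas a relabel or the policy update Dan points to fixes the cause.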