[CentOS] CentOS-6.6 - Selinux and Postfix-2.11.1

Tue Dec 9 23:45:12 UTC 2014
Alexander Dalloz <ad+lists at uni-x.org>

On 09.12.2014 at 23:04, James B. Byrne wrote:
> Applied policy update. Now I see these occasionally. But by the time I try and
> see what the matter is the file is gone:

Why do you start a new thread instead of continuing the old one about 
the very same topic?

> /var/log/maillog
> . . .
> Dec  9 15:12:08 inet08 postfix/smtp[3670]: fatal: shared lock
> active/0A7EC60D8A: Resource temporarily unavailable
> . . .
> Dec  9 15:12:08 inet08 postfix/smtp[3758]: fatal: shared lock
> active/8DD5060F81: Resource temporarily unavailable
> . . .
> Dec  9 15:12:09 inet08 postfix/qmgr[3198]: warning: private/relay socket:
> malformed response
>
> Dec  9 15:12:09 inet08 postfix/qmgr[3198]: warning: transport relay failure --
> see a previous warning/fatal/panic logfile record for the problem description
>
> Dec  9 15:12:09 inet08 postfix/master[3195]: warning: process
> /usr/libexec/postfix/smtp pid 3670 exit status 1
>
> Dec  9 15:12:09 inet08 postfix/qmgr[3198]: warning: private/smtp socket:
> malformed response
>
> Dec  9 15:12:09 inet08 postfix/qmgr[3198]: warning: transport smtp failure --
> see a previous warning/fatal/panic logfile record for the problem description
> Dec  9 15:12:09 inet08 postfix/master[3195]: warning: process
> /usr/libexec/postfix/smtp pid 3758 exit status 1
>
> . . .
>
>
> /var/log/messages
> . . .
> Dec  9 15:12:15 inet08 setroubleshoot: SELinux is preventing
> /usr/libexec/postfix/smtp from lock access on the file
> /var/spool/postfix/active/8DD5060F81. For complete SELinux messages. run
> sealert -l 92969cc6-4d13-43ad-b39a-5ad0bbf2a4c7
> . . .
>
> sealert -l 92969cc6-4d13-43ad-b39a-5ad0bbf2a4c7
> SELinux is preventing /usr/libexec/postfix/smtp from lock access on the file
> /var/spool/postfix/active/9934A60C7D.
>
> *****  Plugin restorecon (99.5 confidence) suggests  *************************
>
> If you want to fix the label.
> /var/spool/postfix/active/9934A60C7D default label should be postfix_spool_t.
> Then you can run restorecon.
> Do
> # /sbin/restorecon -v /var/spool/postfix/active/9934A60C7D

Did you do that?

I recommend you do a full relabeling of your system. You seem to have 
messed up several things.

touch /.autorelabel
reboot

It will take some time during the boot.

Not sure if your qmgr service has the type unix, but that will fail with 
the official CentOS 6 SELinux policy. The older fifo type works without 
modifications. But that has nothing to do with your errors shown above.

> *****  Plugin catchall (1.49 confidence) suggests  ***************************
>
> If you believe that smtp should be allowed lock access on the 9934A60C7D file
> by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep smtp /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp

Alexander
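
Added example, not part of the original message: a Python sketch that matches the queue IDs in Postfix's "shared lock" fatal errors against setroubleshoot denials, to show which delivery failures have a logged SELinux denial behind them even after the queue file is gone. The sample lines are the ones quoted in this thread with wrapped lines rejoined; the function and field names are illustrative assumptions.

```python
import re

# Sample lines taken from the excerpts quoted in this thread (wrapped lines rejoined).
MAILLOG = [
    "Dec  9 15:12:08 inet08 postfix/smtp[3670]: fatal: shared lock active/0A7EC60D8A: Resource temporarily unavailable",
    "Dec  9 15:12:08 inet08 postfix/smtp[3758]: fatal: shared lock active/8DD5060F81: Resource temporarily unavailable",
    "Dec  9 15:12:09 inet08 postfix/qmgr[3198]: warning: private/smtp socket: malformed response",
]
MESSAGES = [
    "Dec  9 15:12:15 inet08 setroubleshoot: SELinux is preventing /usr/libexec/postfix/smtp from lock access on the file /var/spool/postfix/active/8DD5060F81. For complete SELinux messages. run sealert -l 92969cc6-4d13-43ad-b39a-5ad0bbf2a4c7",
]

# Postfix daemon dying because it could not lock a queue file.
FATAL_RE = re.compile(
    r"postfix/(?P<daemon>[\w-]+)\[(?P<pid>\d+)\]: fatal: shared lock "
    r"(?P<queue>\w+)/(?P<qid>[0-9A-F]+):")
# setroubleshoot summary line; the sealert ID is optional.
DENIAL_RE = re.compile(
    r"setroubleshoot: SELinux is preventing (?P<exe>\S+) from (?P<access>.+?) "
    r"access on the file (?P<path>/\S+/(?P<qid>[0-9A-F]+))\.(?:\s|$)"
    r"(?:.*sealert -l (?P<alert>[0-9a-f-]{36}))?")

def correlate(maillog, messages):
    """Map each queue ID with a failed lock to the SELinux denial naming it.

    Matching is on queue ID, not timestamp: setroubleshoot logs several
    seconds after the Postfix error (15:12:15 vs 15:12:08 in the sample).
    """
    denials = {}
    for line in messages:
        m = DENIAL_RE.search(line)
        if m:
            denials[m["qid"]] = m.groupdict()
    report = {}
    for line in maillog:
        m = FATAL_RE.search(line)
        if not m:
            continue  # warnings from qmgr/master are consequences, not causes
        d = denials.get(m["qid"])
        report[m["qid"]] = {
            "daemon": m["daemon"], "pid": int(m["pid"]),
            "denied": d["access"] if d else None,
            "path": d["path"] if d else None,
            "sealert": d["alert"] if d else None,
        }
    return report

if __name__ == "__main__":
    for qid, r in correlate(MAILLOG, MESSAGES).items():
        print(qid, r)
```

A queue ID reported with no denial (0A7EC60D8A in the sample) means no matching setroubleshoot line was in the excerpt supplied, not that SELinux was uninvolved.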