SELinux: AVC denied read for postfix

Door guarded with almost 100 security cameras.
There is a fine line between secure and overkill.

I recently installed dovecot and postfix (postfix how-to documentation) on a server running an optimized and hardened version of CentOS 5.6 (LAMP):

yum install postfix dovecot system-switch-mail system-switch-mail-gnome

After starting both services:

/etc/init.d/dovecot start
/etc/init.d/postfix start

I noticed several log entries in /var/log/messages:

Aug  1 08:31:49 vps kernel: type=1400 audit(1375518709.556:695): avc:  denied  { read } for  pid=4545 comm="smtpd" name="hosts" dev=sda1 ino=803366 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Aug  1 08:31:49 vps kernel: type=1400 audit(1375518709.588:696): avc:  denied  { read } for  pid=4545 comm="smtpd" name="localtime" dev=sda1 ino=803387 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
[...]

Those logs were generated by SELinux, and if I had to guess, that’s what the “hardened” part refers to in the CentOS server image name.

Here is what it does in a nutshell:

By default under a strict enforcing setting, everything is denied and then a series of exceptions policies are written that give each element of the system (a service, program or user) only the access required to function.

Create SELinux module package

This means that we need to create an exception. We can do this by generating a module package that will contain rules to permit the tasks in question:

cd /etc/selinux/targeted/modules/
grep postfix /var/log/messages | audit2allow -M postfix

Confirm SELinux module package was created

What we’ve done is taken all of the log messages with references to postfix, converted them into the proper format, and then saved them in a (type enforcement) file called postfix.te:

[root@vps modules]# cat postfix.te 

module postfix 1.0;

require {
	type postfix_qmgr_t;
	type postfix_pickup_t;
	type file_t;
	type postfix_smtpd_t;
	type postfix_smtp_t;
	type postfix_cleanup_t;
	type postfix_master_t;
	class lnk_file read;
	class file { read getattr };
}

#============= postfix_cleanup_t ==============
allow postfix_cleanup_t file_t:lnk_file read;

#============= postfix_master_t ==============
allow postfix_master_t file_t:lnk_file read;

#============= postfix_pickup_t ==============
allow postfix_pickup_t file_t:lnk_file read;

#============= postfix_qmgr_t ==============
allow postfix_qmgr_t file_t:lnk_file read;

#============= postfix_smtp_t ==============
allow postfix_smtp_t file_t:lnk_file read;

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t file_t:file { read getattr };
allow postfix_smtpd_t file_t:lnk_file read;

After you create the module, audit2allow will advise that:

To make this policy package active, execute:
semodule -i postfix.pp

Load SELinux module package

So we’ll run that final command to load the module package:

semodule -i postfix.pp

Confirm SELinux module package loaded

You can confirm that this worked by checking the loaded modules:

[root@vps modules]# semodule -l
[...]
postfix	1.0
[...]

And looking at your most recent message in /var/log/messages:

Aug  1 09:12:14 vps kernel: type=1403 audit(1375521134.517:911): policy loaded auid=4294967295 ses=4294967295

Hope this helps someone else! As a side note, if you want to learn more about this, you can look at the SELinux how-to documentation.

Featured image by Matthew Henry.


Comments (1)

Previously posted in WordPress and transferred to Ghost.

iluhen
December 26, 2015 at 2:39 pm

Hi, mate. I’m experiencing some selinux issue on my android. Can you please take a look at it, please? http://forum.xda-developers.com/galaxy-s2/help/bad-flash-to-recover-data-t3276363