Tag Archives: SELinux

SELinux: AVC denied read for postfix

I recently installed dovecot and postfix (postfix how-to documentation) on a server running an optimized and hardened version of CentOS 5.6 (LAMP):

yum install postfix dovecot system-switch-mail system-switch-mail-gnome

After starting both services:

/etc/init.d/dovecot start
/etc/init.d/postfix start

I noticed several log entries in /var/log/messages:

Aug  1 08:31:49 vps kernel: type=1400 audit(1375518709.556:695): avc:  denied  { read } for  pid=4545 comm="smtpd" name="hosts" dev=sda1 ino=803366 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Aug  1 08:31:49 vps kernel: type=1400 audit(1375518709.588:696): avc:  denied  { read } for  pid=4545 comm="smtpd" name="localtime" dev=sda1 ino=803387 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file

Those logs were generated by SELinux, and if I had to guess, that’s what the “hardened” part refers to in the CentOS server image name.

Here is what it does in a nutshell:

Under an enforcing, deny-by-default policy, every access is refused unless a policy rule explicitly grants it, and those rules give each element of the system (a service, program or user) only the access it needs to function. On CentOS 5 the default is the targeted policy rather than strict: it confines a set of network-facing daemons (postfix's smtpd runs as postfix_smtpd_t, as the scontext above shows) and leaves everything else unconfined. The two denials above are also worth reading closely: the target context is file_t, which is the type SELinux gives a file that carries no label at all, so smtpd was not blocked by a rule about /etc/hosts or /etc/localtime but by the files never having been labelled. That is a relabelling problem (restorecon), not a reason to write an allow rule for file_t.
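To make the distinction concrete, here is a small parser, added for this write-up and not part of the original post or of any SELinux tool, that turns kernel AVC lines like the two above into fields and sorts each denial into "object is unlabeled, relabel it" versus "policy really forbids this, review it". The sample input is the two lines quoted earlier; the `find -inum` hint is needed because an AVC record only carries the basename and inode, not the full path. The `UNLABELED_TYPES` set and the verdict strings are this example's own conventions.

```python
import re
from typing import Dict, List, Optional

# The two denials quoted in the post above (verbatim, used here as sample input).
SAMPLE_LOG = """\
Aug  1 08:31:49 vps kernel: type=1400 audit(1375518709.556:695): avc:  denied  { read } for  pid=4545 comm="smtpd" name="hosts" dev=sda1 ino=803366 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Aug  1 08:31:49 vps kernel: type=1400 audit(1375518709.588:696): avc:  denied  { read } for  pid=4545 comm="smtpd" name="localtime" dev=sda1 ino=803387 scontext=root:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=lnk_file
"""

# Shape of a record: 'avc:  denied  { read write } for  key=value key="quoted" ...'
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Types that mean "this object has no real label" rather than "policy forbids this"
# (assumption of this example: treat both the same way, i.e. relabel).
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one kernel AVC line into a dict; None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; policy rules are written against the type.
    for ctx in ("scontext", "tcontext"):
        parts = str(rec.get(ctx, "")).split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) >= 3 else ""
    return rec


def diagnose(rec: Dict[str, object]) -> str:
    """Classify a record: 'unlabeled' (relabel the object) or 'policy' (real rule gap)."""
    if rec["result"] != "denied":
        return "granted"
    if rec["tcontext_type"] in UNLABELED_TYPES:
        return "unlabeled"
    return "policy"


def advise(rec: Dict[str, object]) -> str:
    """Human-readable next step for one record."""
    perms = ",".join(rec["perms"])
    who = f'{rec.get("comm", "?")} ({rec.get("scontext_type", "?")})'
    what = f'{rec.get("tclass", "?")} "{rec.get("name", "?")}" ({rec.get("tcontext_type", "?")})'
    verdict = diagnose(rec)
    if verdict == "unlabeled":
        # Do not write an allow rule for file_t: restore the label the policy expects.
        return (f'{who} denied {perms} on {what}: object is unlabeled; '
                f'locate it with: find / -xdev -inum {rec.get("ino", "?")}  '
                f'then run: restorecon -v <path>')
    if verdict == "policy":
        return (f'{who} denied {perms} on {what}: policy gap; '
                f'review with audit2allow before allowing anything')
    return f'{who} was granted {perms} on {what}'


def analyze(log_text: str) -> List[Dict[str, object]]:
    """Parse every AVC line in a log excerpt and attach a verdict to each."""
    out: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rec["verdict"] = diagnose(rec)
            out.append(rec)
    return out


if __name__ == "__main__":
    for record in analyze(SAMPLE_LOG):
        print(advise(record))
```

Run it against a copy of /var/log/messages (or `ausearch -m avc` output) and any denial whose target type is file_t points at a file to relabel; only the remaining "policy" verdicts are candidates for a local policy module.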
