CentOS-6.6 all updates applied
Postfix-2.11.1
We updated a Postfix-2.6.6 service to 2.11.1. We then began recording SELinux
access violation context (avc) errors. I asked how these should be handled. I
received the reply reproduced below to my enquiry on the CentOS mailing list.
In order to resolve this issue in CentOS I need an answer to Mr. Walsh's
question: Is there a reason for Postfix to read from /tmp and /var/tmp? Can
someone enlighten me as to what Postfix is looking for in /tmp?
On Fri, December 5, 2014 04:53, Daniel J Walsh wrote:
>> Anyone see any problem with generating a custom policy consisting of the
>> following?
>>
>> grep avc /var/log/audit/audit.log | audit2allow
>>
>>
>> #============= amavis_t ==============
>> allow amavis_t shell_exec_t:file execute;
>> allow amavis_t sysfs_t:dir search;
>>
>> #============= clamscan_t ==============
>> allow clamscan_t amavis_spool_t:dir read;
> In the latest rhel6 policies amavis_t and clamscan_t have been merged
> into antivirus_t? Is your selinux-policy up to date?
>> #============= logwatch_mail_t ==============
>> allow logwatch_mail_t usr_t:lnk_file read;
>>
>> #============= postfix_master_t ==============
>> allow postfix_master_t tmp_t:dir read;
>>
>> #============= postfix_postdrop_t ==============
>> allow postfix_postdrop_t tmp_t:dir read;
>>
>> #============= postfix_showq_t ==============
>> allow postfix_showq_t tmp_t:dir read;
> Any reason postfix would be listing the contents of /tmp or /var/tmp?
> Did you put some content into these directories that have something to
> do with mail?
>> #============= postfix_smtp_t ==============
>> allow postfix_smtp_t postfix_spool_maildrop_t:file { read write getattr };
>>
Thanks,
--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:[email protected]
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
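The check Mr. Walsh's question implies, as an added example that is not from this thread, from Postfix or from the SELinux tooling: rather than piping every AVC straight into audit2allow, parse the denials first and flag the ones whose target type is temp space (tmp_t, var_tmp_t) or whose permission grants execute, so they are investigated before anyone writes an allow rule for them. The audit lines, pids and inodes are constructed sample data in the RHEL/CentOS 6 AVC format.

```shell
#!/bin/sh
# Added example (not from the original thread): triage AVC denials before
# feeding them to audit2allow. All sample data below is constructed.

# Constructed audit.log lines (hypothetical pids/inodes), including one
# duplicate denial and one non-AVC record that must be ignored.
sample_avc() {
  cat <<'EOF'
type=AVC msg=audit(1417773000.101:4001): avc:  denied  { read } for  pid=1201 comm="master" name="tmp" dev=dm-0 ino=2 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1417773000.102:4002): avc:  denied  { read } for  pid=1201 comm="master" name="tmp" dev=dm-0 ino=2 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1417773000.103:4003): avc:  denied  { execute } for  pid=1300 comm="amavisd" name="sh" dev=dm-0 ino=3 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1417773000.104:4004): avc:  denied  { read } for  pid=1400 comm="smtp" name="3F2A1" dev=dm-0 ino=4 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=SYSCALL msg=audit(1417773000.104:4004): arch=c000003e syscall=2 success=no exit=-13
EOF
}

# triage_avc: read raw audit lines on stdin; print one line per distinct
# (source type, target type, class, permission) with a triage verdict.
triage_avc() {
  grep 'avc: *denied' | awk '
  {
    p = index($0, "{"); q = index($0, "}")      # permission set sits in { ... }
    perms = substr($0, p + 1, q - p - 1)
    gsub(/^ +| +$/, "", perms)
    s = t = c = ""
    for (i = 1; i <= NF; i++) {                 # pull the type out of each context
      if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
      else if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }
      else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
    }
    verdict = "candidate"
    if (t == "tmp_t" || t == "var_tmp_t" || t == "tmpfs_t")
      verdict = "REVIEW: temp space, find out what the daemon wants there first"
    if (perms ~ /execute/)
      verdict = "REVIEW: grants execute"
    print s, t, c, "{ " perms " }", verdict
  }' | sort -u                                  # collapse repeated denials
}

sample_avc | triage_avc
```

Only the lines marked "candidate" are worth handing to audit2allow; a "REVIEW" line is usually a mislabelled file or a daemon doing something it should not, and the fix is relabelling or configuration rather than a custom allow rule.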