I wanted to share part of my adventures getting Postfix to work with
Cyrus-IMAPD and SELinux.

All of the apps were installed using yum on a Fedora 10 server.

Postfix 2.5.5-1
Cyrus-IMAPD 2.3.12p2-3
SELinux

Here's the gist of it ...

SELinux is fairly restrictive, by default, which is good. Most of the
"policies" (SELinux permissions) work pretty well for default
Postfix+Cyrus-IMAPD activities, however sending mail INTO the protected
system is a little bit snafu'd. Postfix's "pipe" program was having
difficulty getting permission to do its thing, along with a couple of
problematic directories and sockets.

For the sake of search engine seekers, here are a couple of the error
messages I received:

Error in /var/log/maillog:
- fatal: pipe_command: execvp /usr/lib/cyrus-imapd/deliver: Permission denied

Same error in /var/log/messages:
- setroubleshoot: SELinux is preventing pipe (postfix_pipe_t) "execute" to ./deliver (bin_t).

(See line #58 in the local_postfix.te file, below, to see what resolved this
particular error.)

After an hour or so creating new policies for Postfix+Cyrus-IMAPD, I figured
I'd save somebody the trouble and post the resulting template file.
Obviously, your system may vary from mine, but this should get you going.
I've included instructions for troubleshooting and for using a couple of the
basic SELinux tools to create and edit policies.

To use the following, copy-and-paste from the first # (comment) through to
the end into a new text file. (All of the line breaks should work out fine
if it's plain text. No guarantees for those of you who insist on using
Microsoft products.) I'm using the filename 'local_postfix.te', so why don't
you do the same? :) Read the brief instructions within the commented area
for more.

http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385 is also very
helpful.

Enjoy!

####### HOW TO USE THIS ##############################################################
# SELinux, Cyrus-IMAPD, Postfix                                                  #
# SELinux needs help resolving Postfix/Cyrus policies.                           #
# This file + the following instructions should get you                          #
# on your way to resolving those policies.                                       #
#                                                                                #
# 1) Create this file with the data shown below:                                 #
#     local_postfix.te                                                           #
# 2) Compile this file:                                                          #
#     checkmodule -M -m -o local_postfix.mod local_postfix.te                    #
# 3) Create SELinux policy package:                                              #
#     semodule_package -o local_postfix.pp -m local_postfix.mod                  #
# 4) Move policy package to normal SELinux modules directory:                    #
#     mv local_postfix.pp /etc/selinux/targeted/modules/active/modules/          #
# 5) Update kernel with new policy package:                                      #
#     semodule -i /etc/selinux/targeted/modules/active/modules/local_postfix.pp  #
#     (semodule -i copies the .pp into the store itself, so step 4 is optional.) #
#                                                                                #
# Test: Send mail from remote to this system.                                    #
# Check /var/log/maillog for mail errors and                                     #
# /var/log/messages for more specific SELinux errors                             #
# Also, SELinux will provide the command (sealert...) for more details           #
# Use the error info you see in messages (or sealert...) to create               #
# new entries in local_postfix.te, then re-compile, package and update kernel.   #
#                                                                                #
# Alternately, you can use this to generate a .te file automatically             #
# from the SELinux errors displayed in /var/log/audit/audit.log (or              #
# from /var/log/messages IF you do NOT have audit installed):                    #
#                                                                                #
#  audit2allow -m local -l -i /var/log/audit/audit.log > local_postfix.te        #
#                                                                                #
# (This is also helpful if you can't guess the correct domain/policy to use      #
# from reading the error messages.) Take the new stuff from what audit2allow     #
# creates and add it to this file, then re-compile, package and update kernel.   #
##################################################################################

module local_postfix 1.0;

require {
        type bin_t;
        type cyrus_t;
        type cyrus_var_lib_t;
        type postfix_pipe_t;
        type postfix_postqueue_exec_t;
        type postfix_public_t;
        type sendmail_t;
        type usr_t;
        class file { execute execute_no_trans read };
        class dir { write search };
        class sock_file write;
        class unix_stream_socket connectto;
}

#============= cyrus_t ==============
# cyrus_t writing into a usr_t directory usually means a path under /usr is
# mislabeled rather than that the daemon really needs /usr writable; run
# `restorecon -nv -R` on the Cyrus directories before deciding to keep this.
allow cyrus_t usr_t:dir write;

#============= postfix_pipe_t ==============
# Lets the Postfix pipe(8) daemon read and execute
# /usr/lib/cyrus-imapd/deliver (labeled bin_t) in its own domain; this is
# what cleared the "execvp .../deliver: Permission denied" error. Note that
# it covers every bin_t file, not only deliver; a narrower fix would give
# deliver its own type and a domain transition.
allow postfix_pipe_t bin_t:file read;
allow postfix_pipe_t bin_t:file execute;
allow postfix_pipe_t bin_t:file execute_no_trans;
# deliver (still running as postfix_pipe_t) hands the message to the Cyrus
# LMTP daemon over the unix socket in the Cyrus state directory.
allow postfix_pipe_t cyrus_t:unix_stream_socket connectto;
allow postfix_pipe_t cyrus_var_lib_t:dir search;
allow postfix_pipe_t cyrus_var_lib_t:sock_file write;
# The pipe daemon talks to Postfix's own public sockets (postfix_public_t).
allow postfix_pipe_t postfix_public_t:sock_file write;

#============= sendmail_t ==============
# The sendmail(1) compatibility wrapper needs to run postqueue (mailq etc.).
allow sendmail_t postfix_postqueue_exec_t:file execute;

-- 
View this message in context: 
http://www.nabble.com/Postfix-%2B-Cyrus-IMAPD-%2B-SELinux-tp21882427p21882427.html
Sent from the Postfix mailing list archive at Nabble.com.

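As an added example (not code from the original post, and not the real audit2allow), here is a small POSIX sh/awk stand-in for the `audit2allow -m` step described in the comment block of the .te file above, plus a pre-check that every type used in an allow rule is declared in the require block (checkmodule rejects modules that miss one). The AVC records are constructed to mirror the "execvp deliver" denial from the post; the pids, inodes and timestamps in them, and the function names, are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): a small stand-in for
# `audit2allow -m`, written in POSIX sh + awk so it runs without the SELinux
# userspace tools. It turns AVC denial records into a .te module skeleton
# like the one in the post, and lints a .te file for undeclared types.
LC_ALL=C
export LC_ALL

# Constructed sample AVC records (modelled on the "execvp deliver" denial in
# the post; pids, inode numbers and timestamps are made up).
SAMPLE_AVC='type=AVC msg=audit(1234567890.101:11): avc:  denied  { execute } for  pid=2301 comm="pipe" name="deliver" dev=sda1 ino=4242 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1234567890.102:12): avc:  denied  { read } for  pid=2301 comm="pipe" path="/usr/lib/cyrus-imapd/deliver" dev=sda1 ino=4242 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1234567890.103:13): avc:  denied  { search } for  pid=2305 comm="deliver" name="imap" dev=sda1 ino=99 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:cyrus_var_lib_t:s0 tclass=dir'

# Reduce AVC denials on stdin to unique "source_type target_type class perm"
# tuples. Only the type (third colon-separated component) of each security
# context matters for an allow rule.
avc_tuples() {
    awk '
    /avc: *denied/ {
        perms = $0
        sub(/^.*denied[ \t]*[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)
        match($0, /scontext=[^ ]+/); s = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tcontext=[^ ]+/); t = substr($0, RSTART + 9, RLENGTH - 9)
        match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
        split(s, sf, ":"); split(t, tf, ":")
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) print sf[3], tf[3], c, p[i]
    }' | sort -u
}

# Render sorted tuples from stdin as a complete module: header, require
# block (every type and class/permission used), then one allow rule per
# source/target/class triple. $1 is the module name.
tuples_to_te() {
    tuples=$(cat)
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '%s\n' "$tuples" | awk '{ print $1; print $2 }' | sort -u |
        awk '{ printf "        type %s;\n", $1 }'
    printf '%s\n' "$tuples" | awk '{ print $3, $4 }' | sort -u | awk '
        $1 != cls { if (cls != "") printf "        class %s { %s };\n", cls, perms
                    cls = $1; perms = $2; next }
        { perms = perms " " $2 }
        END { if (cls != "") printf "        class %s { %s };\n", cls, perms }'
    printf '}\n\n'
    printf '%s\n' "$tuples" | awk '
        { k = $1 " " $2 ":" $3 }
        k != key { if (key != "") printf "allow %s { %s };\n", key, perms
                   key = k; perms = $4; next }
        { perms = perms " " $4 }
        END { if (key != "") printf "allow %s { %s };\n", key, perms }'
}

# List types referenced by allow rules but missing from the require block;
# checkmodule refuses to compile such a module, so this is a quick pre-check.
te_undeclared_types() {
    awk '
    /^[ \t]*type [A-Za-z0-9_]+;/ { sub(/;.*/, "", $2); declared[$2] = 1 }
    /^allow / { sub(/:.*/, "", $3); used[$2] = 1; used[$3] = 1 }
    END { for (t in used) if (!(t in declared)) print t }' | sort
}

# Build the module from the sample denials, much as
# `audit2allow -m local_postfix -i /var/log/audit/audit.log` would from a
# real log. $1 is the module name.
generate_module() {
    printf '%s\n' "$SAMPLE_AVC" | avc_tuples | tuples_to_te "$1"
}

generate_module local_postfix
```

Feed it a real log instead of `SAMPLE_AVC` and the output is the same shape as the module in the post; the point of writing the reduction out by hand is to see that audit2allow only ever proposes the *broadest* rule matching a denial (here `postfix_pipe_t` on all of `bin_t`), so each generated line still needs a human to decide whether the right fix is the rule or a relabel.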