1

How to change the SELinux context for a Postfix file on Fedora 20

asked 2014-04-24 22:45:35 -0600

joseluisq

updated 2014-04-24 22:46:14 -0600

Hi, I want to change the SELinux context for Postfix when I send emails via my localhost web server.
For example, I'm using PHP to send emails to my localhost inbox.
In my web server log, something like this appears:
open /etc/postfix/main.cf Permission denied

My temporary solution was to change to permissive (setenforce 0), but I think this is not secure.
Is there some way to set a context for main.cf?
Thanks!


Comments

Do you really need to open main.cf from your web app?

none ( 2014-04-25 01:52:01 -0600 )

Yes. Recently I changed from sendmail to postfix, and when I try to send emails via the web, my log file shows me Permission denied.

joseluisq ( 2014-04-25 10:17:13 -0600 )

Show me the output of this command: getsebool httpd_can_sendmail

none ( 2014-04-25 10:42:03 -0600 )

Next, try sending mail from your web app, and then show us: ausearch -m avc -ts recent

none ( 2014-04-25 10:43:41 -0600 )

OK, I will try it!

joseluisq ( 2014-04-25 11:05:18 -0600 )

2 Answers

1

answered 2014-04-28 02:24:30 -0600

none

So your solution is to turn on: httpd_can_sendmail

sudo setsebool -P httpd_can_sendmail true

-P will make it permanent.


Comments

It works!
I really needed this to be permanent.
Thanks for the tip!

joseluisq ( 2014-05-04 23:57:21 -0600 )
2

answered 2014-04-25 07:07:23 -0600

tonioc

In general, permissive mode combined with the auditd logs (/var/log/audit/audit.log) will allow you to understand what rule is being violated and possibly create custom rules to allow specific access for a process on an object type. You may find useful input for this in this doc: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Security-Enhanced_Linux . Tools you may need to learn include, for example, audit2allow. An important point is to first understand the root cause of the SELinux denial, and what you open up when adding custom rules. Permissive mode is not bad in itself if you take care to analyse the logs.


Comments

Great! I will check this out. Thanks.

joseluisq ( 2014-04-25 10:19:15 -0600 )
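
The log analysis recommended in tonioc's answer, as an added example that is not code from this thread: a shell function that condenses AVC denials into one line per source domain, target type, object class and permission, so the root cause is visible before a boolean is flipped or a rule is written. The sample records are constructed, and the httpd_t and postfix_etc_t types in them are assumptions for this scenario.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from the original post).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1398400000.101:501): avc:  denied  { read } for  pid=2301 comm="sendmail" name="main.cf" dev="dm-1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=AVC msg=audit(1398400000.102:502): avc:  denied  { open } for  pid=2301 comm="sendmail" path="/etc/postfix/main.cf" dev="dm-1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1398400000.102:502): arch=c000003e syscall=2 success=no exit=-13 comm="sendmail"
type=AVC msg=audit(1398400060.201:510): avc:  denied  { read } for  pid=2377 comm="sendmail" name="main.cf" dev="dm-1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
EOF
}

# Read audit records on stdin and print one sorted line per distinct denial:
#   <source type> -> <target type> : <class> { <perm> } comm=<command> count=<n>
summarise_avc() {
    awk '
    /avc: +denied/ {
        src = tgt = cls = comm = ""; n = 0; inperm = 0
        for (i = 1; i <= NF; i++) {
            # Permissions are the words between the braces.
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm)    { perm[++n] = $i; continue }
            # The SELinux type is the third colon-separated part of a context.
            if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
        }
        # One tally entry per permission, so "{ read open }" counts as two.
        for (j = 1; j <= n; j++)
            seen[src " -> " tgt " : " cls " { " perm[j] " } comm=" comm]++
    }
    END { for (k in seen) printf "%s count=%d\n", k, seen[k] }
    ' | LC_ALL=C sort
}

# On a live system, pipe in the command from the comments above:
#   ausearch -m avc -ts recent | summarise_avc
sample_audit_log | summarise_avc
```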

Stats

Asked: 2014-04-24 22:45:35 -0600

Seen: 807 times

Last updated: Apr 28 '14