CentOS 5 :: Postfix - SELinux Is Preventing Postdrop
Feb 3, 2010
I am running Postfix on my CentOS (latest) powered box with SELinux at Enforcing mode.
This is what I get each time Postfix tries to send e-mail:
Quote: SELinux is preventing postdrop (postfix_postdrop_t) "write" to pipe (initrc_t).
Jan 13, 2011
I'd like to grant /usr/sbin/sendmail.sendmail "connectto" access to the unix_stream_socket /var/lib/imap/socket/lmtp. How do I do that? I want to eliminate error messages that keep appearing in my message log:
/var/log/messages:Jan 13 11:45:29 e setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail from connectto access on the unix_stream_socket /var/lib/imap/socket/lmtp. For complete SELinux messages. run sealert -l 05df828f-4402-
[code]....
Nov 2, 2010
- Newly installed Fedora 14
- Firefox 3.6.12
- All latest Fedora updates installed
- Denial occurred after the installation of jre1.6.0_22 from here - Linux (self-extracting file) and creating symbolic links as follows;
Code:
[root@Freedom opt]# ln -s /opt/jre1.6.0_22/lib/i386/libnpjp2.so /usr/lib/mozilla/plugins/
Code:
[code]....
Sep 1, 2010
My Fedora box is giving me an SELinux security error:
Code: Summary:
SELinux is preventing the samba daemon from reading users' home directories.
Detailed Description:
SELinux has denied the samba daemon access to users' home directories. Someone
is attempting to access your home directories via your samba daemon. If you only
setup samba to share non-home directories, this probably signals an intrusion
attempt. For more information on SELinux integration with samba, look at the
samba_selinux man page. (man samba_selinux)
Allowing Access: If you want samba to share home directories you need to turn on the
samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1"
Fix Command:
setsebool -P samba_enable_home_dirs=1
Additional Information:
Source Context system_u:system_r:smbd_t:s0
Target Context unconfined_u:object_r:user_home_dir_t:s0
Target Objects /home/micah [ dir ]
Source smbd
[code]....
Mar 13, 2009
I went to print something and I get this message: Summary: SELinux is preventing access to files with the default label, default_t.
Detailed Description: SELinux permission checks on files labeled default_t are being denied. These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var. /dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label.
Jul 15, 2011
This is the "alert" I've received from SELinux Alert Browser after closing "rhythmbox" application that opened my CreativeZen mediaplayer:
Code:
SELinux is preventing /usr/libexec/abrt-hook-ccpp from using the sys_ptrace capability
in dmesg it has:
[code]....
Aug 5, 2010
I have Googled and searched dozens of forums and mailing list archives for a couple days now, and I haven't found a straightforward answer to what is REALLY required in a Postfix main.cf file to stop backscatter.
A couple of our servers are still being flagged as sending backscatter. Is it possible to send a bounce message these days without it being considered backscatter?
I keep adding suggested "fixes" to my main.cf file, but Backscatterer.org still says we're doing it.
Here's my postconf -n output:
Code:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
[Code].....
Dec 31, 2009
I receive the message "SELinux is preventing /usr/sbin/vsftpd "net_raw" access" many times. Found this bug at Red Hat but really do not understand what I should do about it ((( Kindly let me know how to change this to normal. Shutting down SELinux is not the way out.
Oct 4, 2010
So I set out to change the default SMTP port the server uses because my ISP blocks port 25 and I need the email to work in Outlook. This morning I could receive email, but not send it. So I did some research and thought that I needed to edit the master.cf file in /etc/postfix/ by commenting out this line: smtp inet n - n - - smtpd -o and replace it with 587 inet n - n - - smtpd (587 being the port I want to use). Somewhere along the lines postfix server stopped running and now I cannot get it to start. If I try using SSH it crashes immediately, and if I restart it in simple control panel nothing happens.
Dec 12, 2008
I have installed a server with CentOS 5.2 OS; now I would like to switch from the default sendmail to postfix. Doing a yum install postfix, I've noticed there is already an rpm version available for the OS, but I would like to compile my own 2.5 version. I've noticed compiling from source does not allow me to use the mail switcher to tell the system I'm going to use Postfix instead of Sendmail as the default MTA, while this is possible when I use the "official" rpm version of the package. Now my question is this: would this be a problem? Is there some specific procedure/best practice I should follow? Or, once I have compiled and configured Postfix, can I safely disable/uninstall sendmail?
Aug 25, 2009
I have a virtualbox installation on top of CentOS, and I need fairly high security separation between host and guest traffic. The university network the box hangs off uses statically-allocated ip addresses, allocated to fixed MAC addresses (i.e. it eats any traffic with mismatched ip and MAC addresses).
Host OS: CentOS 5.3 64bit
VBox: 3.0.4
Guest OS: Fedora 11 64bit
Hardware: dual NIC, Intel server
Bridged networking, with separate NICs for host and guest
I'm aiming for high-security separation between host and guest traffic. To do this, I would like to run all host traffic through one NIC, H, and all guest traffic through the other, G. The host and guest have separate, statically allocated, IP addresses, IPH and IPG. The network forces these to be mapped to specific MAC addresses, MACH (the address of NIC H) and MACG (the address of NIC G).
So it's not too hard to write host firewall rules to enforce this policy. The rules just have to state that traffic coming into H must have a destination compatible with IPH, and traffic going out must have IPH as source - and vv for G and IPG. There also doesn't seem to be any trouble telling the guest to only use NIC G. As a result, turning off NIC G (or equivalently, firewalling it off from host traffic) crashes the network, and I have to reboot it to get networking working.
But I can't figure how to tell the host (i.e. CentOS) to _only_ use NIC H for anything else except the guest. Even though we don't see any IPH traffic coming into NIC G from outside, I don't seem to be able to stop the host from starting connections on NIC G. Does anyone know any way to do this - to tell the host that it can only use IPH as its IP address unless traffic is coming from a guest process, and that it can only use address MACH and NIC H?
Aug 3, 2011
I've recently installed cacti on one of my servers and grimaced a bit when I had to install additional third-party yum repositories for CentOS 6. My question is, how does one go about preventing potential conflicts with certain dependencies overwriting key/critical dependencies relied upon from packages that might share them, i.e. apache? I understand yum priorities and have read the discussions regarding pros/cons from the threads involving one of the YUM maintainers. Since I need my servers to act as production-class equipment and, hence, be as reliable as they can, I'm always hesitant to allow yum to automate package upgrades when third-party repos are involved. How best to handle this?
Jun 14, 2010
I am trying to install centos 5.5 x86_64 as a guest OS in vmware server 2.0.2 using netinstall iso. Installation runs fine until the point when it tries to install selinux-policy-targeted-2.4.6-279.el5.noarch; the whole virtual pc hangs at this. Any ideas? I tried to google a few things about this, but I have found nothing. This has happened 3 times in a row; the whole virtual pc always hangs at the same package. I don't have any other problems with vmware; gentoo runs and installs fine in it. I would prefer to do the installation using netinstall.iso; it would take a lot of time to download all CDs or the whole DVD and all I require is a very basic set of packages.
Feb 23, 2009
You can find a list of all the booleans for SELinux (Fedora 10) using getsebool -a. My question is, is there a reference online that describes each one? Most are obvious but it's one of those "I have to know because it's there" situations.
Jun 30, 2009
I have a selinux alert every time I print to cups_pdf after upgrading to CentOS 5.3 from 5.2. This never happened before. This is the alert I get:
SELinux is preventing sh (cups_pdf_t) "search" to ./sbin (sbin_t)
It tells me to allow the access I need to run the cmd
restorecon -v './sbin'
I have tried it but nothing happens.
Apr 26, 2010
I turned on SELinux today on my laptop, but when I tried to reboot I found that I can't! The boot process stalls every time on "Starting system logger". A load of "permission denied" messages precede that, including various items in /var/sys. Most flash by far too fast for me to note them down.
I have tried the backup kernel from the grub menu but get the same result. What has gone on here and what can I do to get around this?
Sep 24, 2010
I always thought that whenever /usr/sbin/setsebool was used, it would write either a "0" or a "1" into the corresponding boolean file. All SELinux boolean files are in /selinux/booleans but if I check, for example, this boolean ...
$ sudo /usr/sbin/getsebool ftp_home_dir
ftp_home_dir --> on
It returns a positive, but if I do
$ sudo less /selinux/booleans/ftp_home_dir
I get ... read error (Press Return)
Furthermore, if I list the boolean file itself, it shows it to be empty
$ sudo ls -l /selinux/booleans/ftp_home_dir
-rw-r--r-- 1 root root 0 Aug 9 11:09 /selinux/booleans/ftp_home_dir
Where is SELinux storing the booleans then?
This is on CentOS 5.4
Mar 11, 2010
Here is what I do:
make clean
make makefiles CCARGS='-DEF_CONFIG_DIR="/opt/product/postfix-2.6.5/etc"
-DEF_COMMAND_DIR="/opt/product/postfix-2.6.5"
-DEF_DAEMON_DIR="/opt/product/postfix-2.6.5/libexec"
-DEF_MAILQ_PATH="/opt/product/postfix-2.6.5/bin/mailq"
-DEF_DATA_DIR="/opt/product/postfix-2.6.5/lib"
-DEF_NEWALIAS_DIR="/opt/product/postfix-2.6.5/bin/newaliases"
[Code]...
make install
Then I got this error:
postfix: fatal: chdir(/usr/libexec/postfix): No such file or directory
make: *** [install] Error 1
I don't understand why it's checking the usr/libexec folder for the daemons although I've set the folder to /opt/product/postfix-2.6.5/libexec in the makefile. Here is also the cat of my makedefs.out:
[Code]....
Apr 8, 2010
I'm able to connect to ftp as a virtual user. It was also difficult as nowhere mentioned, that it should be done with SSL. Anyway I found the answer and got connection. But now I can't connect to ftp server as system user. It gives me "530 Permission denied", or if I delete the user from the file denied_users, - "530 Login incorrect".
1. Still I can't understand how I can log in to FTP server with a system user. Also some other questions regarding this matter:
2. My httpd server Apache has virtual hosts located in "/home" directory. The scripts create users in "/var/ftp virtual_users". Will it cause any problem if I change them to "/home"? All I need to do with this is the ability to have several virtual hosts in one server with separate access to each of them via FTP. And 1 account with access to all files in "/home".
3. In my ftp client I can see the owner of virtual host "ftp" instead of username.
Mar 16, 2010
Code:
$ ./configure --with-md5-passwords --with-selinux --with-pam
[snip]
Host: i686-pc-linux-gnu
Compiler: gcc
[Code]..
May 8, 2009
I don't think it has anything to do with the config file. More to do with SELinux. I need to know how to configure SELinux so I can see my samba share when SELinux is on. When I setenforce 0 I can see all the files and folders; set it to setenforce 1, cannot see anything. Here is the output when I ran
[root@fileserver /]# getsebool -a | grep smb
allow_smbd_anon_write --> on
smbd_disable_trans --> on
These two options were off; I tried turning them on. This is another one of the commands I tried running. I did change a few options but I am not sure which I do need to change. I am running a stand alone server so I don't need the DC option.
[root@fileserver /]# getsebool -a | grep samba
samba_domain_controller --> off
samba_enable_home_dirs --> off
[code]....
Dec 8, 2009
Is there a reason why the selinux module for nagios just doesn't work? I'm running CentOS release 5.4 (Final) and did "yum install nagios" and now have nagios-3.2.0-1.el5.rf installed. I'm having to create policy after policy after policy, and still haven't reached the end of the rainbow.
I suppose after I run out of selinux violations, I could figure out how to combine all of these modules and post the result, but it seems really, really weird to think that I'm the only person who has ever installed nagios from the repo with SELinux enabled.
Oct 18, 2010
I have installed CentOS and Redhat5 on a LVM partition and selinux is enabled. Both OS's share the same /home partition with one user with the same login (gc) and same uid (1000). The problem I am having is that gc can login with all permissions etc on the OS that was installed first (CentOS). For the redhat OS gc can login but cannot write to the home directory (or startx since X needs to write to Xauthority). Here are outputs - 1st CentOS
[gc@shuttle ~]$ ll -Zd $HOME
drwx------ gc gc system_u:object_r:unlabeled_t /home/gc
[gc@shuttle ~]$ stat $HOME
[code]....
Mar 31, 2011
I'm running Apache on Centos 5.5, with active SELinux, and I'm having trouble getting my Perl script to write a file that doesn't yet exist to a folder which has the proper security context.
May 11, 2010
I am trying to use CentOS 5.4 to set up a secure laptop, largely because of its SELinux functionality. Unfortunately I couldn't get wireless to work properly using the default NetworkManager so I installed wicd. Initially it buggered up my whole installation but after relabelling files using SEL I can now use my system again. But.. I can't use it with SELinux enabled, as it denies the required accesses for wicd to work. I also get similar SELinux denials for wpa_supplicant. A couple of snippets from /var/log/audit/audit.log -
[Code]....
Jul 13, 2010
I installed postfix and configured it but for some reason it keeps shutting down right after startup. Here is what happens,
[root@server /]# /etc/init.d/postfix restart
Shutting down postfix: [FAILED]
Starting postfix: [ OK ]
[code]....
Aug 24, 2010
I configure named and stumble upon the following problem: named is serious about user rights, every config file named uses should be named:named. I set rights to named:named as follows, but they get changed to root:named when I restart named as root. The same thing happens with SELinux context. This results in access denied type errors.
Dec 22, 2009
I have a webserver that I run myself utilizing CentOS 5.3. I added a postfix server just to send outgoing mail to people who are part of my webpage. I do not do any email exchange so I can actually receive email on the server, only send (if someone can help me out with that I'm willing to listen). Basically I want to add a disclaimer to the bottom of every email that gets sent out, no matter who sends the email, stating that the email is sent from an unmonitored email account so don't reply to the email. I followed the steps listed here [URL].. even though it was for Fedora 8 it seemed to do what I needed it to do. For some reason no matter who I send email with the disclaimer does not show up. I am doing masquerading so when the email gets sent it shows it comes from my domain, not localhost.localdomain because most webservers block it assuming it is spam mail.
Dec 27, 2009
What is wrong with my yum :( Sendmail refuses to start (doesn't give an error), just doesn't start. Anyway, so I want to use postfix or qmail, but yum doesn't have them in?
Any ideas how I can get postfix installed? I'm getting so tired of yum not actually having anything useful in it.
[root@status1 ~]# cat /etc/redhat-release
CentOS release 5.4 (Final)
Aug 2, 2010
I bought an SSL certificate that I am using for my whole website and would like to use that for postfix as well. I created my own as a test and it worked fine, but I want to use the one I bought because that is trusted, more secure, and the user doesn't get an untrusted popup every time they check their mail through outlook.
The problem is that I don't have a defined "key". I have two files, they are two certificate files. One is the website certificate and the other is a bundle certificate. I tried setting bundle as the key and the actual website cert as the certificate but that did not work. Can I do this? Is there a different type of cert I need to buy for this? What do I need to make "smtpd_tls_key_file" and "smtpd_tls_cert_file"?
My two files are, "sf_bundle.crt", and "website.com.crt".