Pages

November 10, 2014

RHEL 7 + selinux + sendmail greylisting

If you have combination RHEL 7 + selinux + sendmail greylisting (smf-grey), maybe this will help you resolve problems.

First identify from /var/log/audit/audit.log lines, which are related to your case, for example:

type=AVC msg=audit(1415573843.208:2609): avc:  denied  { getattr } for  pid=12969 comm="sendmail" path="/run/smfs/smf-grey.sock" dev="tmpfs" ino=65392 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1415575051.524:3068): avc:  denied  { write } for  pid=13609 comm="sendmail" name="smf-grey.sock" dev="tmpfs" ino=65392 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1415575527.915:3082): avc:  denied  { connectto } for  pid=13759 comm="sendmail" path="/run/smfs/smf-grey.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket

Install packages policycoreutils, policycoreutils-python, checkpolicy and setroubleshoot. Now execute:
cat file_with_needed_audit_lines |audit2allow -m greylist > greylist.te
checkmodule -M -m -o greylist.mod greylist.te
semodule_package -m greylist.mod -o greylist.pp
semodule -i greylist.pp

Oh, and if you need to enable other ports to some services, use semanage, example:

semanage port -l | grep smtp
semanage port -a -t smtp_port_t -p tcp 2525

No comments:

Post a Comment