Mailborder SELinux Guide

Mailborder v4.1.9

 

General
Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel. SELinux follows the model of least privilege more closely than conventional discretionary access control (DAC). By default under a strict enforcing setting, everything is denied, and a series of exception policies is then written that gives each element of the system (a service, program or user) only the access required to function. If a service, program or user subsequently tries to access or modify a file or resource not necessary for it to function, access is denied and the action can be logged.

Mailborder Specific
SELinux often causes problems for newly developed applications, and in turn many developers disable SELinux. However, this is not the case with Mailborder servers. SELinux is set to permissive on all new Mailborder servers running under Red Hat or CentOS v6.x (and other variants). To allow the specific functions of Mailborder servers to execute, a custom policy needs to be created for each Mailborder server before returning the server to enforcing mode.

While a custom policy should enable all required features for Mailborder servers to function correctly, a single solution does not always fit all environments. Therefore, the policy should not be copied to other servers within the Mailborder cluster. Each server should have its own custom SELinux policy generated on the server itself using the guide below. If you encounter access errors on a Mailborder server and have determined that the problem is in fact SELinux, you can easily generate additional policy sets and load them without having to disable SELinux. This only has to be done once: policy additions survive system reboots.

 

Example problem: Something with Postfix is not working properly on the server. Upon reviewing the audit log you find that SELinux is blocking a required action.

Solution: You can parse the file /var/log/audit/audit.log and generate an additional policy from the denials it records. To do this for Postfix only, the following command would be executed:

# grep postdrop /var/log/audit/audit.log | audit2allow -M postfixlocal

The name postfixlocal can be anything you like; it is simply the name given to the output files. Displaying the postfixlocal.te file with cat in this example reveals the following:

# cat postfixlocal.te
    module postfixlocal 1.0;
    require {
            type httpd_log_t;
            type postfix_postdrop_t;
            class dir getattr;
            class file { read getattr };
    }
    #============= postfix_postdrop_t ==============
    allow postfix_postdrop_t httpd_log_t:file getattr;

After reviewing the policy for validity, install the compiled module (audit2allow -M writes postfixlocal.pp alongside the postfixlocal.te file) like this:

# semodule -i postfixlocal.pp

 

Combined Policy

To create a policy for all errors encountered in the audit log, the following command would produce a combined policy:

# grep denied /var/log/audit/audit.log | audit2allow -M combinedPolicy

Review the policy by examining the combinedPolicy.te file that was created. To implement the policy:

# semodule -i combinedPolicy.pp
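Whether you filter for one process (grep postdrop) or take every denial (grep denied), the review step is where you decide whether each generated allow rule belongs on the server. The following Python script is an added example, not part of the Mailborder guide or of audit2allow: it parses AVC denial records from constructed sample audit.log lines (all pids, inodes and timestamps are invented), groups them by source type, target type and object class, and renders each group in the same allow-rule syntax as the postfixlocal.te listing above, with the number of denials backing each rule, so you can see the evidence behind a rule before running semodule -i.

```python
import re
from collections import defaultdict

# Constructed sample records in the kernel AVC format of /var/log/audit/audit.log (RHEL/CentOS 6); not from a real server.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1390000001.123:456): avc:  denied  { getattr } for  pid=2345 comm="postdrop" path="/var/log/httpd/error_log" dev=dm-0 ino=1234 scontext=unconfined_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1390000001.123:456): arch=c000003e syscall=5 success=yes exit=0 comm="postdrop"
type=AVC msg=audit(1390000002.456:457): avc:  denied  { read } for  pid=2345 comm="postdrop" path="/var/log/httpd/error_log" dev=dm-0 ino=1234 scontext=unconfined_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1390000003.789:458): avc:  denied  { name_connect } for  pid=3456 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

# Extract permissions, process name, source/target *types* (third field of a context) and class; non-AVC records do not match.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=[^:\s]+:[^:\s]+:(?P<stype>\w+):\S*\s+'
    r'tcontext=[^:\s]+:[^:\s]+:(?P<ttype>\w+):\S*\s+tclass=(?P<tclass>\w+)'
)

def parse_denials(log_text, comm=None):
    """Return one dict per denial; comm narrows to a single process, like grep postdrop."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and (comm is None or m.group("comm") == comm):
            d = m.groupdict()
            d["perms"] = set(d["perms"].split())
            denials.append(d)
    return denials

def summarize(denials):
    """Group denials by (source type, target type, class): the unit of one allow rule."""
    rules = defaultdict(lambda: {"perms": set(), "count": 0})
    for d in denials:
        info = rules[(d["stype"], d["ttype"], d["tclass"])]
        info["perms"] |= d["perms"]
        info["count"] += 1
    return dict(rules)

def render_allow_rules(rules):
    """Render each group in .te allow syntax, annotated with how many denials back it."""
    lines = []
    for (stype, ttype, tclass), info in sorted(rules.items()):
        perms = sorted(info["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        lines.append("allow %s %s:%s %s;  # %d denial(s)" % (stype, ttype, tclass, perm_str, info["count"]))
    return lines

if __name__ == "__main__":
    for rule in render_allow_rules(summarize(parse_denials(SAMPLE_AUDIT_LOG))):
        print(rule)
```

On a real server, read the log text from /var/log/audit/audit.log instead of the embedded sample; a rule backed by a single denial, or one granting a mail process access to an unrelated type, deserves a closer look before it is compiled into a module.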

 

Additional Steps

If you are unsure whether SELinux is the root cause of the problem, you can temporarily disable it by editing the SELinux configuration file and setting SELINUX to disabled. A reboot is required for the change to take effect. However, do not leave SELinux permanently disabled!

# vi /etc/selinux/config

Change SELINUX=enforcing to SELINUX=disabled for testing:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

Save the file and reboot. Run your tests again. If what you are testing still does not work, it is probably not SELinux causing the problem.

 

NOTE: SELinux can still block some events in permissive mode.

To make absolutely sure SELinux is not the culprit, it must be set to disabled for testing.

