SELinux prevents Postfix from reading cert files

Hi,

I work with Rocky Linux 8.6 and I have an issue with SELinux preventing Postfix from reading cert files. The files are as shown below:

-rwxrwx---. 1 root apache unconfined_u:object_r:httpd_config_t:s0 4135 Mar 11  2019 gringott_pl.ca-bundle
-rwxrwx---. 1 root apache unconfined_u:object_r:httpd_config_t:s0 2553 Sep 24 00:00 gringott_pl.crt
-rwxrwx---. 1 root apache unconfined_u:object_r:httpd_config_t:s0 1788 Sep 24 21:44 gringott_pl.csr
-rwxrwx---. 1 root apache unconfined_u:object_r:httpd_config_t:s0 3324 Sep 24 21:45 gringott_pl.key

The messages from the audit log file are as follows:

type=AVC msg=audit(1668219580.939:7443): avc:  denied  { read } for  pid=1419526 comm="smtpd" name="gringott_pl.crt" dev="sda1" ino=134712188 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1668219580.939:7443): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55fa33c97d40 a2=0 a3=0 items=0 ppid=1390459 pid=1419526 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1668219580.939:7443): proctitle=736D747064002D6E00736D7470002D7400696E6574002D75002D6F007374726573733D002D730032
type=AVC msg=audit(1668219609.338:7444): avc:  denied  { search } for  pid=1419699 comm="smtp" name="httpd" dev="sda1" ino=990075 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1668219609.338:7444): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55fc9d504f40 a2=0 a3=0 items=0 ppid=1390459 pid=1419699 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smtp" exe="/usr/libexec/postfix/smtp" subj=system_u:system_r:postfix_smtp_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1668219609.338:7444): proctitle=736D7470002D7400756E6978002D75

The same files must be readable for httpd.

I tried:

grep smtpd /var/log/audit/audit.log | audit2allow -M mymodule
semodule -i mymodule.pp

but it did not work for me :frowning:

Since I do not have much experience with SELinux, could you please advise on how to troubleshoot the issue further?

Thanks!

The trivial solution is that you create a copy of the files for Postfix that has the proper SELinux context for Postfix.
That makes the maintenance (update of certs) slightly more complex (must copy to both locations).

Instead of this, I have found a potential solution here, but still haven't figured it out. Have to work on this more… or maybe is there anybody who could help with this approach…? (please see description below)

If you need to share files between 2 different generic domains, you need
to add rules to allow the access. For example, for the domain
myprocess_t and files in /var/www/html, which is labeled as
httpd_sys_content_t, you would use a module like this:

# cat > myprocess_httpd.cil <<EOF
(allow myprocess_t  httpd_sys_content_t (dir ( getattr open search )))
(allow myprocess_t httpd_sys_content_t (file ( getattr ioctl lock open read )))
EOF
# semodule -i myprocess_httpd.cil

For the moment I simply do not understand this :frowning:
Maybe other examples put more light on this.

What I think I need to do is to share gringott_pl.ca-bundle file, which is labeled as httpd_config_t with a domain postfix_etc_t.

Thanks!
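As an added example (not code from the thread or from the Rocky/Postfix projects), this script applies the quoted myprocess_httpd.cil pattern to the two AVC records posted above: it pulls the source domain and target type out of each record and emits the dir and file rules for every pair it finds, so the postfix_smtp_t record (comm="smtp", which a grep for "smtpd" does not match) is covered as well as the postfix_smtpd_t one. The module name postfix_httpd_certs.cil is an assumption; the install function needs root plus policycoreutils and setools and is not executed here.

```shell
#!/bin/sh
# Added example, not from the thread: derive CIL "allow" rules of the
# quoted pattern from AVC denial records. The two records below are
# constructed from the ones posted in the question.

AVC_SAMPLE='type=AVC msg=audit(1668219580.939:7443): avc:  denied  { read } for  pid=1419526 comm="smtpd" name="gringott_pl.crt" dev="sda1" ino=134712188 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0
type=AVC msg=audit(1668219609.338:7444): avc:  denied  { search } for  pid=1419699 comm="smtp" name="httpd" dev="sda1" ino=990075 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=0'

# avc_pairs: print one unique "source_domain target_type" line per AVC
# denial on stdin, keeping only the type field of each context.
avc_pairs() {
    awk '/avc: *denied/ {
        src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src); split(src, s, ":")
        tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt); split(tgt, t, ":")
        print s[3], t[3]
    }' | LC_ALL=C sort -u
}

# pairs_to_cil: emit the dir + file rules of the quoted pattern for each
# pair. An AVC record only names the first permission that was refused
# (read, search); a rule for just that would leave open/getattr to be
# denied on the next attempt, hence the full permission sets.
pairs_to_cil() {
    while read -r dom typ; do
        printf '(allow %s %s (dir (getattr open search)))\n' "$dom" "$typ"
        printf '(allow %s %s (file (getattr ioctl lock open read)))\n' "$dom" "$typ"
    done
}

avc_to_cil() { avc_pairs | pairs_to_cil; }

# Install and verify (root, policycoreutils, setools; not run here).
# Scope caveat: these rules let both Postfix domains read every file
# labelled httpd_config_t, i.e. all of /etc/httpd, not only the four certs.
install_cil() {
    avc_to_cil > postfix_httpd_certs.cil
    semodule -i postfix_httpd_certs.cil
    sesearch --allow -s postfix_smtpd_t -t httpd_config_t -c file
}

printf '%s\n' "$AVC_SAMPLE" | avc_to_cil
```

Feed the real log with `grep '^type=AVC' /var/log/audit/audit.log | avc_to_cil` and review the pairs before installing; any unrelated denial in the log would otherwise become a rule too.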

In this case, it’s better to have the certs in two locations, one for httpd, and one for postfix.