Hi,
I work with Rocky Linux 8.6 and I have an issue with SELinux preventing Postfix from reading cert files. The files are as shown below:
-rwxrwx---. 1 root apache unconfined_u:object_r:httpd_config_t:s0 4135 Mar 11 2019 gringott_pl.ca-bundle
-rwxrwx---. 1 root apache unconfined_u:object_r:httpd_config_t:s0 2553 Sep 24 00:00 gringott_pl.crt
-rwxrwx---. 1 root apache unconfined_u:object_r:httpd_config_t:s0 1788 Sep 24 21:44 gringott_pl.csr
-rwxrwx---. 1 root apache unconfined_u:object_r:httpd_config_t:s0 3324 Sep 24 21:45 gringott_pl.key
The messages from the audit log file are as follows:
type=AVC msg=audit(1668219580.939:7443): avc: denied { read } for pid=1419526 comm="smtpd" name="gringott_pl.crt" dev="sda1" ino=134712188 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1668219580.939:7443): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55fa33c97d40 a2=0 a3=0 items=0 ppid=1390459 pid=1419526 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null) ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1668219580.939:7443): proctitle=736D747064002D6E00736D7470002D7400696E6574002D75002D6F007374726573733D002D730032
type=AVC msg=audit(1668219609.338:7444): avc: denied { search } for pid=1419699 comm="smtp" name="httpd" dev="sda1" ino=990075 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1668219609.338:7444): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55fc9d504f40 a2=0 a3=0 items=0 ppid=1390459 pid=1419699 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smtp" exe="/usr/libexec/postfix/smtp" subj=system_u:system_r:postfix_smtp_t:s0 key=(null) ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1668219609.338:7444): proctitle=736D7470002D7400756E6978002D75
The same files must be readable for httpd.
I tried:
grep smtpd /var/log/audit/audit.log | audit2allow -M mymodule
semodule -i mymodule.pp
but it did not work for me.
Since I do not have much experience with SELinux, could you please advise on how to troubleshoot the issue further?
Thanks!
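The following is an added troubleshooting example, not code from the post above. It parses the two AVC records quoted in the post (copied verbatim into AVC_SAMPLE) and prints, per denial, the source domain, the target type, the object class and the refused permission, which is the first thing to read before feeding anything to audit2allow. It also shows which records a `grep PATTERN audit.log` pipeline would actually pass on. It assumes only the standard audit.log field layout (`scontext=user:role:type:level`); the hypothetical helper names `summarize_avc` and `comms_for_pattern` are mine, and the guess that the directory named `httpd` is `/etc/httpd` is an inference from its `httpd_config_t` label, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post). AVC_SAMPLE holds the two AVC
# records quoted in the post; the regexes assume the stock audit.log layout.
AVC_SAMPLE='type=AVC msg=audit(1668219580.939:7443): avc: denied { read } for pid=1419526 comm="smtpd" name="gringott_pl.crt" dev="sda1" ino=134712188 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0
type=AVC msg=audit(1668219609.338:7444): avc: denied { search } for pid=1419699 comm="smtp" name="httpd" dev="sda1" ino=990075 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=0'

# summarize_avc: read audit records on stdin, keep only type=AVC lines and print
# one line per denial: "<comm> <source type> <target type> <tclass> <permission>"
# (the type is the third colon-separated field of scontext= and tcontext=)
summarize_avc() {
    grep '^type=AVC' | sed -n \
        's/.*denied { \([a-z_]*\) } .*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \5 \1/p'
}

# comms_for_pattern PATTERN: the distinct comm= values that survive
# `grep -E PATTERN`, i.e. the denials a `grep PATTERN audit.log | audit2allow`
# pipeline would actually see (space separated, sorted)
comms_for_pattern() {
    grep -E "$1" | summarize_avc | awk '{ print $1 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

printf '%s\n' "$AVC_SAMPLE" | summarize_avc
# Prints:
#   smtpd postfix_smtpd_t httpd_config_t file read
#   smtp postfix_smtp_t httpd_config_t dir search
# Two different source domains are involved: postfix_smtpd_t is denied "read"
# on the .crt file, and postfix_smtp_t (comm="smtp", the outbound client) is
# denied "search" on the directory named httpd (presumably /etc/httpd; an
# assumption from its httpd_config_t label). A policy module built from
# `grep smtpd audit.log` only ever contains the first denial:
printf '%s\n' "$AVC_SAMPLE" | comms_for_pattern 'smtpd'          # smtpd
printf '%s\n' "$AVC_SAMPLE" | comms_for_pattern 'comm="smtpd?"'  # smtp smtpd
```

Two practical consequences. First, when collecting denials for audit2allow, select by message type and time rather than by one process name, e.g. `ausearch -m AVC -ts recent --raw | audit2allow -M mymodule`, so that the `smtp` directory-search denial is not dropped; after loading the module, re-run the summary on fresh records and expect new denials to keep appearing (read on the .key file, search on each parent directory) until every one has been covered. Second, a custom module that lets the Postfix domains read `httpd_config_t` widens policy for every file under that label; the narrower fix is usually to give the certificate files a label both daemons are already allowed to read. In the stock targeted policy on RHEL-family systems the `cert_t` type (the default label for `/etc/pki/tls`) is readable by both `httpd_t` and the Postfix domains; that can be checked with `sesearch -A -s postfix_smtpd_t -t cert_t -c file -p read` (from setools-console) before copying the files there or relabelling them with `semanage fcontext -a -t cert_t '/path/to/certdir(/.*)?'` followed by `restorecon -Rv /path/to/certdir`.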