Postfix vs. SELinux

I banged my head against this one for a couple hours:

Jun 10 18:40:38 myhost postfix/tlsmgr[17113]: fatal: tls_prng_exch_open: cannot open PRNG exchange file /var/lib/postfix/tls/prng_exch: Permission denied
Jun 10 18:40:39 myhost postfix/master[29715]: warning: process /usr/libexec/postfix/tlsmgr pid 17113 exit status 1
Jun 10 18:40:39 myhost postfix/master[29715]: warning: /usr/libexec/postfix/tlsmgr: bad command startup -- throttling

I should have checked /var/log/messages, not just /var/log/maillog. It never occurred to me that it wasn’t an application error. Next time I connected to the Xen console I found it was full of:

Jun 10 18:40:38 myhost kernel: audit(1181515238.322:6732): avc:  denied  { read write } for  pid=17113 comm="tlsmgr" name="prng_exch" dev=xvda3 ino=491990 scontext=user_u:system_r:postfix_master_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file

Ugh. Disable SELinux and everything worked fine. If somebody knows the SELinux incantation to make this work properly with SELinux on, please leave a comment.

2 thoughts on “Postfix vs. SELinux”

  1. To be honest, this is something you should be reporting to the FC/RH bugzilla.
    A related example (ntpd and FC7):
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=242215

    Turn your SELINUX settings to permissive and see what audit2allow says about your logged messages concerning postgres and /var/lib/postfix/tls/prng_exch

    It looks to me, from a bird’s-eye view, that the file is just mislabeled. It’s got the generic context var_lib_t, when it should really have a context that associates it with files writable by the postmaster (look in postgres’s data directory for examples). Audit2allow might tell you to do something more drastic, like add a rule that lets postgres modify anything in /var/lib. Meh.

    Hence why you should add a bugzilla entry. This will probably get fixed up and pushed into upstream quickly.
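Added example, not from the post or its commenter: a small POSIX shell helper that pulls the fields out of an AVC record like the one above (the sample line is the one from the post, embedded as constructed input) and prints the denial in one line, plus the label check a practitioner would run before reaching for audit2allow. The `fix_label` function assumes standard SELinux userland (`ls -Z`, `matchpathcon`, `restorecon`) on the affected host and takes the expected type from the loaded policy rather than guessing one.

```shell
#!/bin/sh
# Constructed sample: the AVC denial quoted in the post above.
AVC_LINE='Jun 10 18:40:38 myhost kernel: audit(1181515238.322:6732): avc:  denied  { read write } for  pid=17113 comm="tlsmgr" name="prng_exch" dev=xvda3 ino=491990 scontext=user_u:system_r:postfix_master_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file'

# Extract one key=value field from an AVC record; the value may be quoted or bare.
avc_field() {  # usage: avc_field "$line" key
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# The SELinux type is the third colon-separated field of a context string.
ctx_type() {  # usage: ctx_type user_u:object_r:var_lib_t:s0 -> var_lib_t
    printf '%s\n' "$1" | cut -d: -f3
}

# The permissions that were denied sit inside the braces: "{ read write }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# One-line summary: source domain, denied permissions, target type, file name.
avc_summary() {
    printf '%s denied %s on %s (%s)\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perms "$1")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" name)"
}

# Compare the file's current label with what the loaded policy expects and
# reapply the policy label. Run as root on the host with the denial; requires
# libselinux-utils. If the expected label is also var_lib_t the policy itself
# has no rule for this path, which is the case for a distro bug report.
fix_label() {  # usage: fix_label /var/lib/postfix/tls/prng_exch
    echo "current:  $(ls -Z "$1")"
    echo "expected: $(matchpathcon "$1")"
    restorecon -v "$1"
}

avc_summary "$AVC_LINE"
# prints: postfix_master_t denied read write on var_lib_t (prng_exch)
```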