I banged my head against this one for a couple of hours:
Jun 10 18:40:38 myhost postfix/tlsmgr[17113]: fatal: tls_prng_exch_open: cannot open PRNG exchange file /var/lib/postfix/tls/prng_exch: Permission denied
Jun 10 18:40:39 myhost postfix/master[29715]: warning: process /usr/libexec/postfix/tlsmgr pid 17113 exit status 1
Jun 10 18:40:39 myhost postfix/master[29715]: warning: /usr/libexec/postfix/tlsmgr: bad command startup -- throttling
I should have checked /var/log/messages, not just /var/log/maillog. It never occurred to me that it wasn't an application error. The next time I connected to the Xen console, I found it was full of:
Jun 10 18:40:38 myhost kernel: audit(1181515238.322:6732): avc: denied { read write } for pid=17113 comm="tlsmgr" name="prng_exch" dev=xvda3 ino=491990 scontext=user_u:system_r:postfix_master_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file
Ugh. I disabled SELinux and everything worked fine. If somebody knows the SELinux incantation to make this work properly with SELinux on, please leave a comment.
To be honest, this is something you should be reporting to the FC/RH bugzilla.
A related example (ntpd and FC7):
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=242215
Turn your SELINUX settings to permissive and see what audit2allow says about your logged messages concerning postgres and /var/lib/postfix/tls/prng_exch.
It looks to me, from a bird's-eye view, that the file is just mislabeled. It's got the generic context var_lib_t, when it should really have a context that associates it with files writable by the postmaster (look in postgres's data directory for examples). Audit2allow might tell you to do something more drastic, like add a rule that lets postgres modify anything in /var/lib. Meh.
Hence why you should add a bugzilla entry. This will probably get fixed up and pushed into upstream quickly.
You might try setroubleshooter:
http://danwalsh.livejournal.com/7212.html
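As an added example (not code from the post or from either commenter), the Python script below parses AVC denial records like the one in the post out of plain syslog text and applies the commenter's "it's just mislabeled" diagnosis mechanically: a denied file access whose target carries a generic type such as var_lib_t is flagged as a probable labeling problem and paired with the read-only label checks (ls -Z, matchpathcon, restorecon -n), while any other denial is flagged as a possible policy gap to inspect with audit2allow -w before reporting it. The sample log, the second (TCP port) denial, the name-to-path mapping and the list of "generic" types are constructed assumptions for the example, not values from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log. Line 1 is the AVC denial from the post; line 2 is a
# made-up denial against a TCP port for contrast; line 3 is a postfix warning
# with no AVC record and must be ignored by the parser.
SAMPLE_LOG = """\
Jun 10 18:40:38 myhost kernel: audit(1181515238.322:6732): avc: denied { read write } for pid=17113 comm="tlsmgr" name="prng_exch" dev=xvda3 ino=491990 scontext=user_u:system_r:postfix_master_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file
Jun 10 18:41:02 myhost kernel: audit(1181515262.100:6740): avc: denied { name_bind } for pid=17200 comm="smtpd" src=2525 scontext=user_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Jun 10 18:41:05 myhost postfix/master[29715]: warning: process /usr/libexec/postfix/tlsmgr pid 17113 exit status 1
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (assumption, not from the page): catch-all types that a
# service-specific file normally should not carry. A file denial whose target
# has one of these labels usually means the file is mislabeled rather than
# that policy is missing a rule.
GENERIC_FILE_TYPES = frozenset({
    "var_lib_t", "var_t", "var_run_t", "var_log_t", "var_spool_t",
    "etc_t", "usr_t", "tmp_t", "default_t", "unlabeled_t", "file_t",
})
FILE_CLASSES = frozenset({"file", "dir", "lnk_file", "sock_file",
                          "fifo_file", "chr_file", "blk_file"})


@dataclass
class Denial:
    perms: tuple          # e.g. ("read", "write")
    comm: str             # process name, e.g. "tlsmgr"
    stype: str            # source (process) type, e.g. postfix_master_t
    ttype: str            # target (object) type, e.g. var_lib_t
    tclass: str           # object class, e.g. file / tcp_socket
    name: Optional[str]   # basename reported by the kernel, if any
    path: Optional[str]   # full path, only present on some kernels


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Optional[Denial]:
    """Return a Denial for an AVC 'denied' line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(
        perms=tuple(m.group("perms").split()),
        comm=fields.get("comm", "?"),
        stype=context_type(fields["scontext"]),
        ttype=context_type(fields["tcontext"]),
        tclass=fields["tclass"],
        name=fields.get("name"),
        path=fields.get("path"),
    )


def triage(d: Denial, path: Optional[str] = None) -> Dict[str, object]:
    """Classify a denial and list the next checks. Commands are returned as
    strings for the operator to run, never executed here."""
    path = path or d.path
    if d.tclass in FILE_CLASSES and d.ttype in GENERIC_FILE_TYPES:
        target = path or "<path of %s>" % d.name
        return {
            "verdict": "relabel",
            "why": "%s (%s) denied %s on a %s labeled %s, a generic type; the file is probably mislabeled"
                   % (d.comm, d.stype, "/".join(d.perms), d.tclass, d.ttype),
            # restorecon -n is a dry run: it reports what would change without relabeling.
            "commands": ["ls -Z " + target, "matchpathcon " + target, "restorecon -nv " + target],
        }
    return {
        "verdict": "policy",
        "why": "%s (%s) denied %s on %s %s; not a file label issue, review the rule gap"
               % (d.comm, d.stype, "/".join(d.perms), d.tclass, d.ttype),
        "commands": ["audit2allow -w -a"],
    }


def triage_log(text: str, name_to_path: Optional[Dict[str, str]] = None) -> List[Dict[str, object]]:
    """Run triage over every AVC line in a syslog excerpt. name_to_path maps
    the kernel's basename to a full path when the record lacks path=."""
    name_to_path = name_to_path or {}
    results = []
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        r = triage(d, name_to_path.get(d.name or ""))
        r["line"] = line
        results.append(r)
    return results


if __name__ == "__main__":
    # Assumed mapping: the post's file lives at /var/lib/postfix/tls/prng_exch.
    for r in triage_log(SAMPLE_LOG, {"prng_exch": "/var/lib/postfix/tls/prng_exch"}):
        print("[%s] %s" % (r["verdict"], r["why"]))
        for cmd in r["commands"]:
            print("    " + cmd)
```

If matchpathcon reports a type different from what ls -Z shows, restorecon -v on the path applies the policy's label; if matchpathcon itself reports var_lib_t for the path, policy has no specific file context for it, which is the case worth filing in Bugzilla as the commenter suggests.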