09Selinux - amagerard/Mail GitHub Wiki


9. Selinux.

See TemplateVM-selinux.

9.1 Selinux Enforcing.

Check that setroubleshoot and setools-console are present.
rpm -qa | grep setroubleshoot
rpm -qa | grep setools-console
If they are not present, install them.
dnf install setroubleshoot setools-console

Check that SELinux is currently in permissive mode.
getenforce

Permissive

Stop services.
systemctl stop nginx
systemctl stop mariadb
systemctl stop php-fpm
systemctl stop postfix
systemctl stop dovecot

9.2 Troubleshooting alerts.

Open a console as root and follow the log.
journalctl -f
or
journalctl -t setroubleshoot
or
journalctl | grep ausearch

Open a second console as root for the commands below.

9.3 Fixing the alerts.

Start each service in turn from the second console; the log in the first console shows the SELinux denials and offers solution(s).
systemctl start <service>
systemctl status <service>

Example:

When you should report this as a bug.  
   You can generate a local policy module to allow this access.  
   Do  
   allow this access for now by executing:  
   # ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm  
   # semodule -X 300 -i my-phpfpm.pp  

Run the suggested audit2allow command.

ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm  

The output ends with:

******************** IMPORTANT ***********************  
To make this policy package active, execute:  
  
semodule -i my-phpfpm.pp  

Before loading the module, read the generated my-phpfpm.te: audit2allow writes an allow rule for exactly the accesses that were denied, and that rule can be broader than you intend. Then run the suggested command.
semodule -i my-phpfpm.pp

Restart the service and repeat these steps until no further SELinux alerts appear in the log.

After fixing all SELinux alerts, check the services.

systemctl start mariadb
systemctl status mariadb
systemctl start nginx
systemctl status nginx
systemctl start php-fpm
systemctl status php-fpm
systemctl start postfix
systemctl status postfix
systemctl start dovecot
systemctl status dovecot

This is not enough, because SELinux also blocks accesses made by the web applications themselves.
You must redo every operation in the web interface (Postfixadmin, etc.) and check the log for new SELinux errors after each one.
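Added example, not from this wiki: a small Python triage script that groups the AVC denials printed by `ausearch -m avc --raw` by service, source type, permission and target type, so you can see what `audit2allow -M` is about to allow before loading the module. It runs on a constructed sample of audit records embedded in the script; the two httpd booleans it knows about (`httpd_can_network_connect_db`, `httpd_can_network_connect`) are real targeted-policy booleans, and everything else falls back to the wiki's audit2allow route.

```python
import re
from collections import Counter

# Constructed sample of raw audit records in the format `ausearch -m avc --raw` prints.
# These lines are made up for this example; they are not from the wiki or a real server.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1700000000.101:451): avc:  denied  { name_connect } for  pid=1234 comm="php-fpm" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.202:452): avc:  denied  { name_connect } for  pid=1235 comm="php-fpm" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.303:453): avc:  denied  { write } for  pid=1234 comm="php-fpm" name="sessions" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000000.404:454): avc:  denied  { read } for  pid=2345 comm="auth" name="dovecot-sql.conf.ext" scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.404:454): arch=c000003e syscall=257 success=yes exit=4
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

# Targeted-policy booleans that cover common httpd_t (php-fpm) denials; a boolean is
# preferable to a custom module because it is a maintained, reviewed rule.
KNOWN_BOOLEANS = {
    ("httpd_t", "name_connect", "mysqld_port_t", "tcp_socket"): "httpd_can_network_connect_db",
}

def type_of(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def parse_avc(line):
    """Return one (comm, source type, perm, target type, class) tuple per denied permission."""
    m = AVC_RE.search(line)
    if not m:
        return []
    return [(m["comm"], type_of(m["scon"]), perm, type_of(m["tcon"]), m["tclass"])
            for perm in m["perms"].split()]

def suggest(comm, stype, perm, ttype, tclass):
    """Recommend a boolean when one is known, otherwise the wiki's audit2allow route."""
    boolean = KNOWN_BOOLEANS.get((stype, perm, ttype, tclass))
    if boolean is None and stype == "httpd_t" and perm == "name_connect" and tclass == "tcp_socket":
        boolean = "httpd_can_network_connect"  # broader: any TCP port, so prefer the _db one
    if boolean:
        return f"setsebool -P {boolean} on"
    return f"ausearch -c '{comm}' --raw | audit2allow -M my-{comm}  (review my-{comm}.te before semodule -i)"

def triage(raw):
    """Group denials by (comm, source type, perm, target type, class) with counts and advice."""
    counts = Counter(t for line in raw.splitlines() for t in parse_avc(line))
    return [dict(comm=c, stype=s, perm=p, ttype=t, tclass=k, count=n, suggestion=suggest(c, s, p, t, k))
            for (c, s, p, t, k), n in sorted(counts.items())]
```

On a real server, feed it `ausearch -m avc --raw` output instead of the sample and read each row before deciding between a boolean and a custom module.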

9.4 Selinux enforcing.

If you managed to delete all the selinux messages, I say congratulations.

Switch SELinux to "enforcing" mode.
Edit /etc/crontab and comment out the line that sets permissive mode at boot:
vi /etc/crontab

# enable selinux enforcing
#@reboot root setenforce 0

Restart your server.
reboot or init 6

After the reboot, getenforce must report Enforcing.

9.5 Selinux garbage files.

The audit2allow -M step leaves files named my-<...>.pp behind.
I didn't find the reason why and whose fault it is.
I delete all these files.
cd /
find . -type f -name 'my-*.pp' -exec rm {} \;

This only removes the package files; the modules already loaded with semodule -i stay active (semodule -l lists them).
