SELinux — Troubleshoot & Solve Specific Issues

COMMANDS TO FIND AND FIX MISCONFIGURATIONS IN SELinux ON A SERVER

Assumptions:

Installed rpms:
yum install setroubleshoot-server
yum install policycoreutils-python

Verify the problem:

From a different server, run: telnet mail6.its.uconn.edu 25

[root@mail4 bin]# telnet mail6.its.uconn.edu 25
Trying 137.99.51.69...
Connected to mail6.its.uconn.edu.
Escape character is '^]'.

The TCP connection is accepted, but the SMTP banner (the "220 ... ESMTP Postfix" line) never appears, so smtpd is not serving the session.

Example of correct connection: telnet mail5.its.uconn.edu 25

[root@mail4 bin]# telnet mail5.its.uconn.edu 25
Trying 137.99.51.68...
Connected to mail5.its.uconn.edu.
Escape character is '^]'.
220 mail5.its.uconn.edu ESMTP Postfix
quit
221 2.0.0 Bye
Connection closed by foreign host.

SECTION A

1. Query the audit log for recent AVC denials to identify what SELinux is blocking, by running the command:

ausearch -m AVC,USER_AVC -ts recent

Typical OUTPUT:

time->Wed Dec 4 12:25:43 2019
type=PROCTITLE msg=audit(1575480343.280:173999): proctitle=736D747064002D6E00736D7470002D7400696E6574002D75002D6F007374726573733D002D730032
type=SYSCALL msg=audit(1575480343.280:173999): arch=c000003e syscall=2 success=no exit=-13 a0=55d60928ab10 a1=2 a2=0 a3=3 items=0 ppid=25277 pid=12626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1575480343.280:173999): avc: denied { read write } for pid=12626 comm="smtpd" name="inet.smtp" dev="dm-2" ino=8394101 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0

SECTION B

1. Query the setroubleshoot journal from the timestamp shown in the "ausearch" output, by running the command:

journalctl -t setroubleshoot --since=12:25

Dec 04 12:25:47 mail6.its.uconn.edu setroubleshoot[12631]: SELinux is preventing smtpd from 'read, write' accesses on the file inet.smtp. For complete SELinux messages run: sealert -l 8c893ceb-e3d3-425f-9be7-0229645517ef

SECTION C

1. Retrieve the full alert using the ID given in the "journalctl" output, by running the command:

sealert -l 8c893ceb-e3d3-425f-9be7-0229645517ef

Typical OUTPUT:

SELinux is preventing smtpd from 'read, write' accesses on the file inet.smtp.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that smtpd should be allowed read write access on the inet.smtp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'smtpd' --raw | audit2allow -M my-smtpd
# semodule -i my-smtpd.pp

Additional Information:
Source Context system_u:system_r:postfix_smtpd_t:s0
Target Context unconfined_u:object_r:var_run_t:s0
Target Objects inet.smtp [ file ]
Source smtpd
Source Path smtpd
Port <Unknown>
Host mail6.its.uconn.edu
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-252.el7.1.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name mail6.its.uconn.edu
Platform Linux mail6.its.uconn.edu
3.10.0-1062.4.1.el7.x86_64 #1 SMP Wed Sep 25
09:42:57 EDT 2019 x86_64 x86_64
Alert Count 7
First Seen 2019-12-04 12:23:40 EST
Last Seen 2019-12-04 12:29:47 EST
Local ID 8c893ceb-e3d3-425f-9be7-0229645517ef

Raw Audit Messages
type=AVC msg=audit(1575480587.475:174010): avc: denied { read write } for pid=12955 comm="smtpd" name="inet.smtp" dev="dm-2" ino=8394101 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0

Hash: smtpd,postfix_smtpd_t,var_run_t,file,read,write

 

NOTICE: In the original the solution is highlighted in green; in this text version it is the two commands sealert lists after "allow this access for now by executing" (the ausearch -c 'smtpd' --raw | audit2allow -M my-smtpd line and the semodule -i my-smtpd.pp line).
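The "avc: denied" record is what the whole procedure keys on. As an added example (not part of this runbook), the Python below parses such records, rebuilds the comm,stype,ttype,tclass,perms tuple that sealert prints after "Hash:", and flags whether the target object carries a generic label such as var_run_t, in which case a practitioner would check the file's label (restorecon / semanage fcontext) before building an allow module with audit2allow; the GENERIC_TYPES set is my own assumption.

```python
import re

# Constructed input: the two AVC records quoted in Sections A and C of this page.
SAMPLE_AVC = [
    'type=AVC msg=audit(1575480343.280:173999): avc: denied { read write } for pid=12626 comm="smtpd" name="inet.smtp" dev="dm-2" ino=8394101 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1575480587.475:174010): avc: denied { read write } for pid=12955 comm="smtpd" name="inet.smtp" dev="dm-2" ino=8394101 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0',
]

# Assumed list of generic file types: a denial against one of these usually means the
# object is mislabelled (fix with restorecon / semanage fcontext), not that policy is missing.
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "tmp_t", "default_t",
                 "unlabeled_t", "etc_t", "usr_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "permissive": fields.get("permissive") == "1",
        # a context is user:role:type:level; the type is what policy rules key on
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
    }

def hash_key(rec):
    """Same tuple sealert prints after 'Hash:' (comm,stype,ttype,tclass,perms...)."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"]] + rec["perms"])

def triage(rec):
    """'relabel' when the target has a generic label, else 'policy' (audit2allow candidate)."""
    return "relabel" if rec["ttype"] in GENERIC_TYPES else "policy"

def summarize(lines):
    """Group denials by sealert hash key; returns {key: (count, triage)}."""
    out = {}
    for rec in filter(None, map(parse_avc, lines)):
        key = hash_key(rec)
        n = out.get(key, (0, None))[0]
        out[key] = (n + 1, triage(rec))
    return out
```

Feed it the output of `ausearch -m AVC -ts recent --raw` line by line; for the records on this page summarize() reports two hits on smtpd,postfix_smtpd_t,var_run_t,file,read,write with triage "relabel".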