
Configuring SELinux when using Postfix or Sendmail milter

This section describes how to configure SELinux to allow email traffic when using Bitdefender milters for Postfix and Sendmail.

Bitdefender Security for Mail Servers protects Windows or UNIX-based mail servers against known and unknown security threats with award-winning proactive antivirus, antispyware, antispam, antiphishing, content and attachment filtering technologies. The solution secures organizations' email services and improves productivity by blocking spam and providing common centralized management tools.

Overview

On mail servers with SELinux in enforcing mode (the default setting), the SELinux policy prevents the Bitdefender milter from integrating with the Postfix and Sendmail mail transfer agents (MTAs): the MTA process is not allowed to reach the milter's UNIX socket. As a consequence, the mail server cannot hand messages to the milter and mail traffic stops.

To solve this issue, you have to create a series of SELinux policy exceptions (local policy modules) that allow only the MTA domain the specific accesses it needs on the milter socket. The steps to create these exceptions for each MTA are given below.

Prerequisites

The policycoreutils-python package must be installed. It contains audit2allow, the tool used to turn audit log denials into SELinux policy modules.

The policycoreutils-python package is not installed by default. On newer distributions (Red Hat Enterprise Linux 8 and later, and current Debian releases) the same tools ship in the policycoreutils-python-utils package instead; if the package name below is not found, install that one.

To verify you have the package on your system, run:

  1. On Red Hat based distributions

    $ rpm -qa policycoreutils-python

  2. On Debian based distributions

    $ dpkg -s policycoreutils-python

To install the package, run:

  1. On Red Hat based distributions

    # yum install policycoreutils-python

  2. On Debian based distributions

    # apt-get update
    # apt-get install policycoreutils-python

Troubleshooting

SELinux denials (AVC messages) are recorded by the audit daemon in /var/log/audit/audit.log. audit2allow reads the "denied" entries and builds a policy module containing the allow rules needed to permit exactly those accesses.

Two points to keep in mind while following the steps below. First, audit2allow allows whatever you feed it: the grep filters on the process name only, so any unrelated denial for smtpd or sendmail present in the log is turned into an allow rule as well. Review the generated .te file before loading it with semodule and make sure every rule refers to the milter socket contexts shown in the log entries. Second, denials surface one at a time: the connectto denial is only logged once the write denial has been allowed, so repeat the build, load and test cycle until mail flows.

Follow these steps to configure SELinux with audit2allow:

For Postfix milter

  1. For the log entry below, build the SELinux module allowing smtpd to write to the socket created by Bitdefender:

    type=AVC msg=audit(1420639482.638:359): avc: denied { write } for pid=2628 comm="smtpd" name="bdmilterd.sock" dev="dm-1" ino=17433124 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file

    # grep "denied { write }" /var/log/audit/audit.log|grep "smtpd"|audit2allow -M smtpd-write

    The resulting module consists of two files:

    • smtpd-write.te, a type enforcement file

    • smtpd-write.pp, a policy package file

  2. Load the package into the policy.

    # semodule -i smtpd-write.pp

  3. Create another policy allowing smtpd to connect to the socket, for the following log entry:

    type=AVC msg=audit(1420712445.141:616): avc: denied { connectto } for pid=4292 comm="smtpd" path="/var/spool/postfix/BitDefender/bdmilterd.sock" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket

    # grep "denied { connectto }" /var/log/audit/audit.log|grep "smtpd"|audit2allow -M smtpd-connectto

    The resulting files: smtpd-connectto.te, smtpd-connectto.pp

  4. Load the package into the policy.

    # semodule -i smtpd-connectto.pp

  5. To view the installed policy modules, run:

    # semodule -l

For Sendmail milter

  1. For the log entry below, build the SELinux module that allows sendmail to read the attributes of the socket created by Bitdefender:

    type=AVC msg=audit(1420728867.579:709): avc: denied { getattr } for pid=5805 comm="sendmail" path="/run/BitDefender/bdmilterd.sock" dev="tmpfs" ino=334905 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=sock_file

    # grep "denied { getattr }" /var/log/audit/audit.log|grep "sendmail"|audit2allow -M sendmail-getattr

    The resulting module consists of two files:

    • sendmail-getattr.te, a type enforcement file

    • sendmail-getattr.pp, a policy package file

  2. Load the package into the policy.

    # semodule -i sendmail-getattr.pp

  3. For the log entry below, build the SELinux module allowing sendmail to write to the socket created by Bitdefender:

    type=AVC msg=audit(1420729472.802:720): avc: denied { write } for pid=5881 comm="sendmail" name="bdmilterd.sock" dev="tmpfs" ino=334905 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=sock_file

    # grep "denied { write }" /var/log/audit/audit.log|grep "sendmail"|audit2allow -M sendmail-write

    The resulting files: sendmail-write.te, sendmail-write.pp

  4. Load the package into the policy.

    # semodule -i sendmail-write.pp

  5. For the following log entry, create a policy allowing sendmail to connect to the socket:

    type=AVC msg=audit(1420730220.602:729): avc: denied { connectto } for pid=5999 comm="sendmail" path="/run/BitDefender/bdmilterd.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

    # grep "denied { connectto }" /var/log/audit/audit.log|grep "sendmail"|audit2allow -M sendmail-connectto

    The resulting files: sendmail-connectto.te, sendmail-connectto.pp

  6. Load the package into the policy.

    # semodule -i sendmail-connectto.pp

  7. To view the installed policy modules, run:

    # semodule -l
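The grep pipelines above (for both the Postfix and the Sendmail procedures) hand raw AVC lines to audit2allow without showing what allow rules come out of them. The script below is an added example, not Bitdefender's code and not a replacement for audit2allow: it parses AVC "denied" lines in pure shell/awk and prints the type-enforcement rules and the .te module skeleton that audit2allow would generate, so the rules can be reviewed before a .pp is built and loaded. Its input is the five log entries from this page plus one constructed, unrelated sendmail denial (a write to a var_log_t file, which does not exist in the page's logs) to show why filtering on the socket path, and not just on the process name, matters. The function names avc_rules and avc_te_module and the module name smtpd-milter are this example's own.

```shell
#!/bin/sh
# Added example: review the SELinux allow rules implied by AVC denials.
# Not part of the Bitdefender documentation; audit2allow itself is still
# needed to compile and package a loadable .pp module.

# Constructed sample log: the five AVC entries from the page plus one
# unrelated sendmail denial (the var_log_t line) that a grep on "sendmail"
# and "denied { write }" would also sweep into a policy module.
SAMPLE_AUDIT='type=AVC msg=audit(1420639482.638:359): avc: denied { write } for pid=2628 comm="smtpd" name="bdmilterd.sock" dev="dm-1" ino=17433124 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file
type=AVC msg=audit(1420712445.141:616): avc: denied { connectto } for pid=4292 comm="smtpd" path="/var/spool/postfix/BitDefender/bdmilterd.sock" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1420728867.579:709): avc: denied { getattr } for pid=5805 comm="sendmail" path="/run/BitDefender/bdmilterd.sock" dev="tmpfs" ino=334905 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1420729472.802:720): avc: denied { write } for pid=5881 comm="sendmail" name="bdmilterd.sock" dev="tmpfs" ino=334905 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:init_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1420730220.602:729): avc: denied { connectto } for pid=5999 comm="sendmail" path="/run/BitDefender/bdmilterd.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1420730300.000:740): avc: denied { write } for pid=6001 comm="sendmail" name="messages" dev="dm-1" ino=17433900 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# avc_rules COMM [SUBSTRING]
# Reads AVC lines on stdin and prints one "allow SRC TGT:CLASS PERM;" rule per
# denied permission for process COMM. If SUBSTRING is given, only lines whose
# path= or name= contains it (e.g. the milter socket name) are kept.
avc_rules() {
    awk -v comm="$1" -v want="$2" '
    /^type=AVC/ && / denied / {
        if (match($0, /comm="[^"]*"/) == 0) next
        if (substr($0, RSTART + 6, RLENGTH - 7) != comm) next
        if (want != "" && index($0, want) == 0) next
        if (match($0, /[{][^}]*[}]/) == 0) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        if (match($0, /scontext=[^ ]*/) == 0) next
        split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
        if (match($0, /tcontext=[^ ]*/) == 0) next
        split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
        if (match($0, /tclass=[^ ]*/) == 0) next
        cls = substr($0, RSTART + 7, RLENGTH - 7)
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            print "allow " s[3] " " t[3] ":" cls " " p[i] ";"
    }' | sort -u
}

# avc_te_module NAME
# Reads allow rules on stdin and wraps them in a .te module skeleton with the
# require block that audit2allow -M would emit.
avc_te_module() {
    awk -v name="$1" '
    NF {
        rules[++n] = $0
        split($3, tc, ":")
        types[$2] = 1; types[tc[1]] = 1
        perm = $4; sub(/;$/, "", perm)
        if (!((tc[2], perm) in seen)) {
            seen[tc[2], perm] = 1
            perms[tc[2]] = perms[tc[2]] " " perm
        }
    }
    END {
        print "module " name " 1.0;\n"
        print "require {"
        for (ty in types) print "\ttype " ty ";"
        for (c in perms) print "\tclass " c " {" perms[c] " };"
        print "}\n"
        for (i = 1; i <= n; i++) print rules[i]
    }'
}

# Demo: the two Postfix rules from the page, as one reviewable module.
printf '%s\n' "$SAMPLE_AUDIT" | avc_rules smtpd bdmilterd.sock | avc_te_module smtpd-milter
```

Run it with `sh` and compare `avc_rules sendmail` with `avc_rules sendmail bdmilterd.sock`: the first also yields `allow sendmail_t var_log_t:file write;`, a rule the milter does not need. Once the .te has been reviewed, the real module is built with `checkmodule -M -m -o NAME.mod NAME.te`, `semodule_package -o NAME.pp -m NAME.mod` and `semodule -i NAME.pp`, which is what `audit2allow -M` does behind the scenes.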