[GF-Users] Postfix TLSRPT
Peter
peter at pajamian.dhs.org
Tue Jun 17 20:48:06 MST 2025
I'll add the selinux module to the tlsrpt-reporter package, thanks.
The original spec file was "stolen" from Fedora, but has been greatly
modified over several years by me, so not all of the credit goes to GF.
Also keep in mind that those are the actual make commands sent by
rpmbuild but a lot of it is compiled in the spec file and doesn't
actually look that complex or explicit.
Peter Ajamian
On 17/06/25 21:11, Michael Webb wrote:
> Peter. Agreed, thank you. 0777 is a bad idea, but my point was more that there is something else going on beyond regular file permissions preventing the socket connection on your build. I have since found that selinux is blocking the connection.
>
> From my selinux audit log:
> ------------------------------------
> type=AVC msg=audit(1750140768.442:846): avc: denied { write } for pid=3168 comm="smtp" name="tlsrpt-collectd.socket" dev="tmpfs" ino=1223 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
>
> I then confirmed postfix_smtp_t is the culprit
> audit2allow -a
> #============= postfix_smtp_t ==============
> allow postfix_smtp_t unconfined_service_t:unix_dgram_socket sendto;
> allow postfix_smtp_t var_run_t:sock_file write;
>
> #After setting the following, the gf postfix connection is working normally (with 0660) (and I can retire my custom build, yay)
> semanage permissive -a postfix_smtp_t
>
>
> Thanks also for sharing your compiler info in the previous email. It was very informative to see how much more you are doing with your build, folder path selection and how you also use it to make the build rpm ready. I truly appreciate how much TLC has gone into the project. Huge thank you!
>
> Mike
>
> -----Original Message-----
> From: users-bounces at lists.ghettoforge.org <users-bounces at lists.ghettoforge.org> On Behalf Of Peter
> Sent: Monday, June 16, 2025 10:40 PM
> To: users at lists.ghettoforge.org
> Subject: Re: [GF-Users] Postfix TLSRPT
>
> On 17/06/25 16:23, Peter wrote:
>>> Coincidentally I got the same error in my self-compiled system and I resolved by setting "socketmode = 0777" in collectd.cfg but it does not seem to help on the gf postfix install. I will keep looking and testing and report back if I find anything.
>>
>> It's generally not a good idea to set perms to 777, we should look at
>> the user and group settings on the socket and go from there.
>
> Try this:
> socketmode = 0660
> socketgroup = postfix
> socketuser = tlsrpt
>
> ...also try with 0666 and 0770 and let me know which combinations work.
>
>
> Peter
>
> _______________________________________________
> users mailing list
> users at lists.ghettoforge.org
> http://lists.ghettoforge.org/mailman/listinfo/users