[GF-Users] Postfix TLSRPT
Peter
peter at pajamian.dhs.org
Wed Jun 18 00:42:33 MST 2025
Okay, so I think the proper way to do this is:
Create a new selinux type: system_u:object_r:tlsrpt_var_run_t and set
context for /var/run/tlsrpt to that type.
Create a new policy allowing write and sendto for postfix_smtp_t to
tlsrpt_var_run_t.
That should allow postfix to access the socket properly without blowing
out access to a bunch of other files as well.
This is a bit of advanced selinux for me so I'll work it out over the
next day or so and add it to the tlsrpt-reporter package so it gets
installed in %post.
Peter
On 18/06/25 16:18, Peter wrote:
> Actually I'll just put a note in a README file about it. I don't want
> to open up those particular params by default.
>
> I might be able to set the context of the socket to postfix_smtp_t, though.
>
>
> Peter
>
>
> On 18/06/25 15:48, Peter wrote:
>> I'll add the selinux module to the tlsrpt-reporter package, thanks.
>>
>> The original spec file was "stolen" from Fedora, but has been greatly
>> modified over several years by me, so not all of the credit goes to GF.
>> Also keep in mind that those are the actual make commands sent by
>> rpmbuild but a lot of it is compiled in the spec file and doesn't
>> actually look that complex or explicit.
>>
>>
>> Peter Ajamian
>>
>>
>> On 17/06/25 21:11, Michael Webb wrote:
>>> Peter. Agreed, thank you. 0777 is a bad idea, but my point was more that there is something else going on beyond regular file permissions preventing the socket connection on your build. I have since found that selinux is blocking the connection.
>>>
>>> From my selinux audit log:
>>> ------------------------------------
>>> type=AVC msg=audit(1750140768.442:846): avc: denied { write } for pid=3168 comm="smtp" name="tlsrpt-collectd.socket" dev="tmpfs" ino=1223 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
>>>
>>> I then confirmed postfix_smtp_t is the culprit
>>> audit2allow -a
>>> #============= postfix_smtp_t ==============
>>> allow postfix_smtp_t unconfined_service_t:unix_dgram_socket sendto;
>>> allow postfix_smtp_t var_run_t:sock_file write;
>>>
>>> #After setting the following, the gf postfix connection is working normally (with 0660) (and I can retire my custom build, yay)
>>> semanage permissive -a postfix_smtp_t
>>>
>>>
>>> Thanks also for sharing your compiler info in previous email. It was very informative to see how much more you are doing with your build, folder path selection and how you also use it to make the build rpm ready. I truly appreciate how much TLC that has gone into the project. Huge thank you!
>>>
>>> Mike
>>>
>>> -----Original Message-----
>>> From: users-bounces at lists.ghettoforge.org <users-bounces at lists.ghettoforge.org> On Behalf Of Peter
>>> Sent: Monday, June 16, 2025 10:40 PM
>>> To: users at lists.ghettoforge.org
>>> Subject: Re: [GF-Users] Postfix TLSRPT
>>>
>>> On 17/06/25 16:23, Peter wrote:
>>>>> Coincidentally I got the same error in my self-compiled system and I resolved by setting "socketmode = 0777" in collectd.cfg but it does not seem to help on the gf postfix install. I will keep looking and testing and report back if I find anything.
>>>>
>>>> It's generally not a good idea to set perms to 777, we should look at
>>>> the user and group settings on the socket and go from there.
>>>
>>> Try this:
>>> socketmode = 0660
>>> socketgroup = postfix
>>> socketuser = tlsrpt
>>>
>>> ...also try with 0666 and 0770 and let me know which combinations work.
>>>
>>>
>>> Peter
>>>
>>> _______________________________________________
>>> users mailing list
>>> users at lists.ghettoforge.org
>>> http://lists.ghettoforge.org/mailman/listinfo/users
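Peter's plan at the top of the message, written out as an SELinux module and the commands a package %post would run. This is an added example, not code from the thread or from the tlsrpt-reporter package; the module name, the tool invocations and the /var/run/tlsrpt layout are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread or the tlsrpt-reporter package.
# Builds and loads an SELinux module for the plan above: a dedicated type
# for the collector's runtime directory plus the two rules the audit log
# shows being denied. Module name and tool invocations are assumptions.
set -eu
MODULE=tlsrpt
SOCKET_DIR=/var/run/tlsrpt   # holds tlsrpt-collectd.socket (from the thread)

# Type-enforcement source (.te).
tlsrpt_te() {
  cat <<'EOF'
module tlsrpt 1.0;
require {
    type postfix_smtp_t;
    type unconfined_service_t;
    attribute file_type;
}
# Own type for the socket directory, so the grant does not extend to
# everything else labelled var_run_t.
type tlsrpt_var_run_t;
typeattribute tlsrpt_var_run_t file_type;
# Postfix's smtp client may open the socket file ...
allow postfix_smtp_t tlsrpt_var_run_t:sock_file write;
# ... and send datagrams to the process that owns it. The peer of a
# unix_dgram_socket is the receiving process's domain, not the file
# type; the audit log in this thread shows it as unconfined_service_t.
allow postfix_smtp_t unconfined_service_t:unix_dgram_socket sendto;
EOF
}

# File-context source (.fc): label the directory and everything in it.
tlsrpt_fc() {
  printf '%s(/.*)?\tsystem_u:object_r:tlsrpt_var_run_t:s0\n' "$SOCKET_DIR"
}

# Compile, package, load, then relabel: the steps a package %post runs.
install_tlsrpt_policy() {
  tmp=$(mktemp -d)
  tlsrpt_te > "$tmp/$MODULE.te"
  tlsrpt_fc > "$tmp/$MODULE.fc"
  checkmodule -M -m -o "$tmp/$MODULE.mod" "$tmp/$MODULE.te"
  semodule_package -o "$tmp/$MODULE.pp" -m "$tmp/$MODULE.mod" -f "$tmp/$MODULE.fc"
  semodule -i "$tmp/$MODULE.pp"
  restorecon -Rv "$SOCKET_DIR"
  rm -rf "$tmp"
}

if [ "${1:-}" = install ]; then install_tlsrpt_policy; fi
```

After the collector has recreated its socket, `ls -Z /var/run/tlsrpt` should show tlsrpt_var_run_t on the socket file; a fresh `ausearch -m AVC -c smtp` then confirms nothing further is denied.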