
I have to change my working platform from Ubuntu to CentOS 7.

My script is working fine on Ubuntu but not yet on CentOS.

My script is supposed to update the /tmp/CheckAccessRight.log file. When the script is executed manually, the "Write permission" is granted to the file.

test -w /tmp/CheckAccessRight.log

If the script is called via postfix, the "Write permission" is NOT granted to the file.

# cat /etc/aliases

check:  "|/home/owner/bin/CheckAccessRight.sh"

$ ls -l /etc/aliases*

-rw-r--r--. 1 root root  5730 Nov 10 11:53 /etc/aliases
-rw-r--r--. 1 root root 12288 Nov 10 11:53 /etc/aliases.db

$ ls -l /tmp/CheckAccessRight.log

-rw-rw-r--. 1 owner owner 7843 Nov 10 12:26 /tmp/CheckAccessRight.log

/etc/postfix/main.cf:default_privs = owner

Any idea?

$ sestatus

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
Fdv

1 Answer


I checked the audit log:

*grep CheckAccessRight.log  /var/log/audit/audit.log*

type=AVC msg=audit(1541841282.927:466): avc: denied { write } for pid=10383 comm="vismail-dispatc" name="CheckAccessRight.log" dev="dm-0" ino=16777285 scontext=system_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

*semanage permissive -a postfix_local_t*
*semodule -l | grep permissive*

permissive_postfix_local_t (null)

permissivedomains (null)

I am progressing, "Write permission" on file is NOW granted when used by postfix!

Seems to be OK!

Pierre.Vriens
Fdv
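
Added example (not part of the original answer): a small Python parser that reads `avc: denied` records like the one quoted above and reduces each to its source type, target type, class and permission, written in type-enforcement `allow` syntax. It shows how narrow the denied access is compared with `semanage permissive -a postfix_local_t`, which stops enforcement for the whole domain. The function names and the second sample record are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the denial quoted in the answer above, plus one
# made-up non-AVC record to show that other audit record types are skipped.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1541841282.927:466): avc: denied { write } for pid=10383 comm="vismail-dispatc" name="CheckAccessRight.log" dev="dm-0" ino=16777285 scontext=system_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1541841282.927:466): arch=c000003e syscall=2 success=no exit=-13 comm="vismail-dispatc"
'''

AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(':')[2]

def parse_avc_denials(log_text):
    """Yield one dict per 'avc: denied' record found in log_text."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. SYSCALL, PATH records)
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
        yield {
            'perms': m.group('perms').split(),
            'source': selinux_type(fields['scontext']),
            'target': selinux_type(fields['tcontext']),
            'tclass': fields['tclass'],
            'comm': fields.get('comm'),
            'name': fields.get('name'),
        }

def summarize(log_text):
    """Merge denials into one 'allow' line per (source, target, class)."""
    merged = defaultdict(set)
    for d in parse_avc_denials(log_text):
        merged[(d['source'], d['target'], d['tclass'])].update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules

if __name__ == '__main__':
    for rule in summarize(SAMPLE_AUDIT_LOG):
        print(rule)
```
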