Wednesday, January 11

CentOS/RHEL 7, SELinux prevents MailScanner from stopping sendmail processes

I configured MailScanner to work with Sendmail on CentOS 7; it works fine with SELinux disabled.
SELinux prevented it from working normally.
I used the "cat /var/log/audit/audit.log | audit2allow -M fixfile" method to make it work with SELinux enabled.

However, with SELinux enabled I still have a small problem. When I stop the MailScanner service, the "sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue" process keeps running until I kill it. With SELinux disabled/permissive there is no problem: all sendmail processes stop when I stop MailScanner.
I tried repeating the audit2allow method a few times, but still can't make MailScanner kill all sendmail processes when the service stops.

[root@mta3 ~]# getenforce
Enforcing
[root@mta3 ~]# ps -ef|grep -i mail
root      5743     1  0 15:46 ?        00:00:00 sendmail: accepting connections
smmsp     5747     1  0 15:46 ?        00:00:00 sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue
root      5751     1  0 15:46 ?        00:00:00 sendmail: Queue runner@00:15:00 for /var/spool/mqueue
root      5771     1  0 15:46 ?        00:00:00 MailScanner: master waiting for children, sleeping
root      5772  5771  4 15:46 ?        00:00:01 MailScanner: waiting for messages
root      5821  5771  6 15:46 ?        00:00:01 MailScanner: waiting for messages
root      5868  5771  7 15:46 ?        00:00:01 MailScanner: waiting for messages
root      5916  5771 11 15:47 ?        00:00:01 MailScanner: waiting for messages
root      5963  5771 20 15:47 ?        00:00:01 MailScanner: waiting for messages

[root@mta3 ~]# systemctl status MailScanner
● MailScanner.service - SYSV: MailScanner is an open-source E-Mail Gateway Virus Scanner.
   Loaded: loaded (/etc/rc.d/init.d/MailScanner; bad; vendor preset: disabled)
  Drop-In: /etc/systemd/system/MailScanner.service.d
           └─custom_script.conf
   Active: active (running) since Thu 2017-01-05 15:46:47 HKT; 13s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 5697 ExecStop=/etc/rc.d/init.d/MailScanner stop (code=exited, status=0/SUCCESS)
  Process: 5728 ExecStart=/etc/rc.d/init.d/MailScanner start (code=exited, status=0/SUCCESS)
 Main PID: 5771 (MailScanner: st)
   CGroup: /system.slice/MailScanner.service
           ├─5743 sendmail: accepting connections
           ├─5747 sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue
           ├─5751 sendmail: Queue runner@00:15:00 for /var/spool/mqueue
           ├─5771 MailScanner: starting children
           ├─5772 MailScanner: waiting for messages
           ├─5821 MailScanner: waiting for messages
           └─5868 MailScanner: waiting for messages

[root@mta3 ~]# systemctl stop MailScanner

[root@mta3 ~]# systemctl status MailScanner
● MailScanner.service - SYSV: MailScanner is an open-source E-Mail Gateway Virus Scanner.
   Loaded: loaded (/etc/rc.d/init.d/MailScanner; bad; vendor preset: disabled)
  Drop-In: /etc/systemd/system/MailScanner.service.d
           └─custom_script.conf
   Active: inactive (dead) since Thu 2017-01-05 15:47:44 HKT; 2min 45s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 6018 ExecStop=/etc/rc.d/init.d/MailScanner stop (code=exited, status=0/SUCCESS)
  Process: 5728 ExecStart=/etc/rc.d/init.d/MailScanner start (code=exited, status=0/SUCCESS)
 Main PID: 5771 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/MailScanner.service
           └─5747 sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue


[root@mta3 ~]# ps -ef|grep -i mail
smmsp     5747     1  0 15:46 ?        00:00:00 sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue

Solution:
I located the issue finally.

In the stop section of /etc/init.d/MailScanner, it kills the processes based on the PIDs in /var/run/*.pid.
Then I found that /var/run/sm-client.pid is blank when SELinux is enforcing.

Then I checked the start section of /etc/init.d/MailScanner, it starts sm-client with the following commands:

touch /var/run/sm-client.pid
chown smmsp:smmsp /var/run/sm-client.pid
/usr/sbin/sendmail -L sm-msp-queue -Ac -q15m -OPidFile=/var/run/sm-client.pid

SELinux prevented the sendmail process from writing /var/run/sm-client.pid; I don't know why audit2allow can't fix this.
Then I edited /etc/init.d/MailScanner and added "restorecon /var/run/sm-client.pid" right after the chown command to correct the permissions before sm-client starts.

It works now.

Final working code in /etc/init.d/MailScanner:
touch /var/run/sm-client.pid
chown $MSPUSER:$MSPGROUP /var/run/sm-client.pid 2>/dev/null
restorecon $SMPID
$SENDMAIL -L sm-msp-queue -Ac -q15m -OPidFile=$SMPID 2>/dev/null
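Because the stop section only kills what the PID files tell it about, a PID file the daemon could not write turns silently into an orphaned queue runner, which is exactly the symptom above. The helpers below are an added example, not code from the original post or from the MailScanner init script: they wrap the same touch/chown/restorecon/launch sequence with a check that the PID file actually received a PID, and filter ps -ef output for sendmail processes that survived a stop. The function names, the awk filter on the CMD column, and the command -v guard around restorecon are choices of this example; the smmsp user, /usr/sbin/sendmail and the sm-client command line are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post or the MailScanner init script).
# The stop section kills processes by the PIDs stored in /var/run/*.pid, so a
# PID file that sendmail could not write (here, because of its SELinux label)
# leaves a queue runner behind. These helpers make that failure visible.

# pidfile_ok PIDFILE
# Returns 0 only if PIDFILE exists, is non-empty and its first line is a
# numeric PID (a blank file, as seen with SELinux enforcing, fails here).
pidfile_ok() {
    [ -s "$1" ] || return 1
    pid=$(sed -n '1p' "$1" | tr -d '[:space:]')
    case $pid in
        '' | *[!0-9]*) return 1 ;;
    esac
    return 0
}

# relabel_pidfile PIDFILE
# Restores the default SELinux context when restorecon is available; on a host
# without SELinux tooling this is deliberately a no-op so the script stays portable.
relabel_pidfile() {
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$1"
    fi
}

# leftover_sendmail_pids < "ps -ef output"
# Prints the PID (column 2) of every sendmail process. Field 8 is the first
# word of the CMD column in ps -ef output. Run after a stop, any output is a
# process the init script failed to terminate.
leftover_sendmail_pids() {
    awk '$8 == "sendmail:" { print $2 }'
}

# start_sm_client PIDFILE
# The init script's start sequence (touch, chown, relabel, launch) followed by
# a check that the queue runner actually recorded its PID.
start_sm_client() {
    pidfile=$1
    touch "$pidfile"
    chown smmsp:smmsp "$pidfile" 2>/dev/null
    relabel_pidfile "$pidfile"
    /usr/sbin/sendmail -L sm-msp-queue -Ac -q15m -OPidFile="$pidfile" 2>/dev/null
    sleep 1   # give the daemon a moment to write its PID
    if ! pidfile_ok "$pidfile"; then
        echo "sm-client did not record its PID in $pidfile; check /var/log/audit/audit.log for AVC denials" >&2
        return 1
    fi
}

# Usage (as root on the gateway):
#   start_sm_client /var/run/sm-client.pid
#   systemctl stop MailScanner; ps -ef | leftover_sendmail_pids
```

The start-time check is the useful part: a non-zero return from start_sm_client points straight at the PID file instead of waiting for the next stop to leave a stray process, and the leftover_sendmail_pids filter gives a one-line verification after the restorecon fix that nothing from the clientmqueue runner remains.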