SELinux prevented it from working normally.
I used the "cat /var/log/audit/audit.log | audit2allow -M fixfile" method to make it work with SELinux enabled.
However, with SELinux enabled I still had a small problem. When I stop the MailScanner service, the "sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue" process keeps running until I kill it. With SELinux disabled/permissive there is no problem: all sendmail processes stop when I stop MailScanner.
I tried repeating the audit2allow method a few times, but still could not make MailScanner kill all sendmail processes when the service stops.
[root@mta3 ~]# getenforce
Enforcing
[root@mta3 ~]# ps -ef|grep -i mail
root 5743 1 0 15:46 ? 00:00:00 sendmail: accepting connections
smmsp 5747 1 0 15:46 ? 00:00:00 sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue
root 5751 1 0 15:46 ? 00:00:00 sendmail: Queue runner@00:15:00 for /var/spool/mqueue
root 5771 1 0 15:46 ? 00:00:00 MailScanner: master waiting for children, sleeping
root 5772 5771 4 15:46 ? 00:00:01 MailScanner: waiting for messages
root 5821 5771 6 15:46 ? 00:00:01 MailScanner: waiting for messages
root 5868 5771 7 15:46 ? 00:00:01 MailScanner: waiting for messages
root 5916 5771 11 15:47 ? 00:00:01 MailScanner: waiting for messages
root 5963 5771 20 15:47 ? 00:00:01 MailScanner: waiting for messages
[root@mta3 ~]# systemctl status MailScanner
● MailScanner.service - SYSV: MailScanner is an open-source E-Mail Gateway Virus Scanner.
Loaded: loaded (/etc/rc.d/init.d/MailScanner; bad; vendor preset: disabled)
Drop-In: /etc/systemd/system/MailScanner.service.d
└─custom_script.conf
Active: active (running) since Thu 2017-01-05 15:46:47 HKT; 13s ago
Docs: man:systemd-sysv-generator(8)
Process: 5697 ExecStop=/etc/rc.d/init.d/MailScanner stop (code=exited, status=0/SUCCESS)
Process: 5728 ExecStart=/etc/rc.d/init.d/MailScanner start (code=exited, status=0/SUCCESS)
Main PID: 5771 (MailScanner: st)
CGroup: /system.slice/MailScanner.service
├─5743 sendmail: accepting connections
├─5747 sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue
├─5751 sendmail: Queue runner@00:15:00 for /var/spool/mqueue
├─5771 MailScanner: starting children
├─5772 MailScanner: waiting for messages
├─5821 MailScanner: waiting for messages
└─5868 MailScanner: waiting for messages
[root@mta3 ~]# systemctl stop MailScanner
[root@mta3 ~]# systemctl status MailScanner
● MailScanner.service - SYSV: MailScanner is an open-source E-Mail Gateway Virus Scanner.
Loaded: loaded (/etc/rc.d/init.d/MailScanner; bad; vendor preset: disabled)
Drop-In: /etc/systemd/system/MailScanner.service.d
└─custom_script.conf
Active: inactive (dead) since Thu 2017-01-05 15:47:44 HKT; 2min 45s ago
Docs: man:systemd-sysv-generator(8)
Process: 6018 ExecStop=/etc/rc.d/init.d/MailScanner stop (code=exited, status=0/SUCCESS)
Process: 5728 ExecStart=/etc/rc.d/init.d/MailScanner start (code=exited, status=0/SUCCESS)
Main PID: 5771 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/MailScanner.service
└─5747 sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue
[root@mta3 ~]# ps -ef|grep -i mail
smmsp 5747 1 0 15:46 ? 00:00:00 sendmail: Queue runner@00:15:00 for /var/spool/clientmqueue
Solution:
I finally located the issue.
In the stop section of /etc/init.d/MailScanner, it kills the processes based on the PIDs in /var/run/*.pid.
Then I found that /var/run/sm-client.pid is blank if SELinux is enforcing.
Then I checked the start section of /etc/init.d/MailScanner; it starts sm-client with the following commands:
touch /var/run/sm-client.pid
chown smmsp:smmsp /var/run/sm-client.pid
/usr/sbin/sendmail -L sm-msp-queue -Ac -q15m -OPidFile=/var/run/sm-client.pid
SELinux prevented the sendmail process from writing /var/run/sm-client.pid; I don't know why audit2allow can't fix this.
Then I edited /etc/init.d/MailScanner and added "restorecon /var/run/sm-client.pid" right after the chown command, to correct the permission before sm-client starts.
It works now.
Finally, the working code in /etc/init.d/MailScanner:
touch /var/run/sm-client.pid
chown $MSPUSER:$MSPGROUP /var/run/sm-client.pid 2>/dev/null
restorecon $SMPID
$SENDMAIL -L sm-msp-queue -Ac -q15m -OPidFile=$SMPID 2>/dev/null
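The mechanism behind the fix above: a file created by root with touch in /var/run inherits the directory's default type (var_run_t), while the confined sendmail domain may only write PID files of the type the policy assigns to that path (sendmail_var_run_t in the stock RHEL 7 policy; confirm with matchpathcon on your own host). restorecon relabels the single file to what the policy already expects, which is a much narrower change than the rule audit2allow would generate, since that rule would let sendmail_t write to every var_run_t file. The shell functions below, added here as an example and not taken from the post or from the MailScanner init script, show how to check for that mismatch before starting the daemon. The helper names, the hypothetical PID-file path and the sample AVC line are all constructed for the example; the block only calls the SELinux tools when getenforce, restorecon and matchpathcon are present.

```shell
#!/bin/sh
# Added example (not from the original post): check that a PID file carries
# the type the SELinux policy expects before a confined daemon is told to
# write to it, and relabel it with restorecon rather than loosening policy.

# Third colon-separated field of a context string is the type, e.g.
# "system_u:object_r:var_run_t:s0" -> "var_run_t".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed when two contexts agree on type (user/role/level are ignored).
types_match() {
    [ "$(context_type "$1")" = "$(context_type "$2")" ]
}

# Pull the target type out of an AVC denial line from /var/log/audit/audit.log.
# A constructed line looks like:
#   type=AVC msg=audit(...): avc: denied { write } for pid=1 comm="sendmail"
#   name="sm-client.pid" scontext=system_u:system_r:sendmail_t:s0
#   tcontext=system_u:object_r:var_run_t:s0 tclass=file
avc_target_type() {
    printf '%s\n' "$1" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p' | cut -d: -f3
}

# True only when the SELinux userland is installed and the policy is loaded.
selinux_active() {
    command -v getenforce >/dev/null 2>&1 &&
    command -v restorecon >/dev/null 2>&1 &&
    command -v matchpathcon >/dev/null 2>&1 &&
    [ "$(getenforce)" != "Disabled" ]
}

# Create the PID file the way the init script does (touch + chown), then
# relabel it and refuse to continue if the label still disagrees with the
# policy. Arguments: path of the PID file, owner in user:group form.
prepare_pidfile() {
    pidfile=$1
    owner=$2
    touch "$pidfile" || return 1
    chown "$owner" "$pidfile" || return 1
    if selinux_active; then
        restorecon "$pidfile" || return 1
        actual=$(stat -c %C "$pidfile")          # current file context
        expected=$(matchpathcon -n "$pidfile")   # context the policy wants
        if ! types_match "$actual" "$expected"; then
            echo "label mismatch on $pidfile: have $actual, policy expects $expected" >&2
            return 1
        fi
    fi
    return 0
}

# Example use (hypothetical path and owner):
#   prepare_pidfile /var/run/sm-client.pid smmsp:smmsp || exit 1
#   /usr/sbin/sendmail -L sm-msp-queue -Ac -q15m -OPidFile=/var/run/sm-client.pid
```

If restorecon leaves the type unchanged, the policy has no file context for that path and the right fix is a one-time `semanage fcontext -a` entry followed by restorecon, still without adding an allow rule for the daemon's domain.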