SELINUX: restorecon cut my server from accessing POP

kharvatis
Posts: 13
Joined: 2018/11/12 08:11:00
Location: Greece

SELINUX: restorecon cut my server from accessing POP

Post by kharvatis » 2022/04/29 07:12:07

Hi all.

After messing up my selinux configuration, I ended up with mysql not running. Restorecon fixed that, but I ended up with my apache not being able to access POP servers on the outside world. And now my customer support software is sitting idle not fetching messages.

In the first place I still don't know what I did wrong. My first problem was not being able to send email from certain SMTP relays. So I started trying things; ended up trying to disable selinux altogether. Then mysql broke. I fixed that with restorecon, but ended up with the POP problem (sending through the old SMTP still works). Current sestatus is

    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Max kernel policy version:      31

and I have no idea how to troubleshoot this situation. Any ideas?

(And after that, I will still have my initial problem of not being able to access certain SMTPs...)

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELINUX: restorecon cut my server from accessing POP

Post by TrevorH » 2022/04/29 13:02:09

Check the output from getsetbool -a | grep httpd_can_network and see if there is a boolean you forgot to set persistent.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Whoever
Posts: 1361
Joined: 2013/09/06 03:12:10

Re: SELINUX: restorecon cut my server from accessing POP

Post by Whoever » 2022/04/30 18:27:44

TrevorH wrote (2022/04/29 13:02:09):
    Check the output from getserbool -a | grep httpd_can_network and see if there is a boolean you forgot to set persistent.

    getsebool -a | grep httpd_can_network

There is no "r" in getsebool.
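The check TrevorH describes, written up as an added shell example (this is not code from the thread): it parses `semanage boolean -l` output, which lists each boolean as `name (current , persistent) description`, and reports any httpd_can_network_* boolean whose runtime value differs from its persistent default, i.e. one flipped with setsebool but without -P. The sample output below is constructed; against the real command it needs root.

```shell
#!/bin/sh
# Added example, not from the thread. Finds SELinux booleans whose runtime
# state differs from the persistent default, which is what a boolean set with
# `setsebool` but without `-P` looks like until the next reboot undoes it.
#
# `semanage boolean -l` prints one line per boolean:
#   name   (current , persistent)  description
# Constructed sample standing in for real `semanage boolean -l` output:
SAMPLE_SEMANAGE='SELinux boolean                State  Default Description
httpd_can_network_connect      (on   ,  off)  Allow httpd to can network connect
httpd_can_network_connect_db   (off  ,  off)  Allow httpd to can network connect db
httpd_can_network_relay        (off  ,   on)  Allow httpd to can network relay
httpd_can_sendmail             (on   ,   on)  Allow httpd to can sendmail'

# Read `semanage boolean -l` output on stdin and print "name current persistent"
# for every boolean whose two states differ. An optional argument restricts the
# report to booleans whose name starts with that prefix.
unpersisted_booleans() {
    awk -v prefix="${1:-}" '
        $2 ~ /^\(/ {
            name = $1
            line = $0
            gsub(/[(),]/, " ", line)      # "(on , off)" -> " on   off "
            split(line, f)
            cur = f[2]; def = f[3]
            if (cur != def && (prefix == "" || index(name, prefix) == 1))
                print name, cur, def
        }'
}

# Turn that report into the `setsebool -P` commands that would make the
# running value persistent (printed for review, not executed).
persist_commands() {
    unpersisted_booleans "$@" | awk '{ print "setsebool -P", $1, $2 }'
}

# Stand-alone run: use the real command when present and we are root,
# otherwise the constructed sample above.
if command -v semanage >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    semanage boolean -l | unpersisted_booleans httpd_can_network
else
    printf '%s\n' "$SAMPLE_SEMANAGE" | unpersisted_booleans httpd_can_network
fi
```

On the sample this reports httpd_can_network_connect (on at runtime, off persistently) and httpd_can_network_relay (the reverse); a boolean that shows as on in `getsebool -a` but off here is exactly the "forgot to set persistent" case.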

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELINUX: restorecon cut my server from accessing POP

Post by TrevorH » 2022/04/30 18:58:27

One day, I must learn to type.

kharvatis
Posts: 13
Joined: 2018/11/12 08:11:00
Location: Greece

Re: SELINUX: restorecon cut my server from accessing POP

Post by kharvatis » 2022/05/06 06:45:06

Hi all! I am sorry for such a delayed reply, but since then my server is messed up, giving me all kinds of trouble (including not reaching certain SMTP servers, not curling certain sites) and my software is down (not being able to reach its license, curl error 6) with company-wide effects. I'll be back :(

BTW:
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off

kharvatis
Posts: 13
Joined: 2018/11/12 08:11:00
Location: Greece

Re: SELINUX: restorecon cut my server from accessing POP

Post by kharvatis » 2022/05/06 07:12:00

...so after thinking about it, perhaps a much more useful question would be this:

I started by disabling the firewall (because server couldn't reach certain SMTP servers --not POP, that came afterwards)
- sudo setenforce 0
- /etc/selinux/config >> SELINUX=disabled
- restart

Seeing that there is no change in my SMTP problem, I get the firewall back to its previous condition, reversing above step & setenforce 1.

Then... everything breaks! First and most important symptom is the POP problem. So I panic and start tracing back the errors I'm getting, and in the process I perform several restorecon and chcon commands, trying to get Apache back in working order.

I'm ending up in a better place, although still having my initial SMTP issue. I have POP again, but... my software seems not to be able to curl. I can ping & curl from the terminal, but my software can't. And while I'm trying as we speak to resolve that, my question would be:
If someone messes up selinux without knowing 100% what they're doing (restorecon...) how would one bring the firewall back in its initial or default state?

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: SELINUX: restorecon cut my server from accessing POP

Post by jlehtone » 2022/05/06 07:58:59

SELinux is not usually called "firewall". The "firewall" does filter network traffic and is a separate subsystem. They are separate layers of defence.

SELinux has a database of rules. The 'restorecon' restores the SE contexts of files to match what the rules say. In other words, the restorecon restores file attributes "to defaults". Obviously, if you update rules first (with semanage), then you have "new default".

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELINUX: restorecon cut my server from accessing POP

Post by TrevorH » 2022/05/06 08:17:50

kharvatis wrote:
    - sudo setenforce 0
    - /etc/selinux/config >> SELINUX=disabled
    - restart

Steps 2 & 3 were unnecessary as setenforce 0 already did everything you needed to know. And selinux has nothing to do with firewalls - for that it is iptables. If using setenforce 0 did not solve your problem then the problem is not with selinux.

However, if you do steps 2 & 3 above then you cannot simply reverse them like that as anything created while it was disabled will have no selinux contexts and anything that tries to access those things will fail. To properly reverse disabling selinux you must change the config file to permissive then reboot then also touch /.autorelabel && reboot then set it enabled in the config again and reboot again. This is why it's such a good idea NOT to do steps 2 & 3!
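TrevorH's recovery sequence as an added shell example (not code from the thread): the part that is safe to script is editing the SELINUX= line in /etc/selinux/config and verifying it took; the reboots and the /.autorelabel touch are shown as steps rather than executed, because each needs the reboot before the next. The demo runs on a temporary copy of a constructed config file, so it does not touch the real system.

```shell
#!/bin/sh
# Added example, not from the thread. Edits the SELINUX= line of an
# /etc/selinux/config-style file and verifies the result, so the re-enable
# sequence (permissive -> reboot -> autorelabel -> reboot -> enforcing -> reboot)
# can be followed without a hand-editing slip leaving the box in the wrong mode.
#
# Constructed sample of /etc/selinux/config:
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these values:
SELINUXTYPE=targeted'

# Print the SELINUX= value from a config file; commented lines are ignored and
# the last uncommented assignment wins.
selinux_config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite the SELINUX= line (or append one if missing). Refuses anything but
# the three valid modes and confirms the file now says what was asked.
set_selinux_config_mode() {
    file="$1"; mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "set_selinux_config_mode: invalid mode '$mode'" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    if grep -q '^SELINUX=' "$file"; then
        sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp"
    else
        { cat "$file"; printf 'SELINUX=%s\n' "$mode"; } > "$tmp"
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"
    [ "$(selinux_config_mode "$file")" = "$mode" ]
}

# The sequence from the thread as root would apply it to the real file. Each
# line needs the reboot before the next one, so it is printed, not run.
reenable_sequence() {
    cat <<'EOF'
set_selinux_config_mode /etc/selinux/config permissive && reboot
touch /.autorelabel && reboot          # relabel everything created while disabled
set_selinux_config_mode /etc/selinux/config enforcing && reboot
EOF
}

# Stand-alone demo on a temporary copy of the constructed config.
demo_config=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$demo_config"
echo "before: $(selinux_config_mode "$demo_config")"
set_selinux_config_mode "$demo_config" permissive
echo "after:  $(selinux_config_mode "$demo_config")"
rm -f "$demo_config"
```

Going through permissive first matters: the relabel runs with policy loaded but nothing denied, so a file that still carries no label cannot block the boot that is labelling it.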

kharvatis
Posts: 13
Joined: 2018/11/12 08:11:00
Location: Greece

Re: SELINUX: restorecon cut my server from accessing POP

Post by kharvatis » 2022/05/06 09:19:50

Thank you guys! Need to study more...

However, my brain is melting because I still can't figure out what-is-blocking-what, and both points of possible conflict (my Cisco ASA firewall and the software & its support agent) claim that it is not their fault. Which I can -more or less- verify (I've opened all IP traffic on ASA, and I can curl from the terminal), so instinct says that it's something *I* broke within my Centos with the above messing with SEL.

Could it be possible that I myself can curl, and at the same time httpd cannot?

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELINUX: restorecon cut my server from accessing POP

Post by TrevorH » 2022/05/06 09:37:41

If you re-run setenforce 0 and retest and the problem still exists then the problem is not selinux.

So the problem you are experiencing is that you have some software that runs under Apache httpd and attempts to connect to a POP mailbox on port 110 or 995? How does it do that? Does it use libcurl or does it invoke a shell and call the curl command directly?
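The distinction TrevorH's question points at, between "I can curl from a shell" (an unconfined domain) and "httpd can curl" (httpd_t), shows up in the audit log as AVC name_connect denials against httpd_t. An added shell example, not code from the thread, that pulls those out of audit.log lines and reports which process tried to reach which port type; the log lines are constructed. If the software still fails under setenforce 0 and this reports nothing, the cause is elsewhere, as TrevorH says.

```shell
#!/bin/sh
# Added example, not from the thread. Extracts SELinux name_connect denials
# raised against httpd_t from audit.log lines, so "the shell can curl but httpd
# cannot" can be confirmed or ruled out from the log rather than guessed.
#
# Constructed sample audit.log lines (pids, timestamps and serials made up).
# The SYSCALL line mentions httpd too but is not an AVC record, so it must
# not be counted.
SAMPLE_AUDIT='type=AVC msg=audit(1651219200.123:4567): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=995 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1651219200.123:4567): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1651219201.456:4568): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=587 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1651219202.789:4569): avc:  denied  { read } for  pid=1234 comm="httpd" name="config.php" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1651219203.000:4570): avc:  denied  { name_connect } for  pid=999 comm="php-fpm" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# Read audit.log lines on stdin; print "comm dest target_type" for each
# name_connect denial whose source domain is httpd_t.
httpd_connect_denials() {
    awk '
        /^type=AVC / && /denied +[{] name_connect [}]/ && /scontext=[^ ]*:httpd_t:/ {
            comm = ""; dest = ""; ttype = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/) {
                    comm = substr($i, 6); gsub(/"/, "", comm)
                } else if ($i ~ /^dest=/) {
                    dest = substr($i, 6)
                } else if ($i ~ /^tcontext=/) {
                    split(substr($i, 10), ctx, ":"); ttype = ctx[3]   # user:role:TYPE:level
                }
            }
            print comm, dest, ttype
        }'
}

# Count denials per target port type, so the port label involved is known
# before deciding whether a boolean or a port label is the right fix.
denials_by_port_type() {
    httpd_connect_denials | awk '{ n[$3]++ } END { for (t in n) print n[t], t }' | sort -rn
}

# Stand-alone run: the real log when readable (root), otherwise the sample.
if [ -r /var/log/audit/audit.log ]; then
    httpd_connect_denials < /var/log/audit/audit.log
else
    printf '%s\n' "$SAMPLE_AUDIT" | httpd_connect_denials
fi
```

On the sample this yields three connect denials, two from httpd (pop_port_t on 995, smtp_port_t on 587) and one from php-fpm to mysqld_port_t; the file read denial is a different class of problem (a restorecon/chcon matter) and is deliberately left out of this report.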
