SELinux enabled

hbatelaan
Posts: 10
Joined: Fri Mar 31, 2017 10:24 am

SELinux enabled

Postby hbatelaan » Wed Jun 07, 2017 5:57 pm

Hi all,

Is it possible to have SELinux enabled on a machine with a Zimbra installation? If so, how?

I'm running CentOS 7 with Zimbra 8.7.10 GA.

Thanks and regards,
Henk


hbatelaan
Posts: 10
Joined: Fri Mar 31, 2017 10:24 am

Re: SELinux enabled

Postby hbatelaan » Mon Jun 12, 2017 7:32 am

Any feedback is greatly appreciated.
DualBoot
Elite member
Posts: 1073
Joined: Mon Apr 18, 2016 8:18 pm
Location: Earth
ZCS/ZD Version: ZCS FLOSS - 8.7.11 Multi servers

Re: SELinux enabled

Postby DualBoot » Mon Jul 10, 2017 8:44 pm

Yes, you can, and SELinux is enabled by default.
hbatelaan
Posts: 10
Joined: Fri Mar 31, 2017 10:24 am

Re: SELinux enabled

Postby hbatelaan » Mon Jul 31, 2017 12:37 pm

Hi! Thank you for your feedback. All walkthroughs I've found, a couple of months ago, said to disable SELinux. Both Linux and Zimbra were new to me at the time, so I just followed the walkthroughs and disabled SELinux. You are saying it can be enabled? I can just enable SELinux without any problems?
hbatelaan
Posts: 10
Joined: Fri Mar 31, 2017 10:24 am

Re: SELinux enabled

Postby hbatelaan » Tue Aug 01, 2017 9:01 am

Enabled SELinux, rebooted, checked that SELinux is enforcing, checked Zimbra services, checked mailflows, webmail, website, etc. All seems to be working. Thanks.
DualBoot
Elite member
Posts: 1073
Joined: Mon Apr 18, 2016 8:18 pm
Location: Earth
ZCS/ZD Version: ZCS FLOSS - 8.7.11 Multi servers

Re: SELinux enabled

Postby DualBoot » Tue Aug 01, 2017 4:47 pm

Zimbra advises disabling SELinux, but as for me, I always keep the default SELinux configuration.
Regards,
iodisciple
Posts: 20
Joined: Mon Oct 09, 2017 2:38 pm
Location: Rotterdam
ZCS/ZD Version: Zimbra 8.7.11_GA_1854

Re: SELinux enabled

Postby iodisciple » Thu Oct 26, 2017 2:09 pm

I've discovered that a lot of people don't get SELinux and therefore disable it. This is not only concerning Zimbra, but a lot of stuff. When you do some reading though like here:
https://wiki.centos.org/HowTos/SELinux

some looking around and some testing, you discover that SELinux is not THAT hard and has some great logging features (which tell you what the problem is and how to potentially solve it). For Zimbra, looking at the logs, I've found out that Zimbra logging won't work 100% when SELinux is enforcing. It is easily solvable though.

I can recommend this entry level course that explains the fundamentals:
https://app.pluralsight.com/library/cou ... f-contents
juan_urtiaga
Posts: 5
Joined: Mon Jan 23, 2017 7:44 pm

Re: SELinux enabled

Postby juan_urtiaga » Thu Aug 22, 2019 4:08 pm

Hello,

In my opinion, enabling SELinux is generally relatively easy, but... making sure everything else works afterwards is not. And Zimbra is no exception.

First you should enable SELinux and restart the server. Depending on your filesystem, it can take several minutes for SELinux to label every file.
Now you have SELinux auditing the Zimbra processes and generating logs. Now you should reproduce all the critical situations (restart services, send mails, access through every protocol, admin console).

In my case I found many "deny" entries in the logs. Based on these denies, you should generate new SELinux policy to enable the Zimbra processes to do their job.
This is not easy, but there are some helpful tools. In my case they did not work for every alert.

yum install setroubleshoot setools
sealert -a /var/log/audit/audit.log

After adding the policies, repeat the test and report until you don't see deny in the logs.

[root@server ~]$ sealert -a /var/log/audit/audit.log
100% done found 0 alerts in /var/log/audit/audit.log

Finally, change the SELinux mode to enforcing.

Good Luck!
Regards,
Juan
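
The review loop described in the post above (reproduce the critical situations, read the denials, add policy, repeat until none remain) can be triaged with a small summary of the audit log. This is an added example, not part of any post in this thread; the function names are hypothetical and the sample records are constructed, not taken from a real Zimbra host.

```shell
#!/bin/sh
# Added example: group SELinux AVC denials so each distinct problem shows once.

# Constructed sample audit records (illustrative values only).
sample_audit_log() {
  cat <<'EOF'
type=AVC msg=audit(1566489600.101:201): avc:  denied  { write } for  pid=1201 comm="rsyslogd" name="example.log" dev="dm-0" ino=4001 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1566489600.101:201): arch=c000003e syscall=2 success=yes exit=3 comm="rsyslogd"
type=AVC msg=audit(1566489660.202:215): avc:  denied  { name_connect } for  pid=1302 comm="nginx" dest=50000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1566489720.303:230): avc:  denied  { write } for  pid=1201 comm="rsyslogd" name="example.log" dev="dm-0" ino=4001 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
EOF
}

# Print "<count> <comm> <source type> -> <target type> <class> {<perms>}",
# one line per distinct denial, most frequent first. Reads audit text on stdin.
summarize_avc() {
  awk '
    /type=AVC/ && /denied/ {
      comm = st = tt = cls = perms = ""
      # The denied permissions sit between "{" and "}".
      s = index($0, "{"); e = index($0, "}")
      if (s && e > s) { perms = substr($0, s + 1, e - s - 1); gsub(/^ +| +$/, "", perms) }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
        # Contexts are user:role:type:level; the type is the third part.
        if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
        if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
      }
      n[comm " " st " -> " tt " " cls " {" perms "}"]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k1,1nr -k2
}

# Number of denial records on stdin; the loop is finished when this is 0.
count_denials() {
  grep -c 'type=AVC.*denied' || true
}

# On a real host (as root): summarize_avc < /var/log/audit/audit.log
```

Records with `permissive=1` were logged but not blocked, so a non-empty summary while still in permissive mode lists what would break once the mode is switched to enforcing.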
