Hi all,
Is it possible to have SELinux enabled on a machine with a Zimbra installation? If so, how?
I'm running CentOS 7 with Zimbra 8.7.10 GA.
Thanks and regards,
Henk
SELinux enabled
Re: SELinux enabled
Any feedback is greatly appreciated.
- DualBoot
- Elite member
- Posts: 1326
- Joined: Mon Apr 18, 2016 8:18 pm
- Location: France - Earth
- ZCS/ZD Version: ZCS FLOSS - 8.8.15 Mutli servers
- Contact:
Re: SELinux enabled
Yes you can and SElinux is enabled by default.
Re: SELinux enabled
Hi! Thank you for your feedback. All walkthroughs I've found, a couple of months ago, said to disable SELinux. Both Linux and Zimbra were new to me at the time, so I just followed the walkthroughs and disabled SELinux. You are saying it can be enabled? I can just enable SELinux without any problems?
Re: SELinux enabled
Enabled SELinux, rebooted, checked that SELInux is enforcing, checked Zimbra services, checked mailflows, webmail, website, etc. All seems to be working. Thanks.
- DualBoot
- Elite member
- Posts: 1326
- Joined: Mon Apr 18, 2016 8:18 pm
- Location: France - Earth
- ZCS/ZD Version: ZCS FLOSS - 8.8.15 Mutli servers
- Contact:
Re: SELinux enabled
Zimbra advise about disabling SELinux, but for me I always let the default SELinux configuration.
Regards,
Regards,
- iodisciple
- Posts: 20
- Joined: Mon Oct 09, 2017 2:38 pm
- Location: Rotterdam
- ZCS/ZD Version: Zimbra 8.7.11_GA_1854
Re: SELinux enabled
I've discovered that a lot of people don't get SELinux and therefore disable it. This is not only concerning Zimbra, but a lot of stuff. When you do some reading though like here:
https://wiki.centos.org/HowTos/SELinux
some looking around and some testing, you discover that SELinux is not THAT hard and had some great logging features (which tell you what is the problem and how to potentially solve it). For Zimbra, looking at the logs, I've found out that Zimbra logging won't work 100% when SELinux is enforcing. It is easily solvable though.
I can recommend this entry level course that explains the fundamentals:
https://app.pluralsight.com/library/cou ... f-contents
https://wiki.centos.org/HowTos/SELinux
some looking around and some testing, you discover that SELinux is not THAT hard and had some great logging features (which tell you what is the problem and how to potentially solve it). For Zimbra, looking at the logs, I've found out that Zimbra logging won't work 100% when SELinux is enforcing. It is easily solvable though.
I can recommend this entry level course that explains the fundamentals:
https://app.pluralsight.com/library/cou ... f-contents
-
- Posts: 10
- Joined: Mon Jan 23, 2017 7:44 pm
- Location: Uruguay
Re: SELinux enabled
Hello,
In my opinion generally enable Selinux is relative easy but.... to be sure everything else working after is not. And Zimbra is not the exception.
First you should enable selinux and restart the server. Depending on your filesystem it can take several minutes to selinux label every file.
Now you have the selinux auditing the zimbra processes and generating logs. Now you should reproduce all the critical situations (Restart services, send mails, access though every protocol, admin console)
In my case I found many "deny" on the logs. Based on this deny you should generate new selinux policy to enable zimbra processes to their job.
This is not easy, but there are some helpful tools. Im my case did not worked for every alert.
yum install setroubleshoot setools
sealert -a /var/log/audit/audit.log
After adding the policies repeat the test and report until you don't see deny in the logs.
[root@server ~]$ sealert -a /var/log/audit/audit.log
100% done found 0 alerts in /var/log/audit/audit.log
Finally change selinux mode to enforcing.
Good Luck!
Regards,
Juan
In my opinion generally enable Selinux is relative easy but.... to be sure everything else working after is not. And Zimbra is not the exception.
First you should enable selinux and restart the server. Depending on your filesystem it can take several minutes to selinux label every file.
Now you have the selinux auditing the zimbra processes and generating logs. Now you should reproduce all the critical situations (Restart services, send mails, access though every protocol, admin console)
In my case I found many "deny" on the logs. Based on this deny you should generate new selinux policy to enable zimbra processes to their job.
This is not easy, but there are some helpful tools. Im my case did not worked for every alert.
yum install setroubleshoot setools
sealert -a /var/log/audit/audit.log
After adding the policies repeat the test and report until you don't see deny in the logs.
[root@server ~]$ sealert -a /var/log/audit/audit.log
100% done found 0 alerts in /var/log/audit/audit.log
Finally change selinux mode to enforcing.
Good Luck!
Regards,
Juan