SELinux enabled

hbatelaan
Posts: 10
Joined: Fri Mar 31, 2017 10:24 am

SELinux enabled

Post by hbatelaan »

Hi all,

Is it possible to have SELinux enabled on a machine with a Zimbra installation? If so, how?

I'm running CentOS 7 with Zimbra 8.7.10 GA.

Thanks and regards,
Henk
hbatelaan
Posts: 10
Joined: Fri Mar 31, 2017 10:24 am

Re: SELinux enabled

Post by hbatelaan »

Any feedback is greatly appreciated.
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Multi servers

Re: SELinux enabled

Post by DualBoot »

Yes, you can, and SELinux is enabled by default.
hbatelaan
Posts: 10
Joined: Fri Mar 31, 2017 10:24 am

Re: SELinux enabled

Post by hbatelaan »

Hi! Thank you for your feedback. All walkthroughs I've found, a couple of months ago, said to disable SELinux. Both Linux and Zimbra were new to me at the time, so I just followed the walkthroughs and disabled SELinux. You are saying it can be enabled? I can just enable SELinux without any problems?
hbatelaan
Posts: 10
Joined: Fri Mar 31, 2017 10:24 am

Re: SELinux enabled

Post by hbatelaan »

Enabled SELinux, rebooted, checked that SELinux is enforcing, checked Zimbra services, checked mail flows, webmail, website, etc. All seems to be working. Thanks.
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Multi servers

Re: SELinux enabled

Post by DualBoot »

Zimbra advises disabling SELinux, but for my part I always leave the default SELinux configuration.
Regards,
iodisciple
Posts: 20
Joined: Mon Oct 09, 2017 2:38 pm
Location: Rotterdam
ZCS/ZD Version: Zimbra 8.7.11_GA_1854

Re: SELinux enabled

Post by iodisciple »

I've discovered that a lot of people don't get SELinux and therefore disable it. This doesn't only concern Zimbra, but a lot of stuff. When you do some reading, though, like here:
https://wiki.centos.org/HowTos/SELinux

some looking around and some testing, you discover that SELinux is not THAT hard and has some great logging features (which tell you what the problem is and how to potentially solve it). For Zimbra, looking at the logs, I've found out that Zimbra logging won't work 100% when SELinux is enforcing. It is easily solvable though.

I can recommend this entry-level course that explains the fundamentals:
https://app.pluralsight.com/library/cou ... f-contents
juan_urtiaga
Posts: 10
Joined: Mon Jan 23, 2017 7:44 pm
Location: Uruguay

Re: SELinux enabled

Post by juan_urtiaga »

Hello,

In my opinion, enabling SELinux is generally relatively easy, but making sure everything else is working afterwards is not. And Zimbra is no exception.

First you should enable SELinux and restart the server. Depending on your filesystem, it can take several minutes for SELinux to label every file.
Now you have SELinux auditing the Zimbra processes and generating logs. Now you should reproduce all the critical situations (restart services, send mails, access through every protocol, admin console).

In my case I found many "deny" entries in the logs. Based on these denies, you should generate new SELinux policy to allow the Zimbra processes to do their job.
This is not easy, but there are some helpful tools. In my case they did not work for every alert.

yum install setroubleshoot setools
sealert -a /var/log/audit/audit.log

After adding the policies, repeat the test and the report until you don't see any deny in the logs.

[root@server ~]$ sealert -a /var/log/audit/audit.log
100% done found 0 alerts in /var/log/audit/audit.log

Finally, change the SELinux mode to enforcing.

Good Luck!
Regards,
Juan
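
The review of "deny" entries described in the post above, as an added example that is not part of the thread: a shell function that groups AVC denials from an audit log by process, SELinux types, object class and permissions, so each distinct denial appears once with a count. The function names `avc_summary` and `sample_audit_log` are assumptions, and the sample records are constructed rather than taken from a real Zimbra server.

```shell
#!/bin/sh
# Added example (not from the thread): group SELinux AVC denials in an
# audit log so each distinct denial shows up once, with a count.

# Constructed sample records, not taken from a real Zimbra server.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1500000001.101:201): avc:  denied  { read } for  pid=2101 comm="rsyslogd" name="zimbra.log" dev="dm-0" ino=1001 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1500000001.101:201): arch=c000003e syscall=2 success=yes exit=3 comm="rsyslogd"
type=AVC msg=audit(1500000009.507:244): avc:  denied  { read } for  pid=2101 comm="rsyslogd" name="zimbra.log" dev="dm-0" ino=1001 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1500000020.002:260): avc:  denied  { open getattr } for  pid=3300 comm="nginx" path="/opt/example/file" dev="dm-0" ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1500000031.900:271): avc:  denied  { name_bind } for  pid=3400 comm="java" src=7071 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
EOF
}

# avc_summary [FILE]: reads FILE (or stdin) and prints
# "count comm source_type target_type class perms permissive=N".
avc_summary() {
    awk '
    function val(key,    s) {    # value after " key=", quotes stripped
        if (!match($0, "(^| )" key "=[^ ]+")) return "-"
        s = substr($0, RSTART, RLENGTH)
        sub("^ ?" key "=", "", s); gsub(/"/, "", s)
        return s
    }
    function setype(ctx,    p) { # a context is user:role:type:level
        split(ctx, p, ":")
        return (p[3] == "" ? "-" : p[3])
    }
    /^type=AVC / && /avc: +denied/ {
        perms = "-"
        if (match($0, /[{] [^}]* [}]/))
            perms = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, ",", perms)
        k = val("comm") " " setype(val("scontext")) " " setype(val("tcontext"))
        k = k " " val("tclass") " " perms " permissive=" val("permissive")
        n[k]++
    }
    END { for (k in n) print n[k], k }
    ' "${1:--}" | sort -k1,1nr -k2
}

sample_audit_log | avc_summary
```

On a real server, pass `/var/log/audit/audit.log` as the argument. Records with `permissive=1` were logged but not blocked, and `permissive=-` means the record carried no such field.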