
Bug#781776: selinux-policy-default: postfix does not start when SELinux is set to enforcing


Andreas Florath, Apr 2, 2015, 4:50:03 PM
Package: selinux-policy-default
Version: 2:2.20140421-9
Severity: normal

Dear Maintainer,

postfix does not start when SELinux is set to enforcing:

root@debian8gi:~# se_apt-get install postfix
[...]
root@debian8gi:~# run_init systemctl start postfix
Authenticating root.
Password:
root@debian8gi:~# run_init systemctl status postfix
Authenticating root.
Password:
● postfix.service - LSB: Postfix Mail Transport Agent
Loaded: loaded (/etc/init.d/postfix)
Drop-In: /run/systemd/generator/postfix.service.d
└─50-postfix-$mail-transport-agent.conf
Active: active (exited) since Thu 2015-04-02 13:09:43 CEST; 8min ago
Process: 2028 ExecStop=/etc/init.d/postfix stop (code=exited, status=0/SUCCESS)
Process: 2040 ExecStart=/etc/init.d/postfix start (code=exited, status=0/SUCCESS)

Apr 02 13:09:43 debian8gi postfix[2040]: Starting Postfix Mail Transport Agent: postfix.
Apr 02 13:09:43 debian8gi postfix/master[2140]: fatal: open lock file pid/master.pid: cannot create file exclusively: Permission denied

The following AVC is logged:

type=AVC msg=audit(1427973050.472:88): avc: denied { net_admin } for pid=2144 comm="systemd-tty-ask" capability=12 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:systemd_passwd_agent_t:s0 tclass=capability permissive=0

It looks like the appropriate directory was not correctly labelled by default:

root@debian8gi:/etc/postfix# ls -ldZ /var/spool/postfix/pid/
drwxr-xr-x. 2 root root system_u:object_r:var_spool_t:SystemLow 4096 Apr 2 13:07 /var/spool/postfix/pid/

root@debian8gi:/etc/postfix# restorecon -v /var/spool/postfix/pid/
restorecon reset /var/spool/postfix/pid context system_u:object_r:var_spool_t:s0->system_u:object_r:var_run_t:s0

root@debian8gi:/etc/postfix# ls -ldZ /var/spool/postfix/pid/
drwxr-xr-x. 2 root root system_u:object_r:var_run_t:SystemLow 4096 Apr 2 13:07 /var/spool/postfix/pid/

Nevertheless: even after this adaptation the process still does not start up:

root@debian8gi:/etc/postfix# run_init systemctl start postfix
Authenticating root.
Password:
root@debian8gi:/etc/postfix# run_init systemctl status postfix
Authenticating root.
Password:
● postfix.service - LSB: Postfix Mail Transport Agent
Loaded: loaded (/etc/init.d/postfix)
Drop-In: /run/systemd/generator/postfix.service.d
└─50-postfix-$mail-transport-agent.conf
Active: active (exited) since Thu 2015-04-02 14:13:52 CEST; 3s ago
Process: 3455 ExecStop=/etc/init.d/postfix stop (code=exited, status=0/SUCCESS)
Process: 3468 ExecStart=/etc/init.d/postfix start (code=exited, status=0/SUCCESS)

Apr 02 14:13:52 debian8gi postfix[3468]: Starting Postfix Mail Transport Agent: postfix.
Apr 02 14:13:52 debian8gi postfix/master[3568]: fatal: bind: public/pickup: Permission denied

The AVC:
type=AVC msg=audit(1427976832.296:134): avc: denied { create } for pid=3568 comm="master" name="pickup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file permissive=0

Therefore it looks like a more general restorecon is needed:

root@debian8gi:/etc/postfix# restorecon -v -R /var/spool/postfix
restorecon reset /var/spool/postfix context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/deferred context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/maildrop context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/etc/hosts context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/services context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/localtime context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/nsswitch.conf context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/host.conf context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/resolv.conf context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/defer context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/flush context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_flush_t:s0
restorecon reset /var/spool/postfix/public context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_public_t:s0
restorecon reset /var/spool/postfix/active context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/corrupt context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/private context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_private_t:s0
restorecon reset /var/spool/postfix/saved context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/incoming context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/bounce context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_bounce_t:s0

After this it is possible to start postfix.

Kind regards

Andre


-- System Information:
Debian Release: 8.0
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii libpam-modules 1.1.8-3.1
ii libselinux1 2.3-2
ii libsepol1 2.3-2
ii policycoreutils 2.3-1
ii python 2.7.9-1
ii selinux-utils 2.3-2

Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.3-1
ii setools 3.3.8-3.1

Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>

-- no debconf information


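The report above shows the two artefacts a practitioner has to correlate when a daemon fails under enforcing mode: the AVC records in the audit log and the labels restorecon actually changes. The following script is an added example, not part of the bug report or of the Debian packaging; it parses both, then classifies each denial as a capability denial (relabelling cannot help), a probable mislabel (the target carries a generic type such as var_spool_t) or a missing policy rule. The sample lines are copied from the report; the function names, the GENERIC_TYPES set and the verdict names are my own assumptions.

```python
"""Triage SELinux AVC denials against `restorecon -v` output.

Added example (not the bug report's or Debian's code).  Sample data below is
copied from the report; helper names and GENERIC_TYPES are assumptions.
"""
import re
from dataclasses import dataclass

# Types a file silently inherits from its parent directory when no
# file_contexts entry or type_transition assigns something more specific.
# A postfix_*_t domain being denied on one of these usually means the
# spool tree was never relabelled (assumption: list built from the report).
GENERIC_TYPES = {"var_spool_t", "var_run_t", "var_t", "etc_runtime_t"}
FILE_CLASSES = {"file", "dir", "sock_file", "fifo_file", "lnk_file",
                "chr_file", "blk_file"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RESTORECON_RE = re.compile(
    r"^restorecon reset (?P<path>\S+) context (?P<old>\S+?)->(?P<new>\S+)$")

# Constructed sample input: the two AVC lines quoted in the report.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1427973050.472:88): avc: denied { net_admin } for pid=2144 '
    'comm="systemd-tty-ask" capability=12 scontext=system_u:system_r:systemd_passwd_agent_t:s0 '
    'tcontext=system_u:system_r:systemd_passwd_agent_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(1427976832.296:134): avc: denied { create } for pid=3568 comm="master" '
    'name="pickup" scontext=system_u:system_r:postfix_master_t:s0 '
    'tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file permissive=0',
]

# Constructed sample input: the `restorecon -v` lines quoted in the report.
SAMPLE_RESTORECON = """
restorecon reset /var/spool/postfix/pid context system_u:object_r:var_spool_t:s0->system_u:object_r:var_run_t:s0
restorecon reset /var/spool/postfix context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/deferred context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/maildrop context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/etc/hosts context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/services context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/localtime context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/nsswitch.conf context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/host.conf context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/resolv.conf context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/defer context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/flush context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_flush_t:s0
restorecon reset /var/spool/postfix/public context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_public_t:s0
restorecon reset /var/spool/postfix/active context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/corrupt context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/private context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_private_t:s0
restorecon reset /var/spool/postfix/saved context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/incoming context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/bounce context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_bounce_t:s0
"""


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


@dataclass
class Avc:
    perms: list
    fields: dict

    @property
    def tclass(self):
        return self.fields["tclass"]

    @property
    def source_type(self):
        return context_type(self.fields["scontext"])

    @property
    def target_type(self):
        return context_type(self.fields["tcontext"])


def parse_avc(line):
    """Return an Avc for an audit AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return Avc(perms=m.group("perms").split(), fields=fields)


def parse_restorecon(log):
    """Map path -> (old_type, new_type) from `restorecon -v` output."""
    out = {}
    for line in log.splitlines():
        m = RESTORECON_RE.match(line.strip())
        if m:
            out[m.group("path")] = (context_type(m.group("old")),
                                    context_type(m.group("new")))
    return out


def classify(avc, relabels):
    """Return (verdict, candidate_paths).

    capability: process-level denial, no file label is involved.
    mislabel:   target has a generic type; for a `create` denial that is the
                type the new object would get, i.e. the parent directory's,
                so list every relabelled path that carried that type.
    policy:     target already has its specific type; a rule is missing.
    """
    if avc.tclass == "capability":
        return ("capability", [])
    if avc.tclass in FILE_CLASSES and avc.target_type in GENERIC_TYPES:
        cands = sorted(p for p, (old, new) in relabels.items()
                       if old == avc.target_type and new != old)
        return ("mislabel", cands)
    return ("policy", [])


def triage(avc_lines, restorecon_log):
    """Return [(comm, source_type, verdict, candidates)] for each AVC line."""
    relabels = parse_restorecon(restorecon_log)
    rows = []
    for line in avc_lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        verdict, cands = classify(avc, relabels)
        rows.append((avc.fields.get("comm", "?"), avc.source_type, verdict, cands))
    return rows


if __name__ == "__main__":
    for comm, src, verdict, cands in triage(SAMPLE_AVCS, SAMPLE_RESTORECON):
        print(f"{comm} ({src}): {verdict}")
        for p in cands:
            print(f"    relabel candidate: {p}")
```

Run on the report's own lines, the net_admin denial for systemd-tty-ask comes out as a capability denial unrelated to the spool labels, while the sock_file create denial for master is flagged as a mislabel with /var/spool/postfix/public among the candidates, which matches the `bind: public/pickup` failure and the fix that worked. On a live system the AVC lines would come from `ausearch -m AVC` and the relabel map from a dry run such as `restorecon -nvR /var/spool/postfix`.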

Russell Coker, Jul 30, 2023, 12:20:05 AM
tags 781776 +patch
thanks

The current problem with Postfix regarding SE Linux is that the main spool
directory has the wrong permissions. One way of solving this is using the
install command. The following applies the default SE Linux security context
when SE Linux is activated and silently disregards the -Z option if SE Linux
isn't activated.

--- p/postfix.preinst 2023-07-30 13:55:22.161192358 +1000
+++ p2/postfix.preinst 2023-07-30 13:55:49.274208973 +1000
@@ -16,7 +16,7 @@

MASTER=/etc/postfix/master.cf

-(umask 022; mkdir -p /var/spool/postfix)
+install -dZ -m 755 /var/spool/postfix

case "$1" in
install)
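Review bot: the `install -dZ` line only labels /var/spool/postfix itself, and only at the moment it is created; the subdirectories the report shows carrying var_spool_t (pid, public, private, maildrop, ...) are created separately and, without a type_transition in policy, inherit whatever their parent carries, so on an existing install with a mislabelled tree this hunk changes nothing. Suggest pairing it with a guarded relabel in postinst, e.g. `if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then restorecon -R /var/spool/postfix; fi`, which is the step that actually made Postfix start in the report. Minor: the `(umask 022; ...)` subshell is dropped; `-m 755` covers the leaf directory, but any missing parent that `install -d` has to create gets the caller's umask instead.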


The following is another way of doing it that is a better match for the style
of shell scripting used for Postfix. The -Z option to mkdir is used in the
postinst.

--- p/postfix.preinst 2023-07-30 13:55:22.161192358 +1000
+++ p2/postfix.preinst 2023-07-30 14:02:15.295245090 +1000
@@ -16,7 +16,7 @@

MASTER=/etc/postfix/master.cf

-(umask 022; mkdir -p /var/spool/postfix)
+mkdir -Zp -m755 /var/spool/postfix

case "$1" in
install)
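Review bot: same gap as the `install -dZ` variant: `mkdir -Zp` applies the default context only to directories it creates, so on an upgrade where /var/spool/postfix already exists with var_spool_t (exactly the state in the report) this line is a no-op and nothing relabels the tree or its subdirectories; an explicit `restorecon -R /var/spool/postfix`, run only when `selinuxenabled` succeeds, still belongs in postinst. Under `-p`, `-m755` applies to the final component only, so the dropped `umask 022` does not carry over to any parent mkdir creates. Since both hunks patch the same line, only one of the two should be applied.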

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/