Bug 1167109
| Summary: | /usr/bin/newaliases: No such file or directory | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Matthieu Saulnier <msaulnier> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 21 | CC: | dominick.grift, dwalsh, jskarvad, lvrabec, mgrepl, plautrba |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-105.fc21 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-01-30 23:54:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Matthieu Saulnier
2014-11-23 18:14:06 UTC
It seems to be selinux, reproducer:
boot f21 beta workstation live iso
# dnf install postfix
# newaliases
edit /etc/aliases
# systemctl restart postfix
The newaliases command creates /etc/aliases.db with the wrong label and the postfix preinit script cannot rewrite it later:
localhost setroubleshoot[2717]: SELinux is preventing postalias from write access on the file aliases.db. For complete SELinux messages. run sealert -l 23f6f855-478e-45e5-b85e-95024d86f04c
Nov 24 06:54:09 localhost python[2717]: SELinux is preventing postalias from write access on the file aliases.db.

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow postalias to have write access on the aliases.db file
Then you need to change the label on aliases.db
Do
# semanage fcontext -a -t FILE_TYPE 'aliases.db'
where FILE_TYPE is one of the following: afs_cache_t, anon_inodefs_t, etc_aliases_t, initrc_tmp_t, mailman_data_t, postfix_data_t, postfix_etc_t, postfix_private_t, postfix_prng_t, postfix_spool_flush_t, postfix_spool_t, postfix_var_run_t, puppet_tmp_t, user_cron_spool_t.
Then execute:
restorecon -v 'aliases.db'
Could you attach avc?

(In reply to Lukas Vrabec from comment #2)
> Could you attach avc?

type=AVC msg=audit(1416838370.639:450): avc: denied { write } for pid=2500 comm="postalias" name="aliases.db" dev="dm-0" ino=329927 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0

The problem: /etc/aliases.db is created with the unconfined_u:object_r:etc_t:s0 label by the newaliases command. It should be the unconfined_u:object_r:etc_aliases_t:s0 label.

Could you attach output of:
$ rpm -q selinux-policy
$ matchpathcon /etc/aliases.db

$ rpm -q selinux-policy
selinux-policy-3.13.1-91.fc21.noarch
$ matchpathcon /etc/aliases.db
/etc/aliases.db system_u:object_r:etc_aliases_t:s0
But:
# rm -f /etc/aliases.db
# newaliases
# ls -Z /etc/aliases.db
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/aliases.db

restorecon -R -v /etc/aliases*

I am no longer able to reproduce the problem using the reproducer from comment 6.

(In reply to Jaroslav Škarvada from comment #8)
> I am no longer able to reproduce the problem using reproducer from comment 6.
Sorry, it is still reproducible with postfix.

(In reply to Daniel Walsh from comment #7)
> restorecon -R -v /etc/aliases*
This fixes the resulting label, but the problem is still reproducible with the reproducer from comment 6.

It works correctly with sendmail; in this case aliases.db is written by:
/usr/sbin/sendmail.sendmail
It doesn't work with postfix; in this case aliases.db is written by:
/usr/sbin/sendmail.postfix
Both are targets for the newaliases symlink, which is managed by the alternatives system.

What is the file executable that /usr/sbin/sendmail.postfix points at?
ls -Z SENDMAIL.POSTFIXAPP

(In reply to Daniel Walsh from comment #12)
> What is the file executable that /usr/sbin/sendmail.postfix points at?
>
> ls -Z SENDMAIL.POSTFIXAPP
# ls -Z /usr/sbin/sendmail.postfix
-rwxr-xr-x. root root system_u:object_r:sendmail_exec_t:s0 /usr/sbin/sendmail.postfix
Full link chain:
/usr/bin/newaliases -> /etc/alternatives/mta-newaliases -> /usr/bin/newaliases.postfix -> ../../usr/sbin/sendmail.postfix

I wonder if sendmail.postfix creates a temporary file which we do not have filetrans rules for.

(In reply to Daniel Walsh from comment #14)
> I wonder if sendmail.postfix creates a temporary file which we do not have
> filetrans rules for.
Yes, this seems to be the problem:
open("/etc/__db.aliases.db", O_RDWR|O_CREAT|O_EXCL, 0644)
...
rename("/etc/__db.aliases.db", "/etc/aliases.db")
It relies on libdb, which uses the above construct, so it wasn't apparent in the postfix code.

5285540d198dc1505969f6ff9ba9cab9a7825d2d fixes this in git.

commit 04a09f2802c570a82d164cf941b9c9c08dfbdf7c
Author: Dan Walsh <dwalsh>
Date: Mon Jan 5 15:07:33 2015 -0500

    Make sure __db.aliases.db gets created with the correct label, for use with sendmail.postfix
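To make the mechanism behind this bug concrete, here is a small Python model of SELinux named file transitions combined with libdb's create-temp-then-rename sequence from the strace in the thread. It is added example code, not Fedora's selinux-policy, the kernel's actual rule evaluation, or anything from the commit referenced above. The type names etc_t, etc_aliases_t and postfix_master_t come from the AVC and matchpathcon output in the thread; the creating domain (unconfined_t) and the exact shape of the rules are assumptions made for the demonstration. The model shows why a transition rule keyed on the final name aliases.db never fires for the temporary name __db.aliases.db, why rename carries the wrong label onto /etc/aliases.db, and why restorecon only repairs the label until the next newaliases run.

```python
# Simplified model of SELinux named file transitions for the newaliases case.
# Added example code: not Fedora's selinux-policy and not the kernel's real
# security_transition_sid() logic. Type names on the page are used as-is;
# CREATOR_T is an assumed creating domain (the thread only shows the
# resulting unconfined_u:object_r:etc_t:s0 context, not the process domain).
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CREATOR_T = "unconfined_t"  # assumption for the demo


@dataclass(frozen=True)
class FileTrans:
    """filetrans_pattern-style rule: (domain, parent dir type[, basename]) -> type."""
    domain: str
    dir_type: str
    result_type: str
    name: Optional[str] = None  # None = unnamed transition, matches any basename


@dataclass(frozen=True)
class Allow:
    domain: str
    target_type: str
    perm: str


class Policy:
    def __init__(self, transitions: List[FileTrans], allows: List[Allow]):
        self.transitions = transitions
        self.allows = set(allows)

    def label_for_create(self, domain: str, dir_type: str, basename: str) -> str:
        """Named transitions win over unnamed ones; with no match the new file
        inherits its parent directory's type (the etc_t seen in the AVC)."""
        for r in self.transitions:
            if (r.domain, r.dir_type, r.name) == (domain, dir_type, basename):
                return r.result_type
        for r in self.transitions:
            if (r.domain, r.dir_type, r.name) == (domain, dir_type, None):
                return r.result_type
        return dir_type

    def allowed(self, domain: str, target_type: str, perm: str) -> bool:
        return Allow(domain, target_type, perm) in self.allows


class Filesystem:
    """Tracks the type on each path. rename() keeps the inode, so the label
    assigned at create time travels with it to the new name."""
    def __init__(self, policy: Policy, dir_types: Dict[str, str]):
        self.policy = policy
        self.dir_types = dir_types
        self.labels: Dict[str, str] = {}

    def create(self, domain: str, path: str) -> str:
        parent, base = path.rsplit("/", 1)
        self.labels[path] = self.policy.label_for_create(domain, self.dir_types[parent], base)
        return self.labels[path]

    def rename(self, old: str, new: str) -> str:
        self.labels[new] = self.labels.pop(old)
        return self.labels[new]

    def restorecon(self, path: str, correct_type: str) -> str:
        """Relabel to what matchpathcon says the path should carry."""
        self.labels[path] = correct_type
        return correct_type


def run_newaliases(fs: Filesystem) -> str:
    """libdb's sequence: open(O_CREAT|O_EXCL) on __db.aliases.db, then rename."""
    fs.create(CREATOR_T, "/etc/__db.aliases.db")
    return fs.rename("/etc/__db.aliases.db", "/etc/aliases.db")


def final_label(policy: Policy) -> str:
    return run_newaliases(Filesystem(policy, {"/etc": "etc_t"}))


def postfix_can_rewrite(policy: Policy) -> bool:
    """postalias runs as postfix_master_t and needs write on the resulting type."""
    return policy.allowed("postfix_master_t", final_label(policy), "write")


def restorecon_then_rerun(policy: Policy) -> Tuple[str, str]:
    """Label right after restorecon, and again after the next newaliases run."""
    fs = Filesystem(policy, {"/etc": "etc_t"})
    run_newaliases(fs)
    fixed = fs.restorecon("/etc/aliases.db", "etc_aliases_t")
    return fixed, run_newaliases(fs)


ALLOWS = [Allow("postfix_master_t", "etc_aliases_t", "write")]
# Before the fix: only the final basename is covered by a named transition.
BEFORE = Policy([FileTrans(CREATOR_T, "etc_t", "etc_aliases_t", "aliases.db")], ALLOWS)
# After the fix: libdb's temporary basename gets the same transition.
AFTER = Policy(BEFORE.transitions
               + [FileTrans(CREATOR_T, "etc_t", "etc_aliases_t", "__db.aliases.db")], ALLOWS)

if __name__ == "__main__":
    for tag, pol in (("before fix", BEFORE), ("after fix", AFTER)):
        print(f"{tag}: /etc/aliases.db is {final_label(pol)}, "
              f"postalias write allowed: {postfix_can_rewrite(pol)}")
    print("restorecon then rerun (before fix):", restorecon_then_rerun(BEFORE))
```

The point the model makes is that restorecon is the right triage step but not the fix: named transitions are keyed on the basename the process actually passes to open(), so the policy has to name the temporary file a library creates, not just the file the administrator sees afterwards.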
selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21

Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21
then log in and leave karma (feedback).

selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.