Bug 1167109
| Summary: | /usr/bin/newaliases: No such file or directory | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Matthieu Saulnier <casper> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 21 | CC: | dominick.grift, dwalsh, jskarvad, lvrabec, mgrepl, plautrba |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-105.fc21 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-01-30 23:54:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Matthieu Saulnier
2014-11-23 18:14:06 UTC
It seems to be selinux, reproducer: boot f21 beta workstation live iso

```
# dnf install postfix
# newaliases
```
edit /etc/aliases
```
# systemctl restart postfix
```

The newaliases command creates /etc/aliases.db with wrong label and postfix preinit script cannot rewrite it later:

```
localhost setroubleshoot[2717]: SELinux is preventing postalias from write access on the file aliases.db. For complete SELinux messages. run sealert -l 23f6f855-478e-45e5-b85e-95024d86f04c
Nov 24 06:54:09 localhost python[2717]: SELinux is preventing postalias from write access on the file aliases.db .

*****  Plugin catchall_labels (83.8 confidence) suggests  *****

If you want to allow postalias to have write access on the aliases.db file
Then you need to change the label on aliases.db
Do
# semanage fcontext -a -t FILE_TYPE 'aliases.db'
where FILE_TYPE is one of the following: afs_cache_t, anon_inodefs_t, etc_aliases_t, initrc_tmp_t, mailman_data_t, postfix_data_t, postfix_etc_t, postfix_private_t, postfix_prng_t, postfix_spool_flush_t, postfix_spool_t, postfix_var_run_t, puppet_tmp_t, user_cron_spool_t.
Then execute:
restorecon -v 'aliases.db'
```

Could you attach avc?

(In reply to Lukas Vrabec from comment #2)
> Could you attach avc?

```
type=AVC msg=audit(1416838370.639:450): avc: denied { write } for pid=2500 comm="postalias" name="aliases.db" dev="dm-0" ino=329927 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
```

The problem: /etc/aliases.db is created with unconfined_u:object_r:etc_t:s0 label by newaliases command. It should be: unconfined_u:object_r:etc_aliases_t:s0 label

Could you attach output of:
```
$ rpm -q selinux-policy
$ matchpathcon /etc/aliases.db
```

```
$ rpm -q selinux-policy
selinux-policy-3.13.1-91.fc21.noarch
$ matchpathcon /etc/aliases.db
/etc/aliases.db	system_u:object_r:etc_aliases_t:s0
```
But:
```
# rm -f /etc/aliases.db
# newaliases
# ls -Z /etc/aliases.db
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/aliases.db
```

restorecon -R -v /etc/aliases*

I am no longer able to reproduce the problem using reproducer from comment 6.

(In reply to Jaroslav Škarvada from comment #8)
> I am no longer able to reproduce the problem using reproducer from comment 6.

Sorry, it is still reproducible with postfix.

(In reply to Daniel Walsh from comment #7)
> restorecon -R -v /etc/aliases*

This fixes the resulting label, but the problem is still reproducible with reproducer from comment 6.

It works correctly with sendmail, in this case the aliases.db is written by: /usr/sbin/sendmail.sendmail
It doesn't work with postfix, in this case the aliases.db is written by: /usr/sbin/sendmail.postfix
Both are targets for newaliases symlink which is managed by alternatives system.

What is the file executable that /usr/sbin/sendmail.postfix points at?

ls -Z SENDMAIL.POSTFIXAPP

(In reply to Daniel Walsh from comment #12)
> What is the file executable that /usr/sbin/sendmail.postfix points at?
>
> ls -Z SENDMAIL.POSTFIXAPP

```
# ls -Z /usr/sbin/sendmail.postfix
-rwxr-xr-x. root root system_u:object_r:sendmail_exec_t:s0 /usr/sbin/sendmail.postfix
```
Full link chain:
/usr/bin/newaliases -> /etc/alternatives/mta-newaliases -> /usr/bin/newaliases.postfix -> ../../usr/sbin/sendmail.postfix

I wonder if sendmail.postfix creates a temporary file which we do not have filetrans rules for.

(In reply to Daniel Walsh from comment #14)
> I wonder if sendmail.postfix creates a temporary file which we do not have
> filetrans rules for.

Yes, this seems to be the problem:
```
open("/etc/__db.aliases.db", O_RDWR|O_CREAT|O_EXCL, 0644)
...
rename("/etc/__db.aliases.db", "/etc/aliases.db")
```
It relies on libdb, which uses the above construct, so it wasn't apparent in the postfix code.

5285540d198dc1505969f6ff9ba9cab9a7825d2d fixes this in git.

```
commit 04a09f2802c570a82d164cf941b9c9c08dfbdf7c
Author: Dan Walsh <dwalsh>
Date:   Mon Jan 5 15:07:33 2015 -0500

    Make sure __db.aliases.db gets created with the correct label, for use with sendmail.postfix
```

selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21

Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21
then log in and leave karma (feedback).

selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
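As an added example (not code from the bug report or from the selinux-policy project), the following Python check parses AVC lines like the one quoted above and flags file denials where the target carries a different type than the policy expects for that path, which is the symptom the thread traces to the libdb create-and-rename pattern missing a filetrans rule. The sample audit lines and the EXPECTED_TYPE table are constructed; matchpathcon is only consulted when it is installed, so the check also runs on a machine without SELinux.

```python
import re
import shutil
import subprocess

# Constructed sample audit log: the AVC quoted in the bug plus one unrelated, correctly
# labelled denial that must not be reported as a mislabel.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1416838370.639:450): avc:  denied  { write } for  pid=2500 comm="postalias" name="aliases.db" dev="dm-0" ino=329927 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1416838400.000:451): avc:  denied  { read } for  pid=2600 comm="postfix" name="main.cf" dev="dm-0" ino=1 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file permissive=0
"""

# Assumed static table of what matchpathcon reports for these paths (values taken from
# the bug for aliases.db); used when the live policy is not available.
EXPECTED_TYPE = {"/etc/aliases.db": "etc_aliases_t", "/etc/postfix/main.cf": "postfix_etc_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+.*?comm="(?P<comm>[^"]*)"'
    r'.*?name="(?P<name>[^"]*)".*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the interesting fields of one audit AVC line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    d["stype"] = d["scontext"].split(":")[2]   # source domain, e.g. postfix_master_t
    d["ttype"] = d["tcontext"].split(":")[2]   # type currently on the target object
    return d

def expected_type_from_policy(path):
    """Ask the live policy via 'matchpathcon -n' when available, else use the table."""
    if shutil.which("matchpathcon"):
        out = subprocess.run(["matchpathcon", "-n", path], capture_output=True, text=True)
        if out.returncode == 0 and out.stdout.strip():
            return out.stdout.strip().split(":")[2]
    return EXPECTED_TYPE.get(path)

def find_mislabel_denials(audit_text, paths, expected=expected_type_from_policy):
    """Report file denials whose target type differs from the policy's expected type.
    paths maps the bare name= from the AVC to the full path (the AVC has no path)."""
    hits = []
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if not avc or avc["tclass"] != "file" or avc["name"] not in paths:
            continue
        want = expected(paths[avc["name"]])
        if want and avc["ttype"] != want:
            hits.append((avc["comm"], paths[avc["name"]], avc["ttype"], want))
    return hits
```

A reported tuple names the denied process, the path, the label it found and the label the policy wants, which is what `restorecon -v` would change and what a missing named file transition leaves behind.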