Bug 1983308

Summary: SELinux Blocking Postfix+PostgreSQL
Product: Red Hat Enterprise Linux 8
Reporter: Joseph D. Wagner <joe>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: CentOS Stream
CC: bstinson, jwboyer, lvrabec, mmalik, pkoncity, plautrba, zpytela
Target Milestone: beta
Keywords: Triaged
Target Release: 8.8
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-112.el8
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-05-16 09:03:44 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Deadline: 2022-08-16

Description Joseph D. Wagner 2021-07-17 14:23:35 UTC
Description of problem:
SELinux blocks Postfix from reading pgsql config files.
* This error does not occur when SELINUX=permissive
* This error does not appear in Fedora Rawhide using the same configuration.

/var/log/maillog
Jul 17 13:09:15 ${domain} postfix/virtual[2488]: error: open /etc/postfix/pgsql/virtual_mailbox_maps.cf: Permission denied
Jul 17 13:09:15 ${domain} postfix/virtual[2488]: warning: pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf is unavailable. open /etc/postfix/pgsql/virtual_mailbox_maps.cf: Permission denied
Jul 17 13:09:15 ${domain} postfix/virtual[2488]: warning: pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf lookup error for "${email}"
Jul 17 13:09:15 ${domain} postfix/virtual[2488]: warning: table virtual_mailbox_maps: lookup ${email}: Permission denied
Jul 17 13:09:15 ${domain} postfix/virtual[2488]: 7690E200C9: to=<${email}>, relay=virtual, delay=9530, delays=9529/0.47/0/0.05, dsn=4.3.5, status=deferred (mail system configuration error)

/var/log/audit/audit.log
type=AVC msg=audit(1626517839.448:51822): avc:  denied  { search } for  pid=36372 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1626517839.450:51823): avc:  denied  { search } for  pid=36372 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1626520184.708:52371): avc:  denied  { search } for  pid=37326 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1626520793.428:106): avc:  denied  { search } for  pid=2019 comm="virtual" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_virtual_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1626520938.846:201): avc:  denied  { search } for  pid=2092 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1626521009.136:202): avc:  denied  { search } for  pid=2130 comm="virtual" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_virtual_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1

/etc/postfix/main.cf
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/virtual_mailbox_domains.cf
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:985
virtual_gid_maps = static:981

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-72.el8.noarch

How reproducible:
100%

Steps to Reproduce:
1. useradd -r --comment "Virtual Maildir" -m -s /sbin/nologin vmail
2. postgresql-setup --initdb
3. systemctl start postgresql.service
4. su - postgres
5. psql -U postgres
6. CREATE USER vmailuser;
7. CREATE DATABASE vmaildb WITH OWNER vmailuser;
8. \q
9. psql -d vmaildb -U vmailuser
10. CREATE TABLE vdomains ( domainid int not null generated always as identity, domainname varchar(255) not null, constraint vdomains_pk primary key (domainid), constraint vdomains_domainname_unq unique(domainname) );
11. CREATE TABLE vmailboxes (mailboxid int not null generated always as identity, domainid int not null, username varchar(64) not null, password varchar(128) not null, constraint vmailboxes_pk primary key (mailboxid), constraint vmailboxes_username_domainid_unq unique(username, domainid), foreign key (domainid) references vdomains(domainid) on delete cascade );
12. Insert a few rows to both tables for subsequent testing.
13. \q
14. Create the virtual_mailbox_*.cf files.
15. Add the above virtual* lines to main.cf, but be sure to update uid/gid maps.
16. Restart postfix.
17. Send a test email to a mailbox in one of the virtual domains.
18. See the error message.

Actual results:
mail stuck in queue

Expected results:
mail delivered to maildir

Additional info:

# sealert -a /var/log/audit/audit.log
found 2 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/postfix/smtpd from search access on the directory krb5.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that smtpd should be allowed search access on the krb5 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'smtpd' --raw | audit2allow -M my-smtpd
# semodule -X 300 -i my-smtpd.pp


Additional Information:
Source Context                system_u:system_r:postfix_smtpd_t:s0
Target Context                system_u:object_r:krb5_keytab_t:s0
Target Objects                krb5 [ dir ]
Source                        smtpd
Source Path                   /usr/libexec/postfix/smtpd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           postfix-3.5.8-1.el8.x86_64
Target RPM Packages          
SELinux Policy RPM            selinux-policy-targeted-3.14.3-72.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-72.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ${domain}
Platform                      Linux ${domain} 4.18.0-315.el8.x86_64 #1
                              SMP Mon Jun 28 19:09:44 UTC 2021 x86_64 x86_64
Alert Count                   4
First Seen                    2021-07-17 10:30:39 UTC
Last Seen                     2021-07-17 11:22:18 UTC
Local ID                      e97c8994-d334-4f7c-aa2c-852b241e859b

Raw Audit Messages
type=AVC msg=audit(1626520938.846:201): avc:  denied  { search } for  pid=2092 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1


type=SYSCALL msg=audit(1626520938.846:201): arch=x86_64 syscall=openat success=no exit=ENOENT a0=ffffff9c a1=56075597d520 a2=0 a3=0 items=0 ppid=2011 pid=2092 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm=smtpd exe=/usr/libexec/postfix/smtpd subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID=unset UID=postfix GID=postfix EUID=postfix SUID=postfix FSUID=postfix EGID=postfix SGID=postfix FSGID=postfix

Hash: smtpd,postfix_smtpd_t,krb5_keytab_t,dir,search

--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/postfix/virtual from search access on the directory krb5.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that virtual should be allowed search access on the krb5 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'virtual' --raw | audit2allow -M my-virtual
# semodule -X 300 -i my-virtual.pp


Additional Information:
Source Context                system_u:system_r:postfix_virtual_t:s0
Target Context                system_u:object_r:krb5_keytab_t:s0
Target Objects                krb5 [ dir ]
Source                        virtual
Source Path                   /usr/libexec/postfix/virtual
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           postfix-3.5.8-1.el8.x86_64
Target RPM Packages          
SELinux Policy RPM            selinux-policy-targeted-3.14.3-72.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-72.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ${domain}
Platform                      Linux ${domain} 4.18.0-315.el8.x86_64 #1
                              SMP Mon Jun 28 19:09:44 UTC 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2021-07-17 11:19:53 UTC
Last Seen                     2021-07-17 11:23:29 UTC
Local ID                      207512af-fafa-4ad5-a519-8b9e73641f61

Raw Audit Messages
type=AVC msg=audit(1626521009.136:202): avc:  denied  { search } for  pid=2130 comm="virtual" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_virtual_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1


type=SYSCALL msg=audit(1626521009.136:202): arch=x86_64 syscall=openat success=no exit=ENOENT a0=ffffff9c a1=5636a25b0b10 a2=0 a3=0 items=0 ppid=2011 pid=2130 auid=4294967295 uid=0 gid=0 euid=89 suid=0 fsuid=89 egid=89 sgid=0 fsgid=89 tty=(none) ses=4294967295 comm=virtual exe=/usr/libexec/postfix/virtual subj=system_u:system_r:postfix_virtual_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID=unset UID=root GID=root EUID=postfix SUID=root FSUID=postfix EGID=postfix SGID=root FSGID=postfix

Hash: virtual,postfix_virtual_t,krb5_keytab_t,dir,search
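
The denials quoted above, grouped the same way sealert's "Hash:" line groups them, so that repeated AVC records collapse into one policy rule per (source type, target type, class, permission) and the report also shows how many of them were actually refused (permissive=0) rather than only logged (permissive=1). This is added example code, not part of the bug report or of selinux-policy; the sample records are copied from the audit.log excerpt above, and the rule output mirrors what audit2allow proposes for the same records.

```python
import re
from collections import defaultdict

# Constructed sample: three AVC records copied from the report's audit.log excerpt.
SAMPLE_LOG = [
    'type=AVC msg=audit(1626517839.448:51822): avc:  denied  { search } for  pid=36372 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1626520184.708:52371): avc:  denied  { search } for  pid=37326 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1626520793.428:106): avc:  denied  { search } for  pid=2019 comm="virtual" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_virtual_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1',
]

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+pid=\d+ comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r' permissive=(?P<permissive>[01])'
)

def selinux_type(context):
    """user:role:type:level -> type, e.g. postfix_smtpd_t."""
    return context.split(":")[2]

def parse_avc(line):
    """Fields of one AVC record, or None for anything else (SYSCALL, PATH, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "comm": m["comm"],
        "stype": selinux_type(m["scontext"]),
        "ttype": selinux_type(m["tcontext"]),
        "tclass": m["tclass"],
        "perms": m["perms"].split(),
        # permissive=0: access refused; permissive=1: logged only, access granted
        "enforced": m["permissive"] == "0",
    }

def summarise(lines):
    """Group by comm,stype,ttype,tclass,perm: the key sealert prints as 'Hash:'."""
    groups = defaultdict(lambda: {"count": 0, "enforced": 0})
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec["perms"]:
            key = ",".join((rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], perm))
            groups[key]["count"] += 1
            groups[key]["enforced"] += int(rec["enforced"])
    return dict(groups)

def allow_rules(summary):
    """audit2allow-style rules, one per (source type, target type, class, perm)."""
    return sorted({"allow {1} {2}:{3} {4};".format(*k.split(",")) for k in summary})
```

For this report the summary yields two keys, both for `search` on `krb5_keytab_t` directories, which is exactly the access the fix commit in Comment 12 adds to the shipped policy; the enforced count tells you which of the quoted records were taken while SELinux was actually in enforcing mode.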

Comment 1 Patrik Koncity 2022-01-26 15:50:47 UTC
Hi Joseph,

I have a few questions. I'm stuck reproducing this bug.


> 9. psql -d vmaildb -U vmailuser

When I try to connect to vmaildb as vmailuser, I only get the error "psql: FATAL:  Peer authentication failed for user "vmailuser"" and I'm not able to continue with the other steps. Any clue where the issue could be?


Also, can you please show me the label of /etc/postfix/pgsql/virtual_mailbox_maps.cf?

$ ls -Z /etc/postfix/pgsql/virtual_mailbox_maps.cf


Thanks,

Patrik

Comment 2 Joseph D. Wagner 2022-01-26 18:31:12 UTC
1) You'll need to change the METHOD entry in /var/lib/pgsql/data/pg_hba.conf from "peer" to something like "trust", "md5", or "scram-sha-256". Be sure to set up the postgres account first (unless you go with "trust"), because postgres is the admin one.

2) -rw-r-----. 1 root postfix system_u:object_r:postfix_etc_t:s0 288 Jul 26  2021 /etc/postfix/pgsql/virtual_mailbox_maps.cf

Comment 12 Zdenek Pytela 2022-11-28 13:30:16 UTC
This commit is needed:
commit 3dd03dad6dfc3d5b07fbd31eec2cbceabfdfd844 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Fri Nov 25 19:11:50 2022 +0100

    Allow postfix/smtpd read kerberos key table

Comment 20 errata-xmlrpc 2023-05-16 09:03:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965