Bug 2142534

Summary: pypolicyd-spf causing selinux errors
Product: [Fedora] Fedora EPEL
Reporter: Herald van der Breggen <fedora>
Component: pypolicyd-spf
Assignee: Bojan Smojver <bojan>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: epel8
CC: bojan, bstinson, cstratak, jwboyer, vascom2
Hardware: x86_64
OS: Linux
Fixed In Version: pypolicyd-spf-2.9.3-4.fc35 pypolicyd-spf-2.9.3-4.fc37 pypolicyd-spf-2.9.3-4.el8 pypolicyd-spf-2.9.3-4.fc36 pypolicyd-spf-2.9.3-4.el9
Last Closed: 2022-11-26 00:46:07 UTC
Type: Bug

Description Herald van der Breggen 2022-11-14 11:16:16 UTC
Description of problem:
After updating the pypolicyd-spf package to this one:
 
pypolicyd-spf / noarch / 2.9.3-1.el8 / epel / 73 k

the mail server was not able to receive mail.

Errors:
SELinux is preventing /usr/libexec/platform-python3.6 from execute_no_trans access on the file /usr/sbin/ldconfig. For complete SELinux messages run: [.....]

and

"Recipient address rejected: Server configuration problem; "

For now I removed the spf check from the postfix configuration.

Version-Release number of selected component (if applicable):


How reproducible:
configure postfix to use spf and watch incoming mail.


Steps to Reproduce:
1. configure postfix with spf as described in https://www.linuxbabe.com/redhat/set-up-spf-dkim-postfix-centos

2. update to 2.9.3-1.el8

Actual results:
mail server not able to receive mail

Expected results:


Additional info:
a working mail server

Comment 1 Miro Hrončok 2022-11-14 11:45:45 UTC
I'm going to assume this needs to be fixed in pypolicyd-spf. Let us know if you think something is actually broken in Python.

Comment 2 Bojan Smojver 2022-11-14 11:57:53 UTC
Can you attach relevant parts of audit log after running in permissive mode?

Comment 3 Herald van der Breggen 2022-11-14 12:17:15 UTC
After sending a test-email from google to my mail server:

Nov 14 13:12:45 vps2 postfix/smtpd[4494]: connect from mail-pf1-f181.google.com[209.85.210.181]
Nov 14 13:12:45 vps2 postfix/smtpd[4494]: discarding EHLO keywords: CHUNKING
Nov 14 13:12:45 vps2 postfix/smtpd[4494]: discarding EHLO keywords: CHUNKING
Nov 14 13:12:46 vps2 spamass-milter[925]: Could not retrieve sendmail macro "i"!.  Please add it to confMILTER_MACROS_ENVFROM for better spamassassin results
Nov 14 13:12:47 vps2 postfix/spawn[4498]: warning: command /usr/libexec/postfix/policyd-spf exit status 1
Nov 14 13:12:47 vps2 postfix/smtpd[4494]: warning: premature end-of-input on private/policyd-spf while reading input attribute name
Nov 14 13:12:48 vps2 postfix/spawn[4498]: warning: command /usr/libexec/postfix/policyd-spf exit status 1
Nov 14 13:12:48 vps2 postfix/smtpd[4494]: warning: premature end-of-input on private/policyd-spf while reading input attribute name
Nov 14 13:12:48 vps2 postfix/smtpd[4494]: warning: problem talking to server private/policyd-spf: Connection reset by peer
Nov 14 13:12:48 vps2 postfix/smtpd[4494]: NOQUEUE: reject: RCPT from mail-pf1-f181.google.com[209.85.210.181]: 451 4.3.5 <herald>: Recipient address rejected: Server configuration problem; from=<heraldvander> to=<herald> proto=ESMTP helo=<mail-pf1-f181.google.com>
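
The mail-log lines above show the failure mode of Postfix's policy delegation protocol, not an SPF result: postfix/spawn runs the policy command with the request on its stdin as name=value lines terminated by an empty line, and smtpd expects an action=... reply terminated the same way. When the command exits before writing anything (the "exit status 1" warnings), smtpd logs "premature end-of-input ... while reading input attribute name" and defers the recipient with 451 4.3.5 Server configuration problem. The following Python model of that exchange is an added example, not code from the pypolicyd-spf package or from the reporter. The request attributes are constructed from the connection in the log (sender and recipient are placeholders), and the broken handler's ImportError and module name are hypothetical stand-ins for a policy daemon that dies on startup before answering.

```python
"""Model of the Postfix SMTPD policy delegation exchange (added example).

Request:  "name=value\n" lines, ended by an empty line.
Reply:    "action=<verdict>\n\n".
EOF before the terminating empty line = premature end-of-input.
"""
import io
from typing import Callable, Dict, Optional, Tuple

# Constructed request, shaped after the connection in the mail log above.
# Sender and recipient are placeholders, not the reporter's addresses.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=209.85.210.181\n"
    "client_name=mail-pf1-f181.google.com\n"
    "helo_name=mail-pf1-f181.google.com\n"
    "sender=sender@example.com\n"
    "recipient=recipient@example.net\n"
    "\n"
)

DEFER_451 = "451 4.3.5 Recipient address rejected: Server configuration problem"


def parse_policy_request(stream: io.TextIOBase) -> Optional[Dict[str, str]]:
    """Read one name=value block; None if the stream ends before the empty line.

    The same reader serves both directions of the protocol, because the reply
    is just another attribute list (normally only "action").
    """
    attrs: Dict[str, str] = {}
    while True:
        line = stream.readline()
        if line == "":               # EOF: premature end-of-input
            return None
        line = line.rstrip("\n")
        if line == "":               # empty line closes the record
            return attrs
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute line: {line!r}")
        attrs[name] = value


def parse_request_text(text: str) -> Optional[Dict[str, str]]:
    return parse_policy_request(io.StringIO(text))


def spawn_policy_command(handler: Callable[[Dict[str, str]], str],
                         request_text: str) -> Tuple[int, str]:
    """Model of postfix/spawn: run the command with the request on stdin.

    Returns (exit_status, stdout).  An uncaught exception ends the process
    before it answers: exit status 1 and nothing written.
    """
    out = io.StringIO()
    try:
        attrs = parse_policy_request(io.StringIO(request_text))
        if attrs is None:
            return 1, ""
        out.write(f"action={handler(attrs)}\n\n")
        return 0, out.getvalue()
    except Exception:
        return 1, out.getvalue()


def smtpd_read_policy_reply(reply: str) -> Tuple[str, str]:
    """smtpd side: a reply must be a complete attribute block with an action.

    Anything else is treated as a policy server failure and the recipient is
    deferred with the 451 seen in the log (the client may retry later).
    """
    attrs = parse_policy_request(io.StringIO(reply))
    if attrs is None or "action" not in attrs:
        return ("defer", DEFER_451)
    return ("action", attrs["action"])


def healthy_policyd(attrs: Dict[str, str]) -> str:
    # Stand-in for a working SPF policy daemon: no DNS lookup here, just the
    # reply shape policyd-spf uses when it has no objection.
    return "DUNNO"


def broken_policyd(attrs: Dict[str, str]) -> str:
    # Hypothetical stand-in for a daemon that cannot even start: it dies
    # before writing a reply, which is what "exit status 1" looks like.
    raise ImportError("No module named 'missing_dependency'")


def deliver(handler: Callable[[Dict[str, str]], str]):
    """One RCPT decision: spawn the policy command, then let smtpd judge it."""
    status, reply = spawn_policy_command(handler, SAMPLE_REQUEST)
    return status, smtpd_read_policy_reply(reply)


if __name__ == "__main__":
    print(deliver(healthy_policyd))   # (0, ('action', 'DUNNO'))
    print(deliver(broken_policyd))    # (1, ('defer', '451 4.3.5 ...'))
```

The point for diagnosis: an SPF policy server that cannot run does not fail open or fail closed on SPF grounds; it makes every RCPT a 451 temporary failure, which is why removing the check_policy_service entry from smtpd_recipient_restrictions restored delivery immediately while the real cause was elsewhere.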

Comment 4 Herald van der Breggen 2022-11-14 12:26:20 UTC
this was of course the mail log, not the audit log.

journalctl shows:

nov 14 13:12:55 vps2 setroubleshoot[4512]: SELinux is preventing /usr/libexec/platform-python3.6 from execute_no_trans access on the file /usr/sbin/ldconfig. For complete SELinux messages run: sealert -l a197564e-2191-40e3-82cd-daf029c0a>
nov 14 13:12:55 vps2 setroubleshoot[4512]: SELinux is preventing /usr/libexec/platform-python3.6 from execute_no_trans access on the file /usr/sbin/ldconfig.
                                           
                                           *****  Plugin catchall (100. confidence) suggests   **************************
                                           
                                           If you believe that platform-python3.6 should be allowed execute_no_trans access on the ldconfig file by default.
                                           Then you should report this as a bug.
                                           You can generate a local policy module to allow this access.
                                           Do
                                           allow this access for now by executing:
                                           # ausearch -c 'policyd-spf' --raw | audit2allow -M my-policydspf
                                           # semodule -X 300 -i my-policydspf.pp


sealert shows:
    [root@vps2 audit]# sealert -l a197564e-2191-40e3-82cd-daf029c0ad62
SELinux is preventing /usr/libexec/platform-python3.6 from execute_no_trans access on the file /usr/sbin/ldconfig.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that platform-python3.6 should be allowed execute_no_trans access on the ldconfig file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'policyd-spf' --raw | audit2allow -M my-policydspf
# semodule -X 300 -i my-policydspf.pp


Additional Information:
Source Context                system_u:system_r:postfix_master_t:s0
Target Context                system_u:object_r:ldconfig_exec_t:s0
Target Objects                /usr/sbin/ldconfig [ file ]
Source                        policyd-spf
Source Path                   /usr/libexec/platform-python3.6
Port                          <Unknown>
Host                          vps2
Source RPM Packages           glibc-2.28-216.el8.x86_64
Target RPM Packages           glibc-2.28-216.el8.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.3-110.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-110.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     vps2
Platform                      Linux vps2 4.18.0-408.el8.x86_64 #1 SMP Mon Jul 18
                              17:42:52 UTC 2022 x86_64 x86_64
Alert Count                   38
First Seen                    2022-11-14 11:41:34 CET
Last Seen                     2022-11-14 13:14:55 CET
Local ID                      a197564e-2191-40e3-82cd-daf029c0ad62

Raw Audit Messages
type=AVC msg=audit(1668428095.984:289): avc:  denied  { execute_no_trans } for  pid=4600 comm="policyd-spf" path="/usr/sbin/ldconfig" dev="vda2" ino=4092757 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1668428095.984:289): arch=x86_64 syscall=execve success=yes exit=0 a0=7fd256054420 a1=7fd25602a078 a2=7fd25602ae10 a3=18 items=0 ppid=4599 pid=4600 auid=4294967295 uid=975 gid=970 euid=975 suid=975 fsuid=975 egid=970 sgid=970 fsgid=970 tty=(none) ses=4294967295 comm=ldconfig exe=/usr/sbin/ldconfig subj=system_u:system_r:postfix_master_t:s0 key=(null)

Hash: policyd-spf,postfix_master_t,ldconfig_exec_t,file,execute_no_trans
                                   
But anyway, it looks like the selinux errors (that are logged in high volume) are not the cause for not receiving email anymore. So I needed to disable spf-checking again.
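
The raw AVC record above carries everything needed to triage the denial: the source and target types, the object class, the permission, and permissive=1, which means SELinux logged the access but did not block it (the host was in permissive mode, and the matching SYSCALL record shows success=yes). That is why the denial, however noisy, cannot be what is deferring mail. The following Python triage helper is an added example, not from this page or from any Fedora tool: it parses the AVC line, derives the same comm,source_type,target_type,class,permission key that setroubleshoot printed as "Hash:", and renders the allow rule audit2allow would generate from it; the second record with permissive=0 is constructed to show the enforcing case. Such a rule lets postfix_master_t execute ldconfig without a domain transition, so it belongs in a local module only after deciding the access is legitimate, as the catchall plugin text itself says.

```python
"""Triage of an SELinux AVC record (added example)."""
import re
from typing import Optional

# AVC record copied from the raw audit messages above.
PAGE_AVC = ('type=AVC msg=audit(1668428095.984:289): avc:  denied  { execute_no_trans } '
            'for  pid=4600 comm="policyd-spf" path="/usr/sbin/ldconfig" dev="vda2" '
            'ino=4092757 scontext=system_u:system_r:postfix_master_t:s0 '
            'tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1')

# Constructed variant: the same denial as it would be recorded in enforcing mode.
ENFORCING_AVC = PAGE_AVC.replace("permissive=1", "permissive=0")

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[dict]:
    """Split one AVC denial into its fields; None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def context_type(ctx: str) -> str:
    """user:role:type:level -> type, the component policy rules name."""
    return ctx.split(":")[2]


def avc_hash(f: dict) -> str:
    """The grouping key setroubleshoot prints as 'Hash:'."""
    return ",".join([f["comm"], context_type(f["scontext"]),
                     context_type(f["tcontext"]), f["tclass"], " ".join(f["perms"])])


def audit2allow_rule(f: dict) -> str:
    """The allow rule audit2allow derives from this single record."""
    perms = f["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return (f"allow {context_type(f['scontext'])} "
            f"{context_type(f['tcontext'])}:{f['tclass']} {perm_str};")


def was_enforced(f: dict) -> bool:
    """permissive=1 means the access succeeded and was only logged."""
    return f.get("permissive", "0") != "1"


def triage(line: str) -> Optional[dict]:
    """Summarise a denial: what was touched, was it blocked, what rule would allow it."""
    f = parse_avc(line)
    if f is None:
        return None
    return {
        "hash": avc_hash(f),
        "rule": audit2allow_rule(f),
        "blocked": was_enforced(f),
        "exe": f.get("path"),
        "comm": f.get("comm"),
    }


if __name__ == "__main__":
    for rec in (PAGE_AVC, ENFORCING_AVC):
        t = triage(rec)
        print(("BLOCKED     " if t["blocked"] else "logged only ") + t["hash"])
        print("  would be allowed by: " + t["rule"])
```

Read "blocked" first when a denial and an application failure appear together: only an enforced denial can explain broken behaviour, and a permissive-mode record is evidence for a policy bug report, not for the outage.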

Comment 5 Bojan Smojver 2022-11-14 12:29:03 UTC
Please test the build from koji, referenced in -2 that I submitted for testing a short time ago. A dependency was missed in -1 and you may be hitting that too.

Comment 6 Herald van der Breggen 2022-11-14 12:39:39 UTC
Yes, pypolicyd-spf-2.9.3-2.el8 from Koji works! 
Thanks a lot!

Comment 7 Fedora Update System 2022-11-14 12:50:09 UTC
FEDORA-EPEL-2022-f566a6d7b9 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-f566a6d7b9

Comment 8 Fedora Update System 2022-11-15 03:10:07 UTC
FEDORA-EPEL-2022-f566a6d7b9 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-f566a6d7b9

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2022-11-16 03:06:31 UTC
FEDORA-EPEL-2022-f566a6d7b9 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-f566a6d7b9

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2022-11-17 03:21:59 UTC
FEDORA-EPEL-2022-a969761527 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-a969761527

Comment 11 Fedora Update System 2022-11-17 03:22:16 UTC
FEDORA-2022-ffbe9dc2a1 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-ffbe9dc2a1

Comment 12 Fedora Update System 2022-11-17 03:22:16 UTC
FEDORA-2022-bf48bba014 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-bf48bba014

Comment 13 Fedora Update System 2022-11-17 03:26:43 UTC
FEDORA-2022-6c3bcb04d7 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-6c3bcb04d7

Comment 14 Fedora Update System 2022-11-17 03:27:46 UTC
FEDORA-EPEL-2022-cae1f70fce has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-cae1f70fce

Comment 15 Fedora Update System 2022-11-18 01:22:08 UTC
FEDORA-2022-bf48bba014 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-bf48bba014`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-bf48bba014

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 16 Fedora Update System 2022-11-18 01:57:23 UTC
FEDORA-2022-ffbe9dc2a1 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-ffbe9dc2a1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-ffbe9dc2a1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 17 Fedora Update System 2022-11-18 02:22:58 UTC
FEDORA-EPEL-2022-a969761527 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-a969761527

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 18 Fedora Update System 2022-11-18 02:30:31 UTC
FEDORA-EPEL-2022-cae1f70fce has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-cae1f70fce

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 19 Fedora Update System 2022-11-18 02:44:37 UTC
FEDORA-2022-6c3bcb04d7 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-6c3bcb04d7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-6c3bcb04d7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 20 Fedora Update System 2022-11-26 00:46:07 UTC
FEDORA-2022-bf48bba014 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 21 Fedora Update System 2022-11-26 02:11:48 UTC
FEDORA-2022-6c3bcb04d7 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 22 Fedora Update System 2022-11-26 02:24:06 UTC
FEDORA-EPEL-2022-cae1f70fce has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 23 Fedora Update System 2022-11-26 02:41:41 UTC
FEDORA-2022-ffbe9dc2a1 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 24 Fedora Update System 2022-12-23 00:36:31 UTC
FEDORA-EPEL-2022-a969761527 has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.