Bug 2242898
Summary: | Please add support for the /etc/aliases.lmdb | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Jaroslav Škarvada <jskarvad> |
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | amessina, dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela |
Hardware: | Unspecified | ||
OS: | Linux | ||
Last Closed: | 2023-10-20 15:46:26 UTC | Type: | --- |
Bug Blocks: | 1788480 |
Description
Jaroslav Škarvada
2023-10-09 16:30:34 UTC
How can I verify the fix is working?

    # rpm -qa "postfix*"
    postfix-3.8.2-2.fc40.x86_64
    postfix-lmdb-3.8.2-2.fc40.x86_64

Is the target F38?

F38 test build created with command:

    $ mock -r fedora-38-x86_64 --without=db ./postfix-3.8.2-2.fc40.src.rpm

Build/repo available at:
https://jskarvad.fedorapeople.org/postfix/

Or install packages manually:

    # dnf install https://jskarvad.fedorapeople.org/postfix/postfix-3.8.2-2.fc38.x86_64.rpm https://jskarvad.fedorapeople.org/postfix/postfix-lmdb-3.8.2-2.fc38.x86_64.rpm

Reproducer:

    # setenforce 0
    # rm -f /etc/aliases.lmdb
    # systemctl restart postfix

Check /var/log/audit.log for above mentioned AVCs.

Or:

    # setenforce 1
    # rm -f /etc/aliases.lmdb
    # systemctl restart postfix
    # systemctl status postfix
    ...
    Oct 10 06:12:03 vm-10-0-186-203.hosted.upshift.rdu2.redhat.com systemd[1]: Starting postfix.service - Postfix Mail Transport Agent...
    Oct 10 06:12:03 vm-10-0-186-203.hosted.upshift.rdu2.redhat.com aliasesdb[2131]: postalias: fatal: open database /etc/aliases.lmdb: Permission denied
    Oct 10 06:12:03 vm-10-0-186-203.hosted.upshift.rdu2.redhat.com postfix/postalias[2131]: fatal: open database /etc/aliases.lmdb: Permission denied
    ...

I already had the right packages, was just looking for the change which is needed to trigger the denial and this seems to be

    # /usr/sbin/postconf -h alias_database
    lmdb:/etc/aliases

Feel free to check with selinux-policy builds available at
https://dashboard.packit.dev/results/copr-builds/1064528 (f38)
https://dashboard.packit.dev/results/copr-builds/1064530 (f39)

Thanks for the prompt response, but unfortunately it still seems not enough, new reproducer:

    # systemctl start postfix
    # useradd testuser
    # echo hi | sendmail testuser
    # journalctl
    ...
    Oct 10 09:48:17 vm-10-0-185-214.hosted.upshift.rdu2.redhat.com postfix/local[2993]: error: open database /etc/aliases.lmdb: Permission denied
    Oct 10 09:48:17 vm-10-0-185-214.hosted.upshift.rdu2.redhat.com postfix/local[2993]: warning: lmdb:/etc/aliases is unavailable. open database /etc/aliases.lmdb: Permission denied
    Oct 10 09:48:17 vm-10-0-185-214.hosted.upshift.rdu2.redhat.com postfix/local[2993]: warning: lmdb:/etc/aliases: lookup of 'testuser' failed
    Oct 10 09:48:17 vm-10-0-185-214.hosted.upshift.rdu2.redhat.com postfix/local[2993]: DF39F4020B: to=<yarda.upshift.rdu2.redhat.com>, orig_to=<testuser>, relay=local, delay=0.04, delays=0.03/0.01/0/0.01, dsn=4.3.0, status=deferred (alias database unavailable)

    type=SERVICE_START msg=audit(1696945660.159:634): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
    type=AVC msg=audit(1696945697.931:635): avc: denied { map } for pid=2993 comm="local" path="/etc/aliases.lmdb" dev="vda2" ino=162022 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file permissive=0

To simplify things, the /etc/aliases.lmdb needs to have the same selinux policy records as the /etc/aliases.db already had.

The new filename shares the label with other similar files, but it is the denial which is different:
When I reproduced it, I saw postfix/master requesting map access as a result of postfix restart, your one has postfix/local. It seems reasonable

I'll now run all postfix tests we have in selinux-policy, it would help if you ran yours.
Use the latest build:
https://github.com/fedora-selinux/selinux-policy/pull/1899 -> show all checks

I don't see any error with

    # rpm -qa postfix* selinux*
    postfix-lmdb-3.8.2-2.fc38.x86_64
    postfix-3.8.2-2.fc38.x86_64
    selinux-policy-40.2-1.20231010171853559297.pr1899.2.g2692b272b.fc40.noarch
    selinux-policy-targeted-40.2-1.20231010171853559297.pr1899.2.g2692b272b.fc40.noarch
    selinux-policy-devel-40.2-1.20231010171853559297.pr1899.2.g2692b272b.fc40.noarch

Thanks, all tests passed.
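
The thread shows that different Postfix domains (postfix/master on restart, postfix/local on delivery) hit the same `map` denial on /etc/aliases.lmdb, so a fix is only verified once no domain is still denied. The Python below is an added example, not part of the bug report or of selinux-policy: it groups AVC denials for one path by source domain. The function names are hypothetical, and the sample log is constructed from the AVC record quoted above plus a made-up record for the postfix/master case.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is an abbreviated non-AVC record, line 2 is the AVC
# record quoted in this bug, line 3 is a made-up record for the postfix/master case.
SAMPLE_AUDIT_LOG = """\
type=SERVICE_START msg=audit(1696945660.159:634): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='unit=postfix res=success'
type=AVC msg=audit(1696945697.931:635): avc: denied { map } for pid=2993 comm="local" path="/etc/aliases.lmdb" dev="vda2" ino=162022 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file permissive=0
type=AVC msg=audit(1696945700.000:636): avc: denied { map } for pid=3001 comm="master" path="/etc/aliases.lmdb" dev="vda2" ino=162022 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", ""),
        "path": fields.get("path", ""),
        # The SELinux type is the third field of user:role:type:level.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def denied_rules(log_text, path):
    """Group denials on `path` into allow-rule style lines, one per domain."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc and avc["path"] == path:
            grouped[(avc["source"], avc["target"], avc["tclass"])].update(avc["perms"])
    rules = []
    for (source, target, tclass), perms in sorted(grouped.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {source} {target}:{tclass} {perm_text};")
    return rules
```

An empty list from `denied_rules(log, "/etc/aliases.lmdb")` after running both reproducers with the new policy build means no domain is still being denied on that file.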