Bug 2247848
| Summary: | SELinux preventing Postfix from mapping LMDB databases | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Rob Foehl <rwf> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | ASSIGNED --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 43 | CC: | dwalsh, jskarvad, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | Flags: | zpytela:
mirror+
|
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-38.31-1.fc38 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2024-05-31 08:53:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Rob Foehl
2023-11-03 20:49:08 UTC
Thanks for the report. The fix was complete, but just within the range how it was reported, and no additional tests show further denials. Fair enough, then the report was incomplete -- either way, it seems the postfix-lmdb package hasn't seen much real-world use if problems like this still exist. Cc: Jaroslav -- is a similar default database type change intended for Fedora at some point? I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/1953 You can try a scratchbuild attached to the PR or wait a few days until it gets to Fedora, our test did not find any issue. FEDORA-2023-aeccf7b447 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-aeccf7b447 selinux-policy-39.3-1 avoids the initial postscreen_cache issue on Fedora 39; however, I'm not convinced that the change is complete or correct. At minimum, the change from bug 2242898 is now redundant, and should have been reverted. postfix_master_t seems like it should have been reserved for the master process alone, yet it appears that a number of ancillary processes are running in that context -- pretty much everything newer than early Postfix 2.x releases. Blame output indicates that every one of the extant transitions dates back to at least an 11 year old "Fix typos" commit, at best... Is this policy actually being maintained, or are changes just "make the AVC go away"? FEDORA-2023-aeccf7b447 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-aeccf7b447` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-aeccf7b447 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2023-aeccf7b447 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report. This would be a fantastic time to read comment 5. This "fix" is incorrect and incomplete. (In reply to Rob Foehl from comment #2) > Fair enough, then the report was incomplete -- either way, it seems the > postfix-lmdb package hasn't seen much real-world use if problems like this > still exist. > > Cc: Jaroslav -- is a similar default database type change intended for > Fedora at some point? I would like to have the bdb as the default as long as it's the upstream default, bdb is available in Fedora and being the default is allowed by Fedora policies. I.e. I expect that at some point it will be switched. Unfortunately, I am not selinux expert. In the original selinux bug I suggested duplication of the bdb rules for the lmdb, which I though should be enough. Fedora Linux 38 entered end-of-life (EOL) status on 2024-05-21. Fedora Linux 38 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed. Sigh. I'll refer to comment #5 again, since this remains incorrect and incomplete. This message is a reminder that Fedora Linux 40 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 40 on 2025-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '40'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 40 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed. As Far as I can tell the reported denials have been addressed. They have not. I will yet again refer to comment #5, and then restate it here since the repeated references are apparently not getting the point across. The changes made specifically for aliases.lmdb ARE NOT CORRECT AND MUST BE REVERTED. The change made to allow postfix_master_t processes to map files IS NOT CORRECT DUE TO MISSING PROCESS TRANSITIONS. This only "works" right now because multiple processes are running in postfix_master_t context when they shouldn't be. On an idle Fedora 43 system, just now: system_u:system_r:postfix_master_t:s0 root 56932 0.0 0.1 57664 7228 ? Ss Feb01 0:14 /usr/libexec/postfix/master -w system_u:system_r:postfix_qmgr_t:s0 postfix 125411 0.0 0.3 69116 13216 ? S Feb09 0:00 qmgr -l -t unix -u system_u:system_r:postfix_master_t:s0 postfix 125413 0.0 0.4 90008 16112 ? Ss Feb09 0:05 postscreen -l -n smtp -t inet -u -s 2 system_u:system_r:postfix_master_t:s0 postfix 125415 0.0 0.3 70520 14308 ? S Feb09 0:00 tlsmgr -l -t unix -u system_u:system_r:postfix_pickup_t:s0 postfix 156345 0.0 0.3 69072 14400 ? S 14:04 0:00 pickup -l -t unix -u system_u:system_r:postfix_smtpd_t:s0 postfix 156718 0.0 0.4 72172 19068 ? S 15:13 0:00 smtpd -t pass -u -o stress= system_u:system_r:postfix_master_t:s0 postfix 156778 0.0 0.3 68944 14324 ? S 15:24 0:00 anvil -l -t unix -u The /usr/libexec/postfix/master process is the ONLY process which should be running in postfix_master_t context. This should be profoundly self-evident, yet here we are. Again. The anvil(8) and tlsmgr(8) processes were introduced in Postfix 2.2, released some 21 years ago. postscreen(8) landed in Postfix 2.8, now 15 years ago. These between them do not even comprise a majority of the missing transitions. Stop defending this mess. |