Bug 553492
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | New selinux packages broke Postfix | | |
| Product | Red Hat Enterprise Linux 5 | Reporter | Kevin Lisciotti <klisciotti> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA | QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | high | Docs Contact | |
| Priority | low | | |
| Version | 5.4 | CC | aleksey, andri, bugzilla.redhat, bugzilla, charles, dimi, dkovalsk, dwalsh, ernest.beinrohr, fonya, jorge.fabregas, klisciotti, mailings, mmalik, pasteur, pb, plyons, psplicha, redhat-bugzilla, rhel, rjcroasdale, robert.scheck, thiagocsf, tis |
| Target Milestone | rc | Keywords | Regression, ZStream |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 555778 | Environment | |
| Last Closed | 2010-03-30 07:50:55 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 555778, 555793 | | |
Description
Kevin Lisciotti
2010-01-08 01:51:12 UTC
This is a regression in 5.4; it will be fixed in 5.5. Here is a workaround. Create a file called mypostfix.te with the following content.

    =================================cut =========================================
    policy_module(mypostfix, 1.0)

    gen_require(`
        type sendmail_t;
    ')

    allow postfix_postdrop_t sendmail_t:unix_stream_socket { getattr read write ioctl };
    =============================================================================

    # make -f /usr/share/selinux/devel/Makefile
    # semodule -i mypostfix.pp

Thanks for the workaround, but my make is failing. Is my cut and paste wrong?

    [root@serrano devel]# make -f /usr/share/selinux/devel/mypostfix.te
    /usr/share/selinux/devel/mypostfix.te:1: *** missing separator. Stop.
    [root@serrano devel]# cat mypostfix.te
    policy_module(mypostfix, 1.0)

    gen_require(`
        type sendmail_t;
    ')

    allow postfix_postdrop_t sendmail_t:unix_stream_socket { getattr read write ioctl };

(In reply to comment #2)
> Thanks for the workaround, but my make is failing. Is my cut and paste wrong?
>
> [root@serrano devel]# make -f /usr/share/selinux/devel/mypostfix.te

This is a mistake. Should be:

    # make -f /usr/share/selinux/devel/Makefile
    # semodule -i mypostfix.pp

> /usr/share/selinux/devel/mypostfix.te:1: *** missing separator. Stop.
> [root@serrano devel]# cat mypostfix.te
> policy_module(mypostfix, 1.0)
>
> gen_require(`
>     type sendmail_t;
> ')
>
> allow postfix_postdrop_t sendmail_t:unix_stream_socket { getattr read write
> ioctl };

Kevin, also please use the following mypostfix.te file.

    # cat mypostfix.te
    policy_module(mypostfix, 1.0)

    gen_require(`
        type sendmail_t;
        type postfix_postdrop_t;
    ')

    allow postfix_postdrop_t sendmail_t:unix_stream_socket { getattr read write ioctl };

Thank you very much Miroslav, that worked perfectly. I never had to do something like this before, so I just learned something :) Anyway, Postfix will now send mail with SELinux in enforcing mode. Thanks again for the quick reply and help, it's much appreciated!

*** Bug 553277 has been marked as a duplicate of this bug. ***

This bug is really annoying; it breaks logwatch sending e-mails on all Postfix-driven systems with SELinux in enforcing mode. Can one increase the priority? I would expect that Red Hat releases an updated SELinux definition shortly to fix this issue.

I'd rather install a testing selinux package than always modify local policies. Does Daniel's testing selinux repo contain these fixes?

Not yet, I will post as soon as it is built.

Fixed in selinux-policy-2.4.6-269.el5

Preview release available on http://people.redhat.com/dwalsh/SELinux/RHEL5/

I just did a semodule -r mypostfix (from the above workaround) and installed the updated selinux packages from Dan's link above. I can confirm that this has fixed the issue with Postfix sending mail with SELinux in enforcing mode. Thanks to Dan and Miroslav, hope to see these packages in the yum update soon ;)

Thanks Daniel for putting these rpms on your site. I confirm that postfix is working again on all my servers.

I confirm the fix. Please put the updated policy rpm in the updates repo asap :-)

(In reply to comment #1)
> This is a regression in 5.4, Will be fixed in 5.5.

Waiting until EL5.5 for a fix is unacceptable. EL5.4 shipped with a working SELinux and postfix (selinux-policy-2.4.6-255). The first EL5.4 errata (selinux-policy-2.4.6-255.el5_4.1) did not break postfix. This errata breaks postfix and my significantly large installation. Please back out the change or provide an updated errata.

*** Bug 556666 has been marked as a duplicate of this bug. ***

This _cannot_ wait until EL 5.5. I've just discovered a number of RHEL installations here which suddenly cannot send mails. This is a very nasty problem, and it needs an _urgent_ fix.

Yes, the problem was fixed in selinux-policy-2.4.6-255.el5_4.4. Look at bug #555793.

Thank you for the quick errata turnaround. Are there instructions for removing the workaround?

Execute:

    # semodule -r mypostfix

It will remove the mypostfix local module.

*** Bug 557783 has been marked as a duplicate of this bug. ***

I've applied erratum CLA-2010:0063 which supposedly fixes this bug but I still received the error:

    mail tfigueiro.com -s 'TeamSite upgrade'
    asd
    .
    Cc:
    send-mail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
    send-mail: fatal: thiago(500): unable to execute /usr/sbin/postdrop -r: Success

I've installed the mypostfix workaround and it fixed the issue.

Thiago, would it be possible to try to remove the mypostfix workaround and then execute

    # sesearch --allow -s postfix_postdrop_t -t sendmail_t --class unix_stream_socket

and

    # rpm -qa selinux-policy\*

What are your outputs?

Miroslav, forget my comment #26. Satellite and RPM played a dirty trick on me and I still had selinux-policy-2.4.6-255.el5_4.3:

    # sesearch --allow -s postfix_postdrop_t -t sendmail_t --class unix_stream_socket
    # rpm -qa selinux-policy\*
    selinux-policy-2.4.6-255.el5_4.3
    selinux-policy-targeted-2.4.6-255.el5_4.3
    selinux-policy-devel-2.4.6-255.el5_4.3

I've updated (again!) to selinux-policy-2.4.6-255.el5_4.4 and it now works:

    # sesearch --allow -s postfix_postdrop_t -t sendmail_t --class unix_stream_socket
    Found 1 av rules:
       allow postfix_postdrop_t sendmail_t : unix_stream_socket { ioctl read write getattr };
    # sendmail -f tfigueiro.com tfigueiro.com
    test
    .
    #

Thank you for your quick reply and apologies for wasting your time.
Thiago.

Ok, no problem.

This just happened to me in Fedora when I updated:

    Mar 10 05:34:54 Updated: selinux-policy-3.3.1-135.fc9.noarch
    Mar 10 05:35:17 Updated: selinux-policy-targeted-3.3.1-135.fc9.noarch

Postfix can't send mail with SELinux on; I'm trying to implement the fix but getting an error:

    make -f mypostfix.te
    mypostfix.te:1: *** missing separator. Stop.

bump: Fedora please update so I can just do "yum update"; this code stuff is baffling me! :0

oops;

    policy_module(mypostfix, 1.0)

    gen_require(`
        type sendmail_t;
        type postfix_postdrop_t;
    ')

    allow postfix_postdrop_t sendmail_t:unix_stream_socket { getattr read write ioctl };

Installed: selinux-policy-devel.noarch 0:3.3.1-135.fc9, and now make works:

    make -f /usr/share/selinux/devel/Makefile
    Compiling targeted mypostfix module
    /usr/bin/checkmodule: loading policy configuration from tmp/mypostfix.tmp
    /usr/bin/checkmodule: policy configuration loaded
    /usr/bin/checkmodule: writing binary representation (version 8) to tmp/mypostfix.mod
    Creating targeted mypostfix.pp policy package
    rm tmp/mypostfix.mod.fc tmp/mypostfix.mod
    [root@HOSTNAME ~]# semodule -i mypostfix.pp
    [root@HOSTNAME ~]#

But I still have the problem on Fedora; even after the above is done, Postfix will not send mail with SELinux on. I have these messages in maillog and messages:

    Mar 12 06:03:52 HOSTNAME postfix/cleanup[7581]: fatal: open lock file pid/unix.cleanup: cannot open file: Permission denied
    Mar 12 06:03:53 HOSTNAME postfix/master[7523]: warning: process /usr/libexec/postfix/cleanup pid 7581 exit status 1
    Mar 12 06:03:53 HOSTNAME postfix/master[7523]: warning: /usr/libexec/postfix/cleanup: bad command startup -- throttling
    Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.566:232533): avc: denied { connectto } for pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
    Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.566:232534): avc: denied { connectto } for pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
    Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.567:232535): avc: denied { connectto } for pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
    Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.567:232536): avc: denied { connectto } for pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
    Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.568:232537): avc: denied { read write } for pid=7581 comm="cleanup" name="unix.cleanup" dev=sda1 ino=8306741 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file

I hope this helps fix the bug in Fedora.

Please update to a supported version, Fedora 11, 12 or 13. We do not support 9 any longer.

Hi Daniel, I've installed the audit daemon (I was previously just using the messages log). Now I have the errors found in this bug; are these two bugs the same thing? If so, do you need to mark them as a duplicate?
https://bugzilla.redhat.com/show_bug.cgi?id=448333
(avc: denied { write } for pid=16292 comm="sendmail" and connectto)
Regards, Robert.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2010-0182.html

*** Bug 555349 has been marked as a duplicate of this bug. ***
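The AVC denials quoted in the Fedora report above are the kind of input that gets turned into a local module such as mypostfix.te. As an added example (not code from the bug report, from audit2allow, or from the selinux-policy project), the script below performs that minimal translation over constructed sample lines and flags rules whose target is an unconfined or generic type, which usually point at a mislabelled file rather than a policy gap; the postdrop denial line is invented to show the rule the thread's workaround carries.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the denials quoted in the thread
# (the postdrop line is made up to show the rule the workaround module carries).
SAMPLE_AVCS = """\
kernel: type=1400 audit(1268373832.566:232533): avc: denied { connectto } for pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
kernel: type=1400 audit(1268373832.568:232537): avc: denied { read write } for pid=7581 comm="cleanup" name="unix.cleanup" dev=sda1 ino=8306741 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
kernel: type=1400 audit(1268373900.000:1): avc: denied { getattr read write ioctl } for pid=9999 comm="postdrop" scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]

def parse_avcs(text):
    """Collapse denial lines into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)

# Target types that usually mean a mislabelled object, not a missing rule:
# run restorecon on the path first instead of allowing the access (heuristic).
BROAD_TARGETS = {"unconfined_t", "var_run_t", "var_t", "tmp_t", "etc_t"}

def review(rules):
    """Rule keys a reviewer should not allow without checking labels first."""
    return sorted(k for k in rules if k[1] in BROAD_TARGETS)

def render_module(name, rules, version="1.0"):
    """Render a .te file in the policy_module/gen_require/allow form used above."""
    types = set()
    for stype, ttype, _ in rules:
        types.update((stype, ttype))
    out = [f"policy_module({name}, {version})", "", "gen_require(`"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += ["')", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    rules = parse_avcs(SAMPLE_AVCS)
    print(render_module("mypostfix", rules))
    for key in review(rules):
        print("check labels before allowing:", key)
```

Feed it real lines with `ausearch -m avc` or from /var/log/messages; only rules that survive `review()` belong in a local module, and even those should be dropped again with `semodule -r` once the fixed policy package is installed.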