Description of problem:

nov. 23 19:01:25 blackbird postfix/master[1987]: terminating on signal 15
nov. 23 19:01:25 blackbird aliasesdb[722]: /usr/libexec/postfix/aliasesdb: ligne 13: /usr/bin/newaliases: Aucun fichier ou dossier de ce type
nov. 23 19:01:26 blackbird postfix/postfix-script[800]: starting the Postfix mail system
nov. 23 19:01:26 blackbird postfix/master[802]: daemon started -- version 2.11.3, configuration /etc/postfix

blackbird ~ # rpm -V postfix
blackbird ~ # rpm -ql postfix|grep newaliases
/usr/bin/newaliases
/usr/bin/newaliases.postfix
/usr/share/man/man1/newaliases.1.gz
/usr/share/man/man1/newaliases.postfix.1.gz
blackbird ~ # which newaliases
/usr/bin/which: no newaliases in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:/root/bin)
blackbird ~ # ll /usr/bin/newaliases
ls: impossible d'accéder à /usr/bin/newaliases: Aucun fichier ou dossier de ce type
blackbird ~ # rpm -q postfix
postfix-2.11.3-1.fc21.x86_64
blackbird ~ #

Version-Release number of selected component (if applicable):
postfix-2.11.3-1.fc21.x86_64

How reproducible:
always

Steps to Reproduce:
1. install f21 beta workstation from live iso
2. install postfix
3. start postfix

Actual results:
postfix is unable to create automatically /etc/aliases.db, admin must run postalias command manually to generate this file.

Expected results:

Additional info:

It seems to be selinux, reproducer:
boot f21 beta workstation live iso
# dnf install postfix
# newaliases
edit /etc/aliases
# systemctl restart postfix

The newaliases command creates /etc/aliases.db with wrong label and postfix preinit script cannot rewrite it later:

localhost setroubleshoot[2717]: SELinux is preventing postalias from write access on the file aliases.db. For complete SELinux messages. run sealert -l 23f6f855-478e-45e5-b85e-95024d86f04c
Nov 24 06:54:09 localhost python[2717]: SELinux is preventing postalias from write access on the file aliases.db.

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow postalias to have write access on the aliases.db file
Then you need to change the label on aliases.db
Do
# semanage fcontext -a -t FILE_TYPE 'aliases.db'
where FILE_TYPE is one of the following: afs_cache_t, anon_inodefs_t, etc_aliases_t, initrc_tmp_t, mailman_data_t, postfix_data_t, postfix_etc_t, postfix_private_t, postfix_prng_t, postfix_spool_flush_t, postfix_spool_t, postfix_var_run_t, puppet_tmp_t, user_cron_spool_t.
Then execute:
restorecon -v 'aliases.db'

Could you attach avc?
(In reply to Lukas Vrabec from comment #2)
> Could you attach avc?

type=AVC msg=audit(1416838370.639:450): avc: denied { write } for pid=2500 comm="postalias" name="aliases.db" dev="dm-0" ino=329927 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0

The problem: /etc/aliases.db is created with unconfined_u:object_r:etc_t:s0 label by newaliases command. It should be: unconfined_u:object_r:etc_aliases_t:s0 label
Could you attach output of:
$ rpm -q selinux-policy
$ matchpathcon /etc/aliases.db

$ rpm -q selinux-policy
selinux-policy-3.13.1-91.fc21.noarch
$ matchpathcon /etc/aliases.db
/etc/aliases.db system_u:object_r:etc_aliases_t:s0

But:
# rm -f /etc/aliases.db
# newaliases
# ls -Z /etc/aliases.db
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/aliases.db

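
Added example, not part of this bug report or of any comment in it: the comparison made by hand above (type in the AVC record versus type reported by matchpathcon) written as a small Python triage script. The function names are hypothetical; the two input strings are copied from the comments in this thread.

```python
import re

# Inputs copied from this thread: the AVC record posted in reply to comment 2
# and the matchpathcon output quoted above.
AVC = ('type=AVC msg=audit(1416838370.639:450): avc: denied { write } for '
       'pid=2500 comm="postalias" name="aliases.db" dev="dm-0" ino=329927 '
       'scontext=system_u:system_r:postfix_master_t:s0 '
       'tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0')
MATCHPATHCON = '/etc/aliases.db system_u:object_r:etc_aliases_t:s0'


def parse_avc(line):
    """Split an AVC denial into its permission list and key=value fields."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        raise ValueError('not an AVC denial record')
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))}
    fields['perms'] = m.group(1).split()
    return fields


def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(':')
    if len(parts) < 3:  # e.g. matchpathcon prints <<none>> for unlabeled paths
        raise ValueError('no SELinux type in %r' % context)
    return parts[2]


def diagnose(avc_line, matchpathcon_line):
    """Tell label drift (fix with restorecon) from a missing allow rule."""
    avc = parse_avc(avc_line)
    path, expected_ctx = matchpathcon_line.split()
    if path.rsplit('/', 1)[-1] != avc['name']:
        raise ValueError('matchpathcon path does not match the denied file')
    actual, expected = context_type(avc['tcontext']), context_type(expected_ctx)
    return {'domain': context_type(avc['scontext']), 'perms': avc['perms'],
            'path': path, 'actual_type': actual, 'expected_type': expected,
            'mislabeled': actual != expected}


if __name__ == '__main__':
    result = diagnose(AVC, MATCHPATHCON)
    print(result)
    if result['mislabeled']:
        print('%(path)s is %(actual_type)s but policy expects '
              '%(expected_type)s: the file was created with the wrong label'
              % result)
```
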
restorecon -R -v /etc/aliases*
I am no longer able to reproduce the problem using reproducer from comment 6.
(In reply to Jaroslav Škarvada from comment #8)
> I am no longer able to reproduce the problem using reproducer from comment 6.

Sorry, it is still reproducible with postfix.

(In reply to Daniel Walsh from comment #7)
> restorecon -R -v /etc/aliases*

This fixes the resulting label, but the problem is still reproducible with reproducer from comment 6.

It works correctly with sendmail, in this case the aliases.db is written by:
/usr/sbin/sendmail.sendmail

It doesn't work with postfix, in this case the aliases.db is written by:
/usr/sbin/sendmail.postfix

Both are targets for newaliases symlink which is managed by alternatives system.

What is the file executable that /usr/sbin/sendmail.postfix points at?

ls -Z SENDMAIL.POSTFIXAPP

(In reply to Daniel Walsh from comment #12)
> What is the file executable that /usr/sbin/sendmail.postfix points at?
>
> ls -Z SENDMAIL.POSTFIXAPP

# ls -Z /usr/sbin/sendmail.postfix
-rwxr-xr-x. root root system_u:object_r:sendmail_exec_t:s0 /usr/sbin/sendmail.postfix

Full link chain:
/usr/bin/newaliases -> /etc/alternatives/mta-newaliases -> /usr/bin/newaliases.postfix -> ../../usr/sbin/sendmail.postfix

I wonder if sendmail.postfix creates a temporary file which we do not have filetrans rules for.
(In reply to Daniel Walsh from comment #14)
> I wonder if sendmail.postfix creates a temporary file which we do not have
> filetrans rules for.

Yes, this seems to be the problem:
open("/etc/__db.aliases.db", O_RDWR|O_CREAT|O_EXCL, 0644)
...
rename("/etc/__db.aliases.db", "/etc/aliases.db")

It relies on libdb, which uses the above construct, so it wasn't apparent in the postfix code.
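
Added example, not part of this bug report and not code from postfix, libdb or selinux-policy: a Python pass over strace output that reports files created under one name and then renamed, which is the pattern found above. The function name is hypothetical, and the trace lines are the two syscalls quoted in the comment above.

```python
import posixpath
import re

# The two syscalls quoted in the strace excerpt above (the elided "..." is
# left out).
TRACE = '''open("/etc/__db.aliases.db", O_RDWR|O_CREAT|O_EXCL, 0644)
rename("/etc/__db.aliases.db", "/etc/aliases.db")'''

OPEN_RE = re.compile(r'\bopen(?:at)?\((?:AT_FDCWD, )?"([^"]+)", ([A-Z_|]+)')
RENAME_RE = re.compile(r'\brename\("([^"]+)", "([^"]+)"\)')
FAILED_RE = re.compile(r'=\s*-1\b')  # strace prints "= -1 ERRNO" on failure


def staged_renames(trace):
    """Find files created under one name and later renamed to another.

    The SELinux label is chosen when the file is created and rename() keeps
    it, so the creation-time name is the one a file transition rule must match.
    """
    created, findings = set(), []
    for line in trace.splitlines():
        if FAILED_RE.search(line):
            continue  # a failed call created or renamed nothing
        m = OPEN_RE.search(line)
        if m:
            if 'O_CREAT' in m.group(2).split('|'):
                created.add(m.group(1))
            continue
        m = RENAME_RE.search(line)
        if m and m.group(1) in created:
            src, dst = m.groups()
            created.discard(src)
            findings.append({
                'directory': posixpath.dirname(src),
                'created_as': posixpath.basename(src),
                'final_path': dst,
                'same_directory':
                    posixpath.dirname(src) == posixpath.dirname(dst),
            })
    return findings


if __name__ == '__main__':
    for f in staged_renames(TRACE):
        print('%(created_as)s created in %(directory)s, renamed to '
              '%(final_path)s' % f)
```
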
5285540d198dc1505969f6ff9ba9cab9a7825d2d fixes this in git.
commit 04a09f2802c570a82d164cf941b9c9c08dfbdf7c
Author: Dan Walsh <dwalsh>
Date: Mon Jan 5 15:07:33 2015 -0500

Make sure __db.aliases.db gets created with the correct label, for use with sendmail.postfix

selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21

Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21
then log in and leave karma (feedback).

selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.