Bug 1167109 - /usr/bin/newaliases: No such file or directory
Summary: /usr/bin/newaliases: No such file or directory
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-11-23 18:14 UTC by Matthieu Saulnier
Modified: 2015-01-30 23:54 UTC (History)

Fixed In Version: selinux-policy-3.13.1-105.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-30 23:54:29 UTC
Type: Bug



Description Matthieu Saulnier 2014-11-23 18:14:06 UTC
Description of problem:


nov. 23 19:01:25 blackbird postfix/master[1987]: terminating on signal 15
nov. 23 19:01:25 blackbird aliasesdb[722]: /usr/libexec/postfix/aliasesdb: ligne 13: /usr/bin/newaliases: Aucun fichier ou dossier de ce type
nov. 23 19:01:26 blackbird postfix/postfix-script[800]: starting the Postfix mail system
nov. 23 19:01:26 blackbird postfix/master[802]: daemon started -- version 2.11.3, configuration /etc/postfix


blackbird ~ # rpm -V postfix       
blackbird ~ # rpm -ql postfix|grep newaliases
/usr/bin/newaliases
/usr/bin/newaliases.postfix
/usr/share/man/man1/newaliases.1.gz
/usr/share/man/man1/newaliases.postfix.1.gz
blackbird ~ # which newaliases                              
/usr/bin/which: no newaliases in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:/root/bin)
blackbird ~ # ll /usr/bin/newaliases                   
ls: impossible d'accéder à /usr/bin/newaliases: Aucun fichier ou dossier de ce type
blackbird ~ # rpm -q postfix
postfix-2.11.3-1.fc21.x86_64
blackbird ~ #


Version-Release number of selected component (if applicable):
postfix-2.11.3-1.fc21.x86_64


How reproducible:
always


Steps to Reproduce:
1. install f21 beta workstation from live iso
2. install postfix
3. start postfix


Actual results:
postfix is unable to create /etc/aliases.db automatically; the admin must run the postalias command manually to generate this file.


Expected results:

Additional info:

Comment 1 Jaroslav Škarvada 2014-11-24 12:14:36 UTC
It seems to be selinux, reproducer:

boot f21 beta workstation live iso
# dnf install postfix
# newaliases
edit /etc/aliases
# systemctl restart postfix

The newaliases command creates /etc/aliases.db with the wrong label and the postfix preinit script cannot rewrite it later:

localhost setroubleshoot[2717]: SELinux is preventing postalias from write access on the file aliases.db. For complete SELinux messages. run sealert -l 23f6f855-478e-45e5-b85e-95024d86f04c
Nov 24 06:54:09 localhost python[2717]: SELinux is preventing postalias from write access on the file aliases.db.
                                        
                                        *****  Plugin catchall_labels (83.8 confidence) suggests   *******************
                                        
                                        If you want to allow postalias to have write access on the aliases.db file
                                        Then you need to change the label on aliases.db
                                        Do
                                        # semanage fcontext -a -t FILE_TYPE 'aliases.db'
                                        where FILE_TYPE is one of the following: afs_cache_t, anon_inodefs_t, etc_aliases_t, initrc_tmp_t, mailman_data_t, postfix_data_t, postfix_etc_t, postfix_private_t, postfix_prng_t, postfix_spool_flush_t, postfix_spool_t, postfix_var_run_t, puppet_tmp_t, user_cron_spool_t.
                                        Then execute:
                                        restorecon -v 'aliases.db'

Comment 2 Lukas Vrabec 2014-11-24 12:24:23 UTC
Could you attach avc?

Comment 3 Jaroslav Škarvada 2014-11-24 14:16:18 UTC
(In reply to Lukas Vrabec from comment #2)
> Could you attach avc?

type=AVC msg=audit(1416838370.639:450): avc:  denied  { write } for  pid=2500 comm="postalias" name="aliases.db" dev="dm-0" ino=329927 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0

Comment 4 Jaroslav Škarvada 2014-11-24 14:20:46 UTC
The problem: /etc/aliases.db is created with unconfined_u:object_r:etc_t:s0 label by newaliases command. It should be: unconfined_u:object_r:etc_aliases_t:s0 label

Comment 5 Lukas Vrabec 2014-11-26 09:59:55 UTC
Could you attach output of:

$ rpm -q selinux-policy

$ matchpathcon /etc/aliases.db

Comment 6 Jaroslav Škarvada 2014-11-26 10:07:16 UTC
$ rpm -q selinux-policy
selinux-policy-3.13.1-91.fc21.noarch

$ matchpathcon /etc/aliases.db
/etc/aliases.db system_u:object_r:etc_aliases_t:s0

But:
# rm -f /etc/aliases.db
# newaliases
# ls -Z /etc/aliases.db
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/aliases.db
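
The comparison made across comments 3 to 6, as an added example that is not part of the original thread: it parses the AVC record and the `matchpathcon` output quoted above and reports whether the denied object carries a type other than the policy default for its name. The function names and verdict strings are assumptions of this sketch, and matching on the file's basename is a simplification.

```python
import re

# AVC record and matchpathcon output copied from comments 3 and 6 above.
AVC = ('type=AVC msg=audit(1416838370.639:450): avc:  denied  { write } for  '
       'pid=2500 comm="postalias" name="aliases.db" dev="dm-0" ino=329927 '
       'scontext=system_u:system_r:postfix_master_t:s0 '
       'tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0')
MATCHPATHCON = '/etc/aliases.db system_u:object_r:etc_aliases_t:s0'

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denied permissions and key=value fields of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    return rec

def setype(context):
    """The type is the third field of user:role:type:level."""
    return context.split(':')[2]

def expected_types(matchpathcon_output):
    """Map basename -> policy default type, from `matchpathcon` output lines."""
    out = {}
    for line in matchpathcon_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] != '<<none>>':
            out[parts[0].rsplit('/', 1)[-1]] = setype(parts[1])
    return out

def classify(avc_line, matchpathcon_output):
    """'mislabel': the object's type differs from the policy default (look at
    how the file was created); 'policy': the label is the default and the
    denial is a question for the policy itself."""
    rec = parse_avc(avc_line)
    if rec is None:
        return None
    actual = setype(rec['tcontext'])
    want = expected_types(matchpathcon_output).get(rec.get('name'))
    verdict = 'unknown' if want is None else ('mislabel' if want != actual else 'policy')
    return {'comm': rec.get('comm'), 'name': rec.get('name'),
            'actual': actual, 'expected': want, 'verdict': verdict}
```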

Comment 7 Daniel Walsh 2015-01-02 14:36:14 UTC
restorecon -R -v /etc/aliases*

Comment 8 Jaroslav Škarvada 2015-01-05 10:16:18 UTC
I am no longer able to reproduce the problem using reproducer from comment 6.

Comment 9 Jaroslav Škarvada 2015-01-05 10:21:30 UTC
(In reply to Jaroslav Škarvada from comment #8)
> I am no longer able to reproduce the problem using reproducer from comment 6.

Sorry, it is still reproducible with postfix.

Comment 10 Jaroslav Škarvada 2015-01-05 10:23:30 UTC
(In reply to Daniel Walsh from comment #7)
> restorecon -R -v /etc/aliases*

This fixes the resulting label, but the problem is still reproducible with the reproducer from comment 6.

Comment 11 Jaroslav Škarvada 2015-01-05 10:33:57 UTC
It works correctly with sendmail, in this case the aliases.db is written by:
/usr/sbin/sendmail.sendmail

It doesn't work with postfix, in this case the aliases.db is written by:
/usr/sbin/sendmail.postfix

Both are targets for newaliases symlink which is managed by alternatives system.

Comment 12 Daniel Walsh 2015-01-05 13:25:05 UTC
What is the file executable that /usr/sbin/sendmail.postfix points at?

ls -Z SENDMAIL.POSTFIXAPP

Comment 13 Jaroslav Škarvada 2015-01-05 13:52:33 UTC
(In reply to Daniel Walsh from comment #12)
> What is the file executable that /usr/sbin/sendmail.postfix points at?
> 
> ls -Z SENDMAIL.POSTFIXAPP

# ls -Z /usr/sbin/sendmail.postfix 
-rwxr-xr-x. root root system_u:object_r:sendmail_exec_t:s0 /usr/sbin/sendmail.postfix

Full link chain:
/usr/bin/newaliases -> /etc/alternatives/mta-newaliases -> /usr/bin/newaliases.postfix -> ../../usr/sbin/sendmail.postfix

Comment 14 Daniel Walsh 2015-01-05 14:00:24 UTC
I wonder if sendmail.postfix creates a temporary file which we do not have filetrans rules for.

Comment 15 Jaroslav Škarvada 2015-01-05 14:18:35 UTC
(In reply to Daniel Walsh from comment #14)
> I wonder if sendmail.postfix creates a temporary file which we do not have
> filetrans rules for.

Yes, this seems to be the problem:
open("/etc/__db.aliases.db", O_RDWR|O_CREAT|O_EXCL, 0644)
...
rename("/etc/__db.aliases.db", "/etc/aliases.db")

Comment 16 Jaroslav Škarvada 2015-01-05 14:21:33 UTC
It relies on libdb, which uses the above construct, so it wasn't apparent in the postfix code.
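
The create-then-rename pattern from comments 15 and 16, as an added example that is not part of the original thread: it walks an strace log, maps each final path back to the name the file was created under, and lists files whose final name has a name-based transition rule while their creation name does not. The trace lines other than the two quoted calls, the return values, and the `NAMED_TRANSITIONS` set are constructed assumptions.

```python
import os
import re

# The open() and rename() calls are the ones quoted in comment 15; the other
# lines and all return values are constructed for this example.
STRACE = '''\
open("/etc/aliases", O_RDONLY) = 3
open("/etc/__db.aliases.db", O_RDWR|O_CREAT|O_EXCL, 0644) = 4
write(4, "...", 4096) = 4096
rename("/etc/__db.aliases.db", "/etc/aliases.db") = 0
'''

# Assumption: file names the loaded policy has name-based transition rules for.
NAMED_TRANSITIONS = {'aliases.db'}

OPEN_RE = re.compile(
    r'^open(?:at)?\((?:AT_FDCWD, )?"([^"]+)", ([A-Z_|]+)[^)]*\)\s*=\s*(-?\d+)')
RENAME_RE = re.compile(r'^rename\("([^"]+)", "([^"]+)"\)\s*=\s*0')

def created_names(trace):
    """Map each final path to the path it was created under.

    SELinux picks the label when the inode is created and rename() keeps it,
    so the name a name-based rule has to match is the creation name.
    O_CREAT without O_EXCL may open an existing file; the trace alone cannot
    tell, so every successful O_CREAT open is treated as a possible creation.
    """
    origin = {}                                  # current path -> creation path
    for line in trace.splitlines():
        m = OPEN_RE.match(line)
        if m:
            if 'O_CREAT' in m.group(2).split('|') and int(m.group(3)) >= 0:
                origin.setdefault(m.group(1), m.group(1))
            continue
        m = RENAME_RE.match(line)
        if m and m.group(1) in origin:
            origin[m.group(2)] = origin.pop(m.group(1))
    return origin

def uncovered(trace, named=NAMED_TRANSITIONS):
    """(final, created_as) pairs where only the final name has a rule."""
    return sorted(
        (final, born) for final, born in created_names(trace).items()
        if os.path.basename(final) in named
        and os.path.basename(born) not in named)
```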

Comment 17 Daniel Walsh 2015-01-05 20:07:57 UTC
5285540d198dc1505969f6ff9ba9cab9a7825d2d fixes this in git.

Comment 18 Lukas Vrabec 2015-01-16 10:06:40 UTC
commit 04a09f2802c570a82d164cf941b9c9c08dfbdf7c
Author: Dan Walsh <dwalsh@redhat.com>
Date:   Mon Jan 5 15:07:33 2015 -0500

    Make sure __db.aliases.db gets created with the correct label, for use with sendmail.postfix

Comment 19 Fedora Update System 2015-01-27 16:49:03 UTC
selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.fc21

Comment 20 Fedora Update System 2015-01-30 04:32:00 UTC
Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1337/selinux-policy-3.13.1-105.fc21
then log in and leave karma (feedback).

Comment 21 Fedora Update System 2015-01-30 23:54:29 UTC
selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

