Bug 172188 - postfix does not start up when selinux is enabled
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
Version: 4
Hardware: x86_64
OS: Linux
Assignee: Daniel Walsh
Keywords: Reopened
Reported: 2005-11-01 12:27 UTC by Thomas Vander Stichele
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: FC5
Doc Type: Bug Fix
Last Closed: 2006-09-07 16:34:01 UTC

Description Thomas Vander Stichele 2005-11-01 12:27:46 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050923 Epiphany/1.6.5

Description of problem:
fresh install, installed postfix, tried to start it, fails

/var/log/audit.log shows:

type=AVC msg=audit(1130848570.363:22): avc:  denied  { write } for  pid=2939 comm="postalias" name="aliases.db" dev=hda2 ino=3418124 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:etc_t tclass=file
type=SYSCALL msg=audit(1130848570.363:22): arch=c000003e syscall=2 success=no exit=-13 a0=533518 a1=2 a2=1a4 a3=4 items=1 pid=2939 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="postalias" exe="/usr/sbin/postalias"
type=CWD msg=audit(1130848570.363:22):  cwd="/"
type=PATH msg=audit(1130848570.363:22): item=0 name="/etc/aliases.db" flags=101  inode=3418124 dev=03:02 mode=0100640 ouid=0 ogid=51 rdev=00:00

Version-Release number of selected component (if applicable):

How reproducible:
Didn't try

Steps to Reproduce:
1. install FC4 from scratch
2. possibly upgrade
3. install postfix and start it

Actual Results:  postfix didn't start

Expected Results:  take a wild guess :)

Additional info:

Comment 1 Thomas Woerner 2005-11-11 11:26:12 UTC
This is no postfix problem, assigning to selinux-policy-targeted.

Comment 2 Daniel Walsh 2005-11-30 20:29:50 UTC
/etc/aliases.db has the wrong context on it.

restorecon /etc/aliases.db

Should fix this.  The question is how did this happen?  How did the aliases.db
file get created with the wrong context?
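
The following Python parser is an added example, not part of the bug thread or of any Fedora tool. It correlates the AVC denial from the report with the PATH record of the same audit event to recover the full file path and the source and target types; the function names `denials` and `relabel_hint` are hypothetical.

```python
import re, shlex
from collections import defaultdict

# AVC, CWD and PATH records copied from the report above; they share one audit event id.
SAMPLE = """type=AVC msg=audit(1130848570.363:22): avc:  denied  { write } for  pid=2939 comm="postalias" name="aliases.db" dev=hda2 ino=3418124 scontext=root:system_r:postfix_master_t tcontext=system_u:object_r:etc_t tclass=file
type=CWD msg=audit(1130848570.363:22):  cwd="/"
type=PATH msg=audit(1130848570.363:22): item=0 name="/etc/aliases.db" flags=101  inode=3418124 dev=03:02 mode=0100640 ouid=0 ogid=51 rdev=00:00
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)$')
AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(text):
    """Parse key=value pairs, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in FIELD.findall(text)}

def denials(log):
    """Return one dict per AVC denial, with the full path taken from the
    PATH record of the same audit event (matched on inode) when present."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            events[m.group(2)][m.group(1)].append(m.group(3))
    found = []
    for event_id, recs in events.items():
        paths = [fields(p) for p in recs["PATH"]]
        for body in recs["AVC"]:
            m = AVC.search(body)
            if not m:
                continue
            f = fields(m.group(2))
            # The AVC record only carries the basename; PATH has the full name.
            path = next((p.get("name") for p in paths
                         if p.get("inode") == f.get("ino")), f.get("name"))
            found.append({
                "event": event_id, "comm": f.get("comm"), "path": path,
                "perms": m.group(1).split(), "tclass": f.get("tclass"),
                # SELinux contexts are user:role:type[:level]; the type is field 3.
                "source_type": f["scontext"].split(":")[2],
                "target_type": f["tcontext"].split(":")[2],
            })
    return found

def relabel_hint(denial):
    """Command that resets the file to its policy default label, for review before running."""
    p = denial["path"]
    return f"restorecon -v {shlex.quote(p)}" if p and p.startswith("/") else None
```

A generic target type such as `etc_t` on a file that a confined daemon needs to write is the pattern diagnosed in this comment as a wrong file context.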

Comment 3 Thomas Vander Stichele 2006-05-07 10:04:32 UTC
FWIW, I just had this again yesterday.  I installed a fresh box with FC4, did
"yum install postfix", then "service postfix start".

So whatever is creating it with the wrong context is inside Fedora, not
something I did, and easily reproducible (depending on how "easy" it is for a
Red Hat engineer to *not* disable SELinux on install :))

I'm assuming this is postmap's fault, which creates the .db files afaik ?


Comment 4 Daniel Walsh 2006-05-09 12:51:46 UTC
You should have yum updated selinux-policy first.  The original policy on FC4
did not have the transition rules correct so that postfix would create the
files with the correct security context.

Comment 5 Thomas Vander Stichele 2006-06-17 19:21:12 UTC
I'm confused here.  All I do is install Fedora, then yum upgrade.  If something
needs to be upgraded before something else, isn't it the package that should
specify so, so that the upgrade happens in the correct order ?

I can't claim to understand what's going on, but it sounds like whatever the
right solution is, it is something the packages should be doing for me. 
Otherwise I don't see how a regular user can get it to work with SELinux enabled.

Comment 6 Thomas Vander Stichele 2006-09-02 10:21:00 UTC
Still confused about this problem, being one of the few people that hack on
Fedora that is actually willing to learn about SELinux ...

Comment 7 Daniel Walsh 2006-09-07 16:34:01 UTC
Yes this is a problem of rpm update, but we do not want to make every package
rely on selinux-policy.  The idea is to eventually get the policy "right" which
I believe we have done a good job of as we approach FC6/RHEL5.  We have also
added a tool setroubleshoot to help people figure out when SELinux is sending an
alert and how to react to that alert.
