Bug 1983308 - SELinux Blocking Postfix+PostgreSQL
Summary: SELinux Blocking Postfix+PostgreSQL
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2022-08-16
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: CentOS Stream
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: beta
Target Release: 8.8
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-07-17 14:23 UTC by Joseph D. Wagner
Modified: 2023-05-16 11:00 UTC (History)
CC List: 7 users

Fixed In Version: selinux-policy-3.14.3-112.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-16 09:03:44 UTC
Type: Bug
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 1326 0 None Merged Allow postfix/smtp and postfix/virtual read kerberos key table 2022-11-11 13:55:32 UTC
Github fedora-selinux selinux-policy pull 1483 0 None open Allow postfix/smtpd read kerberos key table 2022-11-25 18:15:05 UTC
Red Hat Product Errata RHBA-2023:2965 0 None None None 2023-05-16 09:04:03 UTC

Description Joseph D. Wagner 2021-07-17 14:23:35 UTC
Description of problem:
SELinux blocks Postfix from reading pgsql config files.
* This error does not occur when SELINUX=permissive
* This error does not appear in Fedora Rawhide using the same configuration.

/var/log/maillog
Jul 17 13:09:15 ${domain} postfix/virtual[2488]: error: open /etc/postfix/pgsql/virtual_mailbox_maps.cf: Permission denied
Jul 17 13:09:15 ${domain} postfix/virtual[2488]: warning: pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf is unavailable. open /etc/postfix/pgsql/virtual_mailbox_maps.cf: Permission denied
Jul 17 13:09:15 ${domain} postfix/virtual[2488]: warning: pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf lookup error for "${email}"
Jul 17 13:09:15 ${domain} postfix/virtual[2488]: warning: table virtual_mailbox_maps: lookup ${email}: Permission denied
Jul 17 13:09:15 ${domain} postfix/virtual[2488]: 7690E200C9: to=<${email}>, relay=virtual, delay=9530, delays=9529/0.47/0/0.05, dsn=4.3.5, status=deferred (mail system configuration error)

/var/log/audit/audit.log
type=AVC msg=audit(1626517839.448:51822): avc:  denied  { search } for  pid=36372 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1626517839.450:51823): avc:  denied  { search } for  pid=36372 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1626520184.708:52371): avc:  denied  { search } for  pid=37326 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1626520793.428:106): avc:  denied  { search } for  pid=2019 comm="virtual" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_virtual_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1626520938.846:201): avc:  denied  { search } for  pid=2092 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1626521009.136:202): avc:  denied  { search } for  pid=2130 comm="virtual" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_virtual_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1

/etc/postfix/main.cf
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/virtual_mailbox_domains.cf
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:985
virtual_gid_maps = static:981

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-72.el8.noarch

How reproducible:
100%

Steps to Reproduce:
1. useradd -r --comment "Virtual Maildir" -m -s /sbin/nologin vmail
2. postgresql-setup --initdb
3. systemctl start postgresql.service
4. su - postgres
5. psql -U postgres
6. CREATE USER vmailuser;
7. CREATE DATABASE vmaildb WITH OWNER vmailuser;
8. \q
9. psql -d vmaildb -U vmailuser
10. CREATE TABLE vdomains ( domainid int not null generated always as identity, domainname varchar(255) not null, constraint vdomains_pk primary key (domainid), constraint vdomains_domainname_unq unique(domainname) );
11. CREATE TABLE vmailboxes (mailboxid int not null generated always as identity, domainid int not null, username varchar(64) not null, password varchar(128) not null, constraint vmailboxes_pk primary key (mailboxid), constraint vmailboxes_username_domainid_unq unique(username, domainid), foreign key (domainid) references vdomains(domainid) on delete cascade );
12. Insert a few rows to both tables for subsequent testing.
13. \q
14. Create the virtual_mailbox_*.cf files.
15. Add the above virtual* lines to main.cf, but be sure to update uid/gid maps.
16. Restart postfix.
17. Send a test email to a mailbox in one of the virtual domains.
18. See the error message.

Actual results:
mail stuck in queue

Expected results:
mail delivered to maildir

Additional info:

# sealert -a /var/log/audit/audit.log
found 2 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/postfix/smtpd from search access on the directory krb5.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that smtpd should be allowed search access on the krb5 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'smtpd' --raw | audit2allow -M my-smtpd
# semodule -X 300 -i my-smtpd.pp


Additional Information:
Source Context                system_u:system_r:postfix_smtpd_t:s0
Target Context                system_u:object_r:krb5_keytab_t:s0
Target Objects                krb5 [ dir ]
Source                        smtpd
Source Path                   /usr/libexec/postfix/smtpd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           postfix-3.5.8-1.el8.x86_64
Target RPM Packages          
SELinux Policy RPM            selinux-policy-targeted-3.14.3-72.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-72.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ${domain}
Platform                      Linux ${domain} 4.18.0-315.el8.x86_64 #1
                              SMP Mon Jun 28 19:09:44 UTC 2021 x86_64 x86_64
Alert Count                   4
First Seen                    2021-07-17 10:30:39 UTC
Last Seen                     2021-07-17 11:22:18 UTC
Local ID                      e97c8994-d334-4f7c-aa2c-852b241e859b

Raw Audit Messages
type=AVC msg=audit(1626520938.846:201): avc:  denied  { search } for  pid=2092 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1


type=SYSCALL msg=audit(1626520938.846:201): arch=x86_64 syscall=openat success=no exit=ENOENT a0=ffffff9c a1=56075597d520 a2=0 a3=0 items=0 ppid=2011 pid=2092 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm=smtpd exe=/usr/libexec/postfix/smtpd subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID=unset UID=postfix GID=postfix EUID=postfix SUID=postfix FSUID=postfix EGID=postfix SGID=postfix FSGID=postfix

Hash: smtpd,postfix_smtpd_t,krb5_keytab_t,dir,search

--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/postfix/virtual from search access on the directory krb5.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that virtual should be allowed search access on the krb5 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'virtual' --raw | audit2allow -M my-virtual
# semodule -X 300 -i my-virtual.pp


Additional Information:
Source Context                system_u:system_r:postfix_virtual_t:s0
Target Context                system_u:object_r:krb5_keytab_t:s0
Target Objects                krb5 [ dir ]
Source                        virtual
Source Path                   /usr/libexec/postfix/virtual
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           postfix-3.5.8-1.el8.x86_64
Target RPM Packages          
SELinux Policy RPM            selinux-policy-targeted-3.14.3-72.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-72.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ${domain}
Platform                      Linux ${domain} 4.18.0-315.el8.x86_64 #1
                              SMP Mon Jun 28 19:09:44 UTC 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2021-07-17 11:19:53 UTC
Last Seen                     2021-07-17 11:23:29 UTC
Local ID                      207512af-fafa-4ad5-a519-8b9e73641f61

Raw Audit Messages
type=AVC msg=audit(1626521009.136:202): avc:  denied  { search } for  pid=2130 comm="virtual" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_virtual_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1


type=SYSCALL msg=audit(1626521009.136:202): arch=x86_64 syscall=openat success=no exit=ENOENT a0=ffffff9c a1=5636a25b0b10 a2=0 a3=0 items=0 ppid=2011 pid=2130 auid=4294967295 uid=0 gid=0 euid=89 suid=0 fsuid=89 egid=89 sgid=0 fsgid=89 tty=(none) ses=4294967295 comm=virtual exe=/usr/libexec/postfix/virtual subj=system_u:system_r:postfix_virtual_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID=unset UID=root GID=root EUID=postfix SUID=root FSUID=postfix EGID=postfix SGID=root FSGID=postfix

Hash: virtual,postfix_virtual_t,krb5_keytab_t,dir,search

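The `sealert` output above recommends piping the denials through `audit2allow -M`. Before doing that it is worth seeing what the AVC records actually say, because the maillog entry ("Permission denied" opening the pgsql map file) and the denial SELinux logged are not the same object: every AVC line is a `search` denial on a directory named `krb5` labelled `krb5_keytab_t`, which is what the upstream pull requests linked on this bug ("Allow postfix/smtp and postfix/virtual read kerberos key table") address. The script below is an added example, not code from the bug or from selinux-policy. It parses AVC records in the format shown above, groups denials by (source type, target type, object class) exactly the way `audit2allow` does, counts how many were logged while enforcing (`permissive=0`) as opposed to after the reporter switched to permissive mode, and renders the TE module a local `.pp` would be built from. The sample log is the six AVC lines quoted in this report, a shortened copy of one SYSCALL record (to show non-AVC records are skipped), and one CONSTRUCTED record (a hypothetical `read` on a file, not something the reporter saw) so the merging of a second object class into a separate rule is visible.

```python
import re
from collections import defaultdict

# AVC records quoted in the bug report, one shortened SYSCALL record, and one
# CONSTRUCTED record (the last line: a hypothetical "read" on a keytab file,
# not from the report) added only to show a second object class being grouped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1626517839.448:51822): avc:  denied  { search } for  pid=36372 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1626517839.450:51823): avc:  denied  { search } for  pid=36372 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1626520184.708:52371): avc:  denied  { search } for  pid=37326 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1626520793.428:106): avc:  denied  { search } for  pid=2019 comm="virtual" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_virtual_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1626520938.846:201): avc:  denied  { search } for  pid=2092 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1626521009.136:202): avc:  denied  { search } for  pid=2130 comm="virtual" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_virtual_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1626521009.136:202): arch=x86_64 syscall=openat success=no exit=ENOENT comm=virtual exe=/usr/libexec/postfix/virtual subj=system_u:system_r:postfix_virtual_t:s0
type=AVC msg=audit(1626521100.000:300): avc:  denied  { read } for  pid=2130 comm="virtual" name="krb5.keytab" dev="dm-1" ino=131160 scontext=system_u:system_r:postfix_virtual_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file permissive=1
"""

# One AVC record per line; "permissive=" is optional because older kernels omit it.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+?) \} for\s+'
    r'pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)


def type_of(context):
    """user:role:type:level -> type (the part policy rules are written against)."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "ts": float(d["ts"]),
        "verdict": d["verdict"],
        "perms": frozenset(d["perms"].split()),
        "pid": int(d["pid"]),
        "comm": d["comm"],
        "stype": type_of(d["scontext"]),
        "ttype": type_of(d["tcontext"]),
        "tclass": d["tclass"],
        # True only when the kernel really refused the access (permissive=0).
        "enforcing": (d["permissive"] == "0") if d["permissive"] else None,
    }


def summarize(log_text):
    """Group denials by (source type, target type, class), merging permissions."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set(), "enforced": 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["count"] += 1
        g["comms"].add(rec["comm"])
        if rec["enforcing"]:
            g["enforced"] += 1
    return dict(groups)


def _perm_list(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def allow_rules(groups):
    """Render each group as the TE allow rule audit2allow would propose."""
    return ["allow %s %s:%s %s;" % (s, t, c, _perm_list(g["perms"]))
            for (s, t, c), g in sorted(groups.items())]


def te_module(name, groups):
    """Full .te source (module header, require block, allow rules) for semodule."""
    types = sorted({ty for (s, t, _) in groups for ty in (s, t)})
    classes = defaultdict(set)
    for (_, _, cls), g in groups.items():
        classes[cls] |= g["perms"]
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["\ttype %s;" % ty for ty in types]
    lines += ["\tclass %s %s;" % (cls, _perm_list(classes[cls])) for cls in sorted(classes)]
    lines += ["}", ""] + allow_rules(groups)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    groups = summarize(SAMPLE_AUDIT_LOG)
    for (s, t, c), g in sorted(groups.items()):
        print("%s -> %s:%s %s  (%d denials, %d while enforcing, comm=%s)"
              % (s, t, c, sorted(g["perms"]), g["count"], g["enforced"], ",".join(sorted(g["comms"]))))
    print(te_module("my-postfix", groups))
```

Two things the grouping makes visible that the `sealert` summary does not: only the first two `smtpd` records were logged while enforcing, the rest were collected after the switch to permissive mode, and the `postfix_virtual_t` denials never occurred in enforcing mode at all during this capture. A module generated this way is a blanket `allow` for the domain; it is a stopgap, and on RHEL 8 the correct fix is the policy update this bug was closed against (selinux-policy-3.14.3-112.el8), after which the local module should be removed with `semodule -r`.
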
Comment 1 Patrik Koncity 2022-01-26 15:50:47 UTC
Hi Joseph,

I have a few questions. I'm stuck reproducing this bug.


> 9. psql -d vmaildb -U vmailuser

when I try to connect to vmaildb as vmailuser, it only shows the error "psql: FATAL:  Peer authentication failed for user "vmailuser"" and I'm not able to continue with the other steps. Any clue where the issue can be?


Also, can you please show me the label of /etc/postfix/pgsql/virtual_mailbox_maps.cf?

$ ls -Z /etc/postfix/pgsql/virtual_mailbox_maps.cf


Thanks,

Patrik

Comment 2 Joseph D. Wagner 2022-01-26 18:31:12 UTC
1) You'll need to change the METHOD entry in /var/lib/pgsql/data/pg_hba.conf from "peer" to something like "trust", "md5", or "scram-sha-256". Be sure to set up the postgres account first (unless you go with "trust"), because postgres is the admin one.

2) -rw-r-----. 1 root postfix system_u:object_r:postfix_etc_t:s0 288 Jul 26  2021 /etc/postfix/pgsql/virtual_mailbox_maps.cf

Comment 12 Zdenek Pytela 2022-11-28 13:30:16 UTC
This commit is needed:
commit 3dd03dad6dfc3d5b07fbd31eec2cbceabfdfd844 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Fri Nov 25 19:11:50 2022 +0100

    Allow postfix/smtpd read kerberos key table

Comment 20 errata-xmlrpc 2023-05-16 09:03:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965
