Hi Joseph,
I have a few questions. I'm stuck reproducing this bug,
> 9. psql -d vmaildb -U vmailuser
when I try to connect vmaildb to vmailuser in the database, only this error appears: "psql: FATAL: Peer authentication failed for user "vmailuser"" and I'm not able to continue with the other steps. Any clue where the issue could be?
Also, can you please show me the label of /etc/postfix/pgsql/virtual_mailbox_maps.cf?
$ ls -Z /etc/postfix/pgsql/virtual_mailbox_maps.cf
Thanks,
Patrik
1) You'll need to change the METHOD entry in /var/lib/pgsql/data/pg_hba.conf from "peer" to something like "trust", "md5", or "scram-sha-256". Be sure to set up the postgres account first (unless you go with "trust"), because postgres is the admin one.
2) -rw-r-----. 1 root postfix system_u:object_r:postfix_etc_t:s0 288 Jul 26 2021 /etc/postfix/pgsql/virtual_mailbox_maps.cf
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:2965
Description of problem:
SELinux blocks Postfix from reading pgsql config files.
* This error does not occur when SELINUX=permissive
* This error does not appear in Fedora Rawhide using the same configuration.

/var/log/maillog
Jul 17 13:09:15 ${domain} postfix/virtual[2488]: error: open /etc/postfix/pgsql/virtual_mailbox_maps.cf: Permission denied
Jul 17 13:09:15 ${domain} postfix/virtual[2488]: warning: pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf is unavailable. open /etc/postfix/pgsql/virtual_mailbox_maps.cf: Permission denied
Jul 17 13:09:15 ${domain} postfix/virtual[2488]: warning: pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf lookup error for "${email}"
Jul 17 13:09:15 ${domain} postfix/virtual[2488]: warning: table virtual_mailbox_maps: lookup ${email}: Permission denied
Jul 17 13:09:15 ${domain} postfix/virtual[2488]: 7690E200C9: to=<${email}>, relay=virtual, delay=9530, delays=9529/0.47/0/0.05, dsn=4.3.5, status=deferred (mail system configuration error)

/var/log/audit/audit.log
type=AVC msg=audit(1626517839.448:51822): avc: denied { search } for pid=36372 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1626517839.450:51823): avc: denied { search } for pid=36372 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1626520184.708:52371): avc: denied { search } for pid=37326 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1626520793.428:106): avc: denied { search } for pid=2019 comm="virtual" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_virtual_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1626520938.846:201): avc: denied { search } for pid=2092 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1626521009.136:202): avc: denied { search } for pid=2130 comm="virtual" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_virtual_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1

/etc/postfix/main.cf
virtual_mailbox_domains = pgsql:/etc/postfix/pgsql/virtual_mailbox_domains.cf
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:985
virtual_gid_maps = static:981

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-72.el8.noarch

How reproducible:
100%

Steps to Reproduce:
1. useradd -r --comment "Virtual Maildir" -m -s /sbin/nologin vmail
2. postgresql-setup --initdb
3. systemctl start postgresql.service
4. su - postgres
5. psql -U postgres
6. CREATE USER vmailuser;
7. CREATE DATABASE vmaildb WITH OWNER vmailuser;
8. \q
9. psql -d vmaildb -U vmailuser
10. CREATE TABLE vdomains ( domainid int not null generated always as identity, domainname varchar(255) not null, constraint vdomains_pk primary key (domainid), constraint vdomains_domainname_unq unique(domainname) );
11. CREATE TABLE vmailboxes (mailboxid int not null generated always as identity, domainid int not null, username varchar(64) not null, password varchar(128) not null, constraint vmailboxes_pk primary key (mailboxid), constraint vmailboxes_username_domainid_unq unique(username, domainid), foreign key (domainid) references vdomains(domainid) on delete cascade );
12. Insert a few rows to both tables for subsequent testing.
13. \q
14. Create the virtual_mailbox_*.cf files.
15. Add the above virtual* lines to main.cf, but be sure to update uid/gid maps.
16. Restart postfix.
17. Sent a test email to a mailbox in one of the virtual domains.
18. See the error message.

Actual results:
mail stuck in queue

Expected results:
mail delivered to maildir

Additional info:
# sealert -a /var/log/audit/audit.log
found 2 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/postfix/smtpd from search access on the directory krb5.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that smtpd should be allowed search access on the krb5 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'smtpd' --raw | audit2allow -M my-smtpd
# semodule -X 300 -i my-smtpd.pp

Additional Information:
Source Context                system_u:system_r:postfix_smtpd_t:s0
Target Context                system_u:object_r:krb5_keytab_t:s0
Target Objects                krb5 [ dir ]
Source                        smtpd
Source Path                   /usr/libexec/postfix/smtpd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           postfix-3.5.8-1.el8.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-72.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-72.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ${domain}
Platform                      Linux ${domain} 4.18.0-315.el8.x86_64 #1 SMP Mon Jun 28 19:09:44 UTC 2021 x86_64 x86_64
Alert Count                   4
First Seen                    2021-07-17 10:30:39 UTC
Last Seen                     2021-07-17 11:22:18 UTC
Local ID                      e97c8994-d334-4f7c-aa2c-852b241e859b

Raw Audit Messages
type=AVC msg=audit(1626520938.846:201): avc: denied { search } for pid=2092 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1

type=SYSCALL msg=audit(1626520938.846:201): arch=x86_64 syscall=openat success=no exit=ENOENT a0=ffffff9c a1=56075597d520 a2=0 a3=0 items=0 ppid=2011 pid=2092 auid=4294967295 uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm=smtpd exe=/usr/libexec/postfix/smtpd subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID=unset UID=postfix GID=postfix EUID=postfix SUID=postfix FSUID=postfix EGID=postfix SGID=postfix FSGID=postfix

Hash: smtpd,postfix_smtpd_t,krb5_keytab_t,dir,search

--------------------------------------------------------------------------------

SELinux is preventing /usr/libexec/postfix/virtual from search access on the directory krb5.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that virtual should be allowed search access on the krb5 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'virtual' --raw | audit2allow -M my-virtual
# semodule -X 300 -i my-virtual.pp

Additional Information:
Source Context                system_u:system_r:postfix_virtual_t:s0
Target Context                system_u:object_r:krb5_keytab_t:s0
Target Objects                krb5 [ dir ]
Source                        virtual
Source Path                   /usr/libexec/postfix/virtual
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           postfix-3.5.8-1.el8.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-72.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-72.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ${domain}
Platform                      Linux ${domain} 4.18.0-315.el8.x86_64 #1 SMP Mon Jun 28 19:09:44 UTC 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2021-07-17 11:19:53 UTC
Last Seen                     2021-07-17 11:23:29 UTC
Local ID                      207512af-fafa-4ad5-a519-8b9e73641f61

Raw Audit Messages
type=AVC msg=audit(1626521009.136:202): avc: denied { search } for pid=2130 comm="virtual" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_virtual_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1

type=SYSCALL msg=audit(1626521009.136:202): arch=x86_64 syscall=openat success=no exit=ENOENT a0=ffffff9c a1=5636a25b0b10 a2=0 a3=0 items=0 ppid=2011 pid=2130 auid=4294967295 uid=0 gid=0 euid=89 suid=0 fsuid=89 egid=89 sgid=0 fsgid=89 tty=(none) ses=4294967295 comm=virtual exe=/usr/libexec/postfix/virtual subj=system_u:system_r:postfix_virtual_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID=unset UID=root GID=root EUID=postfix SUID=root FSUID=postfix EGID=postfix SGID=root FSGID=postfix

Hash: virtual,postfix_virtual_t,krb5_keytab_t,dir,search
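
Added example, not part of the original report and not Red Hat tooling: a small Python parser that reduces AVC records like the ones above to the key sealert prints as "Hash:" and counts how many denials were actually enforced (permissive=0) versus only logged (permissive=1). The three AVC records are copied from the report; the SYSCALL line is shortened, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Records taken from the audit.log excerpt in this report (SYSCALL line shortened).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1626517839.448:51822): avc: denied { search } for pid=36372 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1626520938.846:201): avc: denied { search } for pid=2092 comm="smtpd" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1626521009.136:202): avc: denied { search } for pid=2130 comm="virtual" name="krb5" dev="dm-1" ino=131155 scontext=system_u:system_r:postfix_virtual_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1626521009.136:202): arch=x86_64 syscall=openat success=no exit=ENOENT
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """A context is user:role:type:level; policy rules are written on the type."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else "?"


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "comm": f.get("comm", "?"),
        "source": selinux_type(f.get("scontext", "")),
        "target": selinux_type(f.get("tcontext", "")),
        "tclass": f.get("tclass", "?"),
        "perms": m.group("perms").split(),
        "enforced": f.get("permissive") == "0",
    }


def summarize(log_text):
    """Group denials by comm,source,target,class,perm and count by mode."""
    groups = defaultdict(lambda: {"enforced": 0, "permissive": 0})
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        for perm in rec["perms"]:
            key = ",".join([rec["comm"], rec["source"], rec["target"], rec["tclass"], perm])
            groups[key]["enforced" if rec["enforced"] else "permissive"] += 1
    return dict(groups)


if __name__ == "__main__":
    for key, counts in summarize(SAMPLE_AUDIT_LOG).items():
        print(key, counts)
```

The two keys it produces match the "Hash:" lines in the sealert output above, which makes it easy to see what a generated local module would cover before loading it.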