Bug 2142534 - pypolicyd-spf causing selinux errors
Summary: pypolicyd-spf causing selinux errors
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: pypolicyd-spf
Version: epel8
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Bojan Smojver
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-11-14 11:16 UTC by Herald van der Breggen
Modified: 2022-12-23 00:36 UTC (History)

Fixed In Version: pypolicyd-spf-2.9.3-4.fc35 pypolicyd-spf-2.9.3-4.fc37 pypolicyd-spf-2.9.3-4.el8 pypolicyd-spf-2.9.3-4.fc36 pypolicyd-spf-2.9.3-4.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-11-26 00:46:07 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FC-657 0 None None None 2022-11-14 11:52:16 UTC

Description Herald van der Breggen 2022-11-14 11:16:16 UTC
Description of problem:
After updating the pypolicyd-spf package to this one:
 
pypolicyd-spf / noarch / 2.9.3-1.el8 / epel / 73 k

the mail server was not able to receive mail.

Errors:
SELinux is preventing /usr/libexec/platform-python3.6 from execute_no_trans access on the file /usr/sbin/ldconfig. For complete SELinux messages run: [.....]

and

"Recipient address rejected: Server configuration problem; "

For now I removed the spf check from the postfix configuration.

Version-Release number of selected component (if applicable):


How reproducible:
configure postfix to use spf and watch incoming mail.


Steps to Reproduce:
1. configure postfix with spf as described in https://www.linuxbabe.com/redhat/set-up-spf-dkim-postfix-centos

2. update to 2.9.3-1.el8

Actual results:
mail server not able to receive mail

Expected results:


Additional info:
a working mail server

Comment 1 Miro Hrončok 2022-11-14 11:45:45 UTC
I'm going to assume this needs to be fixed in pypolicyd-spf. Let us know if you think something is actually broken in Python.

Comment 2 Bojan Smojver 2022-11-14 11:57:53 UTC
Can you attach relevant parts of audit log after running in permissive mode?

Comment 3 Herald van der Breggen 2022-11-14 12:17:15 UTC
After sending a test-email from google to my mail server:

Nov 14 13:12:45 vps2 postfix/smtpd[4494]: connect from mail-pf1-f181.google.com[209.85.210.181]
Nov 14 13:12:45 vps2 postfix/smtpd[4494]: discarding EHLO keywords: CHUNKING
Nov 14 13:12:45 vps2 postfix/smtpd[4494]: discarding EHLO keywords: CHUNKING
Nov 14 13:12:46 vps2 spamass-milter[925]: Could not retrieve sendmail macro "i"!.  Please add it to confMILTER_MACROS_ENVFROM for better spamassassin results
Nov 14 13:12:47 vps2 postfix/spawn[4498]: warning: command /usr/libexec/postfix/policyd-spf exit status 1
Nov 14 13:12:47 vps2 postfix/smtpd[4494]: warning: premature end-of-input on private/policyd-spf while reading input attribute name
Nov 14 13:12:48 vps2 postfix/spawn[4498]: warning: command /usr/libexec/postfix/policyd-spf exit status 1
Nov 14 13:12:48 vps2 postfix/smtpd[4494]: warning: premature end-of-input on private/policyd-spf while reading input attribute name
Nov 14 13:12:48 vps2 postfix/smtpd[4494]: warning: problem talking to server private/policyd-spf: Connection reset by peer
Nov 14 13:12:48 vps2 postfix/smtpd[4494]: NOQUEUE: reject: RCPT from mail-pf1-f181.google.com[209.85.210.181]: 451 4.3.5 <herald>: Recipient address rejected: Server configuration problem; from=<heraldvander> to=<herald> proto=ESMTP helo=<mail-pf1-f181.google.com>

Comment 4 Herald van der Breggen 2022-11-14 12:26:20 UTC
This was of course the mail log, not the audit log.

journalctl shows:

nov 14 13:12:55 vps2 setroubleshoot[4512]: SELinux is preventing /usr/libexec/platform-python3.6 from execute_no_trans access on the file /usr/sbin/ldconfig. For complete SELinux messages run: sealert -l a197564e-2191-40e3-82cd-daf029c0a>
nov 14 13:12:55 vps2 setroubleshoot[4512]: SELinux is preventing /usr/libexec/platform-python3.6 from execute_no_trans access on the file /usr/sbin/ldconfig.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that platform-python3.6 should be allowed execute_no_trans access on the ldconfig file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'policyd-spf' --raw | audit2allow -M my-policydspf
# semodule -X 300 -i my-policydspf.pp


sealert shows:
[root@vps2 audit]# sealert -l a197564e-2191-40e3-82cd-daf029c0ad62
SELinux is preventing /usr/libexec/platform-python3.6 from execute_no_trans access on the file /usr/sbin/ldconfig.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that platform-python3.6 should be allowed execute_no_trans access on the ldconfig file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'policyd-spf' --raw | audit2allow -M my-policydspf
# semodule -X 300 -i my-policydspf.pp


Additional Information:
Source Context                system_u:system_r:postfix_master_t:s0
Target Context                system_u:object_r:ldconfig_exec_t:s0
Target Objects                /usr/sbin/ldconfig [ file ]
Source                        policyd-spf
Source Path                   /usr/libexec/platform-python3.6
Port                          <Unknown>
Host                          vps2
Source RPM Packages           glibc-2.28-216.el8.x86_64
Target RPM Packages           glibc-2.28-216.el8.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.3-110.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-110.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     vps2
Platform                      Linux vps2 4.18.0-408.el8.x86_64 #1 SMP Mon Jul 18
                              17:42:52 UTC 2022 x86_64 x86_64
Alert Count                   38
First Seen                    2022-11-14 11:41:34 CET
Last Seen                     2022-11-14 13:14:55 CET
Local ID                      a197564e-2191-40e3-82cd-daf029c0ad62

Raw Audit Messages
type=AVC msg=audit(1668428095.984:289): avc:  denied  { execute_no_trans } for  pid=4600 comm="policyd-spf" path="/usr/sbin/ldconfig" dev="vda2" ino=4092757 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1668428095.984:289): arch=x86_64 syscall=execve success=yes exit=0 a0=7fd256054420 a1=7fd25602a078 a2=7fd25602ae10 a3=18 items=0 ppid=4599 pid=4600 auid=4294967295 uid=975 gid=970 euid=975 suid=975 fsuid=975 egid=970 sgid=970 fsgid=970 tty=(none) ses=4294967295 comm=ldconfig exe=/usr/sbin/ldconfig subj=system_u:system_r:postfix_master_t:s0 key=(null)

Hash: policyd-spf,postfix_master_t,ldconfig_exec_t,file,execute_no_trans
                                   
But anyway, it looks like the selinux errors (that are logged in high volume) are not the cause for not receiving email anymore. So I needed to disable spf-checking again.
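As an added example (not code from the bug report or from the pypolicyd-spf project): a small parser over the AVC record quoted above, plus a constructed enforcing-mode variant, that extracts the source and target types and uses the permissive flag to separate a logged-only denial from a blocking one, which is the distinction drawn in the last paragraph of this comment. The second AVC line and the event id 1668500000.111:301 are constructed for illustration.

```python
import re

# Constructed sample audit text: the AVC and SYSCALL records quoted in comment 4
# (permissive=1) plus one constructed enforcing-mode variant (permissive=0).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1668428095.984:289): avc:  denied  { execute_no_trans } for  pid=4600 comm="policyd-spf" path="/usr/sbin/ldconfig" dev="vda2" ino=4092757 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1668428095.984:289): arch=x86_64 syscall=execve success=yes exit=0 comm=ldconfig exe=/usr/sbin/ldconfig subj=system_u:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1668500000.111:301): avc:  denied  { execute_no_trans } for  pid=5100 comm="policyd-spf" path="/usr/sbin/ldconfig" dev="vda2" ino=4092757 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
"""

EVENT_RE = re.compile(r"msg=audit\((?P<id>\d+\.\d+:\d+)\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for (?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["event_id"] = EVENT_RE.search(line).group("id")
    fields["perms"] = m.group("perms").split()
    # Contexts are user:role:type:level; the type is what policy rules name.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    # permissive=1 means the denial was only logged and the execve went ahead.
    fields["enforced"] = fields.get("permissive") == "0"
    return fields


def triage(audit_text):
    """Parse every AVC record and attach the exe from the SYSCALL record with the same event id."""
    syscalls = {}
    for line in audit_text.splitlines():
        if line.startswith("type=SYSCALL"):
            kv = dict(KV_RE.findall(line))
            syscalls[EVENT_RE.search(line).group("id")] = kv.get("exe")
    events = [e for e in map(parse_avc, audit_text.splitlines()) if e]
    for e in events:
        e["exe"] = syscalls.get(e["event_id"])
        e["verdict"] = "blocked" if e["enforced"] else "logged only (permissive)"
    return events


if __name__ == "__main__":
    for e in triage(SAMPLE_AUDIT):
        print(f"{e['event_id']} {e['stype']} -> {e['ttype']} {e['perms']} {e['verdict']} exe={e['exe']}")
```

Against real data, feed it the output of `ausearch -m AVC,SYSCALL --raw`; a denial that reports as logged only cannot be what stops mail delivery, which points the investigation back at the policy daemon's exit status 1.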

Comment 5 Bojan Smojver 2022-11-14 12:29:03 UTC
Please test the build from koji, referenced in -2 that I submitted for testing a short time ago. A dependency was missed in -1 and you may be hitting that too.

Comment 6 Herald van der Breggen 2022-11-14 12:39:39 UTC
Yes, pypolicyd-spf-2.9.3-2.el8 from Koji works! 
Thanks a lot!

Comment 7 Fedora Update System 2022-11-14 12:50:09 UTC
FEDORA-EPEL-2022-f566a6d7b9 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-f566a6d7b9

Comment 8 Fedora Update System 2022-11-15 03:10:07 UTC
FEDORA-EPEL-2022-f566a6d7b9 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-f566a6d7b9

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2022-11-16 03:06:31 UTC
FEDORA-EPEL-2022-f566a6d7b9 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-f566a6d7b9

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2022-11-17 03:21:59 UTC
FEDORA-EPEL-2022-a969761527 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-a969761527

Comment 11 Fedora Update System 2022-11-17 03:22:16 UTC
FEDORA-2022-ffbe9dc2a1 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-ffbe9dc2a1

Comment 12 Fedora Update System 2022-11-17 03:22:16 UTC
FEDORA-2022-bf48bba014 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-bf48bba014

Comment 13 Fedora Update System 2022-11-17 03:26:43 UTC
FEDORA-2022-6c3bcb04d7 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-6c3bcb04d7

Comment 14 Fedora Update System 2022-11-17 03:27:46 UTC
FEDORA-EPEL-2022-cae1f70fce has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-cae1f70fce

Comment 15 Fedora Update System 2022-11-18 01:22:08 UTC
FEDORA-2022-bf48bba014 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-bf48bba014`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-bf48bba014

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 16 Fedora Update System 2022-11-18 01:57:23 UTC
FEDORA-2022-ffbe9dc2a1 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-ffbe9dc2a1`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-ffbe9dc2a1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 17 Fedora Update System 2022-11-18 02:22:58 UTC
FEDORA-EPEL-2022-a969761527 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-a969761527

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 18 Fedora Update System 2022-11-18 02:30:31 UTC
FEDORA-EPEL-2022-cae1f70fce has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-cae1f70fce

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 19 Fedora Update System 2022-11-18 02:44:37 UTC
FEDORA-2022-6c3bcb04d7 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-6c3bcb04d7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-6c3bcb04d7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 20 Fedora Update System 2022-11-26 00:46:07 UTC
FEDORA-2022-bf48bba014 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 21 Fedora Update System 2022-11-26 02:11:48 UTC
FEDORA-2022-6c3bcb04d7 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 22 Fedora Update System 2022-11-26 02:24:06 UTC
FEDORA-EPEL-2022-cae1f70fce has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 23 Fedora Update System 2022-11-26 02:41:41 UTC
FEDORA-2022-ffbe9dc2a1 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 24 Fedora Update System 2022-12-23 00:36:31 UTC
FEDORA-EPEL-2022-a969761527 has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.

