Description of problem:
After updating the pypolicyd-spf package by this one
pypolicyd-spf / noarch / 2.9.3-1.el8 / epel / 73 k
the mail server was not able to receive mail.

Errors:
SELinux is preventing /usr/libexec/platform-python3.6 from execute_no_trans access on the file /usr/sbin/ldconfig. For complete SELinux messages run: [.....]
and
"Recipient address rejected: Server configuration problem; "

For now I removed the spf check from the postfix configuration.

Version-Release number of selected component (if applicable):

How reproducible:
configure postfix to use spf and watch incoming mail.

Steps to Reproduce:
1. configure postfix with spf as described in https://www.linuxbabe.com/redhat/set-up-spf-dkim-postfix-centos
2. update to 2.9.3-1.el8
3.

Actual results:
mail server not able to receive mail

Expected results:

Additional info:
a working mail server
I'm going to assume this needs to be fixed in pypolicyd-spf. Let us know if you think something is actually broken in Python.
Can you attach relevant parts of audit log after running in permissive mode?
After sending a test-email from google to my mail server:
Nov 14 13:12:45 vps2 postfix/smtpd[4494]: connect from mail-pf1-f181.google.com[209.85.210.181]
Nov 14 13:12:45 vps2 postfix/smtpd[4494]: discarding EHLO keywords: CHUNKING
Nov 14 13:12:45 vps2 postfix/smtpd[4494]: discarding EHLO keywords: CHUNKING
Nov 14 13:12:46 vps2 spamass-milter[925]: Could not retrieve sendmail macro "i"!. Please add it to confMILTER_MACROS_ENVFROM for better spamassassin results
Nov 14 13:12:47 vps2 postfix/spawn[4498]: warning: command /usr/libexec/postfix/policyd-spf exit status 1
Nov 14 13:12:47 vps2 postfix/smtpd[4494]: warning: premature end-of-input on private/policyd-spf while reading input attribute name
Nov 14 13:12:48 vps2 postfix/spawn[4498]: warning: command /usr/libexec/postfix/policyd-spf exit status 1
Nov 14 13:12:48 vps2 postfix/smtpd[4494]: warning: premature end-of-input on private/policyd-spf while reading input attribute name
Nov 14 13:12:48 vps2 postfix/smtpd[4494]: warning: problem talking to server private/policyd-spf: Connection reset by peer
Nov 14 13:12:48 vps2 postfix/smtpd[4494]: NOQUEUE: reject: RCPT from mail-pf1-f181.google.com[209.85.210.181]: 451 4.3.5 <herald>: Recipient address rejected: Server configuration problem; from=<heraldvander> to=<herald> proto=ESMTP helo=<mail-pf1-f181.google.com>
This was of course the mail log, not the audit log.

journalctl shows:
nov 14 13:12:55 vps2 setroubleshoot[4512]: SELinux is preventing /usr/libexec/platform-python3.6 from execute_no_trans access on the file /usr/sbin/ldconfig. For complete SELinux messages run: sealert -l a197564e-2191-40e3-82cd-daf029c0a>
nov 14 13:12:55 vps2 setroubleshoot[4512]: SELinux is preventing /usr/libexec/platform-python3.6 from execute_no_trans access on the file /usr/sbin/ldconfig.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that platform-python3.6 should be allowed execute_no_trans access on the ldconfig file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'policyd-spf' --raw | audit2allow -M my-policydspf
# semodule -X 300 -i my-policydspf.pp

sealert shows:
[root@vps2 audit]# sealert -l a197564e-2191-40e3-82cd-daf029c0ad62
SELinux is preventing /usr/libexec/platform-python3.6 from execute_no_trans access on the file /usr/sbin/ldconfig.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that platform-python3.6 should be allowed execute_no_trans access on the ldconfig file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'policyd-spf' --raw | audit2allow -M my-policydspf
# semodule -X 300 -i my-policydspf.pp

Additional Information:
Source Context                system_u:system_r:postfix_master_t:s0
Target Context                system_u:object_r:ldconfig_exec_t:s0
Target Objects                /usr/sbin/ldconfig [ file ]
Source                        policyd-spf
Source Path                   /usr/libexec/platform-python3.6
Port                          <Unknown>
Host                          vps2
Source RPM Packages           glibc-2.28-216.el8.x86_64
Target RPM Packages           glibc-2.28-216.el8.x86_64
SELinux Policy RPM            selinux-policy-targeted-3.14.3-110.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-110.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     vps2
Platform                      Linux vps2 4.18.0-408.el8.x86_64 #1 SMP Mon Jul 18 17:42:52 UTC 2022 x86_64 x86_64
Alert Count                   38
First Seen                    2022-11-14 11:41:34 CET
Last Seen                     2022-11-14 13:14:55 CET
Local ID                      a197564e-2191-40e3-82cd-daf029c0ad62

Raw Audit Messages
type=AVC msg=audit(1668428095.984:289): avc: denied { execute_no_trans } for pid=4600 comm="policyd-spf" path="/usr/sbin/ldconfig" dev="vda2" ino=4092757 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1668428095.984:289): arch=x86_64 syscall=execve success=yes exit=0 a0=7fd256054420 a1=7fd25602a078 a2=7fd25602ae10 a3=18 items=0 ppid=4599 pid=4600 auid=4294967295 uid=975 gid=970 euid=975 suid=975 fsuid=975 egid=970 sgid=970 fsgid=970 tty=(none) ses=4294967295 comm=ldconfig exe=/usr/sbin/ldconfig subj=system_u:system_r:postfix_master_t:s0 key=(null)
Hash: policyd-spf,postfix_master_t,ldconfig_exec_t,file,execute_no_trans

But anyway, it looks like the selinux errors (that are logged in high volume) are not the cause for not receiving email anymore. So I needed to disable spf-checking again.
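Added example, not part of the bug report or of any package discussed in it: a small triage script that pairs AVC and SYSCALL audit records by event serial and reports whether a denial was actually enforced or only logged (permissive=1), which is the distinction the comment above relies on. The function names `parse_events` and `triage` are hypothetical, and the SYSCALL record is trimmed to the fields used.

```python
import re

# The raw audit records quoted in the comment above, embedded so this runs offline
# (SYSCALL record trimmed to the fields this script reads).
SAMPLE = (
    'type=AVC msg=audit(1668428095.984:289): avc: denied { execute_no_trans } '
    'for pid=4600 comm="policyd-spf" path="/usr/sbin/ldconfig" dev="vda2" '
    'ino=4092757 scontext=system_u:system_r:postfix_master_t:s0 '
    'tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1\n'
    'type=SYSCALL msg=audit(1668428095.984:289): arch=x86_64 syscall=execve '
    'success=yes exit=0 ppid=4599 pid=4600 uid=975 comm=ldconfig '
    'exe=/usr/sbin/ldconfig subj=system_u:system_r:postfix_master_t:s0\n'
)

HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit serial; one event may carry several AVC records."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        ev = events.setdefault(serial, {"AVC": [], "SYSCALL": {}})
        if rtype == "AVC":
            perms = re.search(r'\{([^}]*)\}', rest)
            fields["perms"] = perms.group(1).split() if perms else []
            ev["AVC"].append(fields)
        elif rtype == "SYSCALL":
            ev["SYSCALL"] = fields
    return events

def triage(text):
    """One row per AVC: who was denied what, and whether it was enforced."""
    rows = []
    for serial, ev in parse_events(text).items():
        for avc in ev["AVC"]:
            rows.append({
                "serial": serial,
                "comm": avc.get("comm"),
                "path": avc.get("path"),
                "perms": avc["perms"],
                "source_type": avc["scontext"].split(":")[2],
                "target_type": avc["tcontext"].split(":")[2],
                # permissive=1 means the denial was logged but not enforced
                "blocked": avc.get("permissive") == "0",
                "syscall_success": ev["SYSCALL"].get("success"),
            })
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

For the records in this report the row shows `blocked` as false with a successful `execve`, so the denial alone does not explain the failing policy daemon.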
Please test the build from koji, referenced in -2 that I submitted for testing a short time ago. A dependency was missed in -1 and you may be hitting that too.
Yes, pypolicyd-spf-2.9.3-2.el8 from Koji works! Thanks a lot!
FEDORA-EPEL-2022-f566a6d7b9 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-f566a6d7b9
FEDORA-EPEL-2022-f566a6d7b9 has been pushed to the Fedora EPEL 8 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-f566a6d7b9 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2022-a969761527 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-a969761527
FEDORA-2022-ffbe9dc2a1 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-ffbe9dc2a1
FEDORA-2022-bf48bba014 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-bf48bba014
FEDORA-2022-6c3bcb04d7 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-6c3bcb04d7
FEDORA-EPEL-2022-cae1f70fce has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-cae1f70fce
FEDORA-2022-bf48bba014 has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-bf48bba014` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-bf48bba014 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-ffbe9dc2a1 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-ffbe9dc2a1` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-ffbe9dc2a1 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2022-a969761527 has been pushed to the Fedora EPEL 9 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-a969761527 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2022-cae1f70fce has been pushed to the Fedora EPEL 8 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-cae1f70fce See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-6c3bcb04d7 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-6c3bcb04d7` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-6c3bcb04d7 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-bf48bba014 has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2022-6c3bcb04d7 has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2022-cae1f70fce has been pushed to the Fedora EPEL 8 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2022-ffbe9dc2a1 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2022-a969761527 has been pushed to the Fedora EPEL 9 stable repository. If problem still persists, please make note of it in this bug report.