2242898 – Please add support for the /etc/aliases.lmdb

Bug 2242898 - Please add support for the /etc/aliases.lmdb

Summary: Please add support for the /etc/aliases.lmdb

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1788480
TreeView+	depends on / blocked

Reported:	2023-10-09 16:30 UTC by Jaroslav Škarvada
Modified:	2023-10-20 15:46 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-10-20 15:46:26 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 1899	0	None	open	Label /etc/aliases.lmdb with etc_aliases_t	2023-10-10 12:54:30 UTC

Description Jaroslav Škarvada 2023-10-09 16:30:34 UTC

There is an attempt to drop libdb from RHEL (bug 1788480), thus postfix is using lmdb, unfortunately it requires some selinux policy tweaks:

type=AVC msg=audit(1696867029.805:507): avc:  denied  { write } for  pid=7342 comm="postalias" name="aliases.lmdb" dev="vda1" ino=2238433 scontext=system_u:system_r:postfix_master_t:s0 tcont
type=SYSCALL msg=audit(1696867029.805:507): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=562fb57eb670 a2=42 a3=1a4 items=0 ppid=7340 pid=7342 auid=4294967295 uid=0 gid=0 euid
type=PROCTITLE msg=audit(1696867029.805:507): proctitle=706F7374616C696173002D2D006C6D6462002F6574632F616C6961736573
type=SERVICE_START msg=audit(1696867031.010:508): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd"
type=SERVICE_STOP msg=audit(1696867246.266:509): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd" h
type=BPF msg=audit(1696867246.267:510): prog-id=93 op=LOAD
type=BPF msg=audit(1696867246.269:511): prog-id=92 op=UNLOAD
type=SERVICE_START msg=audit(1696867246.496:512): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd"
type=SERVICE_STOP msg=audit(1696867286.386:513): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd" h
type=BPF msg=audit(1696867286.387:514): prog-id=94 op=LOAD
type=BPF msg=audit(1696867286.389:515): prog-id=93 op=UNLOAD
type=AVC msg=audit(1696867286.418:516): avc:  denied  { map } for  pid=7549 comm="postalias" path="/etc/aliases.lmdb" dev="vda1" ino=2489602 scontext=system_u:system_r:postfix_master_t:s0 tc
type=SYSCALL msg=audit(1696867286.418:516): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000000 a2=1 a3=1 items=0 ppid=7547 pid=7549 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
type=PROCTITLE msg=audit(1696867286.418:516): proctitle=706F7374616C696173002D2D006C6D6462002F6574632F616C6961736573
type=SERVICE_START msg=audit(1696867287.622:517): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd"
type=MAC_STATUS msg=audit(1696867614.606:518): enforcing=0 old_enforcing=1 auid=0 ses=4 enabled=1 old-enabled=1 lsm=selinux res=1^]AUID="root"
type=SYSCALL msg=audit(1696867614.606:518): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7ffd4f109d60 a2=1 a3=0 items=0 ppid=5685 pid=7651 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid
type=PROCTITLE msg=audit(1696867614.606:518): proctitle=736574656E666F7263650030
type=SERVICE_STOP msg=audit(1696867622.366:519): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd" h
type=BPF msg=audit(1696867622.367:520): prog-id=95 op=LOAD
type=BPF msg=audit(1696867622.369:521): prog-id=94 op=UNLOAD
type=AVC msg=audit(1696867622.403:522): avc:  denied  { map } for  pid=7671 comm="postalias" path="/etc/aliases.lmdb" dev="vda1" ino=2238433 scontext=system_u:system_r:postfix_master_t:s0 tc
type=SYSCALL msg=audit(1696867622.403:522): arch=c000003e syscall=9 success=yes exit=139741810917376 a0=0 a1=1000000 a2=1 a3=1 items=0 ppid=7669 pid=7671 auid=4294967295 uid=0 gid=0 euid=0 s
type=PROCTITLE msg=audit(1696867622.403:522): proctitle=706F7374616C696173002D2D006C6D6462002F6574632F616C6961736573
type=SERVICE_START msg=audit(1696867622.613:523): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd"
type=SERVICE_STOP msg=audit(1696867653.588:524): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd" h
type=BPF msg=audit(1696867653.589:525): prog-id=96 op=LOAD
type=BPF msg=audit(1696867653.591:526): prog-id=95 op=UNLOAD
type=SERVICE_START msg=audit(1696867653.822:527): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd"

TLDR the /etc/aliases.lmdb file requires the same selinux policy settings as is already there for the /etc/aliases.db file.


Reproducible: Always

Steps to Reproduce:
1. build postfix --without db
2. setenforce 0
3. systemctl postfix start
Actual Results:  
SELinux AVCs as provided in the comment 0

Expected Results:  
No AVCs

Comment 1 Zdenek Pytela 2023-10-10 07:01:08 UTC

How can I verify the fix is working?

# rpm -qa "postfix*"
postfix-3.8.2-2.fc40.x86_64
postfix-lmdb-3.8.2-2.fc40.x86_64

Is the target F38?

Comment 2 Jaroslav Škarvada 2023-10-10 10:15:04 UTC

F38 test build created with command:
$ mock -r fedora-38-x86_64 --without=db ./postfix-3.8.2-2.fc40.src.rpm

Build/repo avaialable at:
https://jskarvad.fedorapeople.org/postfix/

Or install packages manually:
# dnf install https://jskarvad.fedorapeople.org/postfix/postfix-3.8.2-2.fc38.x86_64.rpm https://jskarvad.fedorapeople.org/postfix/postfix-lmdb-3.8.2-2.fc38.x86_64.rpm

Reproducer:
# setenforce 0
# rm -f /etc/aliases.lmdb
# systemctl restart postfix

Check /var/log/audit.log for above mentioned AVCs.

Or:

# setenforce 1
# rm -f /etc/aliases.lmdb
# systemctl restart postfix
# systemctl status postfix
...
Oct 10 06:12:03 vm-10-0-186-203.hosted.upshift.rdu2.redhat.com systemd[1]: Starting postfix.service - Postfix Mail Transport Agent...
Oct 10 06:12:03 vm-10-0-186-203.hosted.upshift.rdu2.redhat.com aliasesdb[2131]: postalias: fatal: open database /etc/aliases.lmdb: Permission denied
Oct 10 06:12:03 vm-10-0-186-203.hosted.upshift.rdu2.redhat.com postfix/postalias[2131]: fatal: open database /etc/aliases.lmdb: Permission denied
...

Comment 3 Zdenek Pytela 2023-10-10 12:54:31 UTC

I already had the right packages, was just looking for the change which is needed to trigger the denial and this seems to be
# /usr/sbin/postconf -h alias_database
lmdb:/etc/aliases

Feel free to check with selinux-policy builds available at 
https://dashboard.packit.dev/results/copr-builds/1064528 (f38)
https://dashboard.packit.dev/results/copr-builds/1064530 (f39)

Comment 4 Jaroslav Škarvada 2023-10-10 13:54:05 UTC

Thanks for the prompt response, but unfortunately it still seems not enough, new reproducer:

# systemctl start postfix
# useradd testuser
# echo hi | sendmail testuser
# journalctl
...
Oct 10 09:48:17 vm-10-0-185-214.hosted.upshift.rdu2.redhat.com postfix/local[2993]: error: open database /etc/aliases.lmdb: Permission denied
Oct 10 09:48:17 vm-10-0-185-214.hosted.upshift.rdu2.redhat.com postfix/local[2993]: warning: lmdb:/etc/aliases is unavailable. open database /etc/aliases.lmdb: Permission denied
Oct 10 09:48:17 vm-10-0-185-214.hosted.upshift.rdu2.redhat.com postfix/local[2993]: warning: lmdb:/etc/aliases: lookup of 'testuser' failed
Oct 10 09:48:17 vm-10-0-185-214.hosted.upshift.rdu2.redhat.com postfix/local[2993]: DF39F4020B: to=<yarda.upshift.rdu2.redhat.com>, orig_to=<testuser>, relay=local, delay=0.04, delays=0.03/0.01/0/0.01, dsn=4.3.0, status=deferred (alias database unavailable)

type=SERVICE_START msg=audit(1696945660.159:634): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1696945697.931:635): avc:  denied  { map } for  pid=2993 comm="local" path="/etc/aliases.lmdb" dev="vda2" ino=162022 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file permissive=0

To simplify things, the /etc/aliases.lmdb needs to have the same selinux policy records as the /etc/aliases.db already had.

Comment 5 Zdenek Pytela 2023-10-10 17:26:09 UTC

The new filename shares the label with other similar files, but it is the denial which is different: When I reproduced it, I saw postfix/master requesting map access as a result of postfix restart, your one has postfix/local.
It seems reasonable I'll now run all postfix tests we have in selinux-policy, it would help if you ran yours.

Use the latest build:
https://github.com/fedora-selinux/selinux-policy/pull/1899
-> show all checks

Comment 6 Zdenek Pytela 2023-10-10 17:36:08 UTC

I don't see any error  with

# rpm -qa postfix* selinux*
postfix-lmdb-3.8.2-2.fc38.x86_64
postfix-3.8.2-2.fc38.x86_64
selinux-policy-40.2-1.20231010171853559297.pr1899.2.g2692b272b.fc40.noarch
selinux-policy-targeted-40.2-1.20231010171853559297.pr1899.2.g2692b272b.fc40.noarch
selinux-policy-devel-40.2-1.20231010171853559297.pr1899.2.g2692b272b.fc40.noarch

Comment 7 Jaroslav Škarvada 2023-10-17 17:53:08 UTC

Thanks, all tests passed.

Note You need to log in before you can comment on or make changes to this bug.