There is an attempt to drop libdb from RHEL (bug 1788480), thus postfix is using lmdb, unfortunately it requires some selinux policy tweaks:

type=AVC msg=audit(1696867029.805:507): avc: denied { write } for pid=7342 comm="postalias" name="aliases.lmdb" dev="vda1" ino=2238433 scontext=system_u:system_r:postfix_master_t:s0 tcont
type=SYSCALL msg=audit(1696867029.805:507): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=562fb57eb670 a2=42 a3=1a4 items=0 ppid=7340 pid=7342 auid=4294967295 uid=0 gid=0 euid
type=PROCTITLE msg=audit(1696867029.805:507): proctitle=706F7374616C696173002D2D006C6D6462002F6574632F616C6961736573
type=SERVICE_START msg=audit(1696867031.010:508): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd"
type=SERVICE_STOP msg=audit(1696867246.266:509): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd" h
type=BPF msg=audit(1696867246.267:510): prog-id=93 op=LOAD
type=BPF msg=audit(1696867246.269:511): prog-id=92 op=UNLOAD
type=SERVICE_START msg=audit(1696867246.496:512): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd"
type=SERVICE_STOP msg=audit(1696867286.386:513): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd" h
type=BPF msg=audit(1696867286.387:514): prog-id=94 op=LOAD
type=BPF msg=audit(1696867286.389:515): prog-id=93 op=UNLOAD
type=AVC msg=audit(1696867286.418:516): avc: denied { map } for pid=7549 comm="postalias" path="/etc/aliases.lmdb" dev="vda1" ino=2489602 scontext=system_u:system_r:postfix_master_t:s0 tc
type=SYSCALL msg=audit(1696867286.418:516): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000000 a2=1 a3=1 items=0 ppid=7547 pid=7549 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
type=PROCTITLE msg=audit(1696867286.418:516): proctitle=706F7374616C696173002D2D006C6D6462002F6574632F616C6961736573
type=SERVICE_START msg=audit(1696867287.622:517): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd"
type=MAC_STATUS msg=audit(1696867614.606:518): enforcing=0 old_enforcing=1 auid=0 ses=4 enabled=1 old-enabled=1 lsm=selinux res=1^]AUID="root"
type=SYSCALL msg=audit(1696867614.606:518): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7ffd4f109d60 a2=1 a3=0 items=0 ppid=5685 pid=7651 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid
type=PROCTITLE msg=audit(1696867614.606:518): proctitle=736574656E666F7263650030
type=SERVICE_STOP msg=audit(1696867622.366:519): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd" h
type=BPF msg=audit(1696867622.367:520): prog-id=95 op=LOAD
type=BPF msg=audit(1696867622.369:521): prog-id=94 op=UNLOAD
type=AVC msg=audit(1696867622.403:522): avc: denied { map } for pid=7671 comm="postalias" path="/etc/aliases.lmdb" dev="vda1" ino=2238433 scontext=system_u:system_r:postfix_master_t:s0 tc
type=SYSCALL msg=audit(1696867622.403:522): arch=c000003e syscall=9 success=yes exit=139741810917376 a0=0 a1=1000000 a2=1 a3=1 items=0 ppid=7669 pid=7671 auid=4294967295 uid=0 gid=0 euid=0 s
type=PROCTITLE msg=audit(1696867622.403:522): proctitle=706F7374616C696173002D2D006C6D6462002F6574632F616C6961736573
type=SERVICE_START msg=audit(1696867622.613:523): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd"
type=SERVICE_STOP msg=audit(1696867653.588:524): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd" h
type=BPF msg=audit(1696867653.589:525): prog-id=96 op=LOAD
type=BPF msg=audit(1696867653.591:526): prog-id=95 op=UNLOAD
type=SERVICE_START msg=audit(1696867653.822:527): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd"

TLDR the /etc/aliases.lmdb file requires the same selinux policy settings as is already there for the /etc/aliases.db file.

Reproducible: Always

Steps to Reproduce:
1. build postfix --without db
2. setenforce 0
3. systemctl postfix start

Actual Results:
SELinux AVCs as provided in the comment 0

Expected Results:
No AVCs
How can I verify the fix is working?

# rpm -qa "postfix*"
postfix-3.8.2-2.fc40.x86_64
postfix-lmdb-3.8.2-2.fc40.x86_64

Is the target F38?
F38 test build created with command:

$ mock -r fedora-38-x86_64 --without=db ./postfix-3.8.2-2.fc40.src.rpm

Build/repo available at:
https://jskarvad.fedorapeople.org/postfix/

Or install packages manually:

# dnf install https://jskarvad.fedorapeople.org/postfix/postfix-3.8.2-2.fc38.x86_64.rpm https://jskarvad.fedorapeople.org/postfix/postfix-lmdb-3.8.2-2.fc38.x86_64.rpm

Reproducer:

# setenforce 0
# rm -f /etc/aliases.lmdb
# systemctl restart postfix

Check /var/log/audit.log for above mentioned AVCs.

Or:

# setenforce 1
# rm -f /etc/aliases.lmdb
# systemctl restart postfix
# systemctl status postfix
...
Oct 10 06:12:03 vm-10-0-186-203.hosted.upshift.rdu2.redhat.com systemd[1]: Starting postfix.service - Postfix Mail Transport Agent...
Oct 10 06:12:03 vm-10-0-186-203.hosted.upshift.rdu2.redhat.com aliasesdb[2131]: postalias: fatal: open database /etc/aliases.lmdb: Permission denied
Oct 10 06:12:03 vm-10-0-186-203.hosted.upshift.rdu2.redhat.com postfix/postalias[2131]: fatal: open database /etc/aliases.lmdb: Permission denied
...
I already had the right packages, was just looking for the change which is needed to trigger the denial and this seems to be

# /usr/sbin/postconf -h alias_database
lmdb:/etc/aliases

Feel free to check with selinux-policy builds available at
https://dashboard.packit.dev/results/copr-builds/1064528 (f38)
https://dashboard.packit.dev/results/copr-builds/1064530 (f39)
Thanks for the prompt response, but unfortunately it still seems not enough, new reproducer:

# systemctl start postfix
# useradd testuser
# echo hi | sendmail testuser
# journalctl
...
Oct 10 09:48:17 vm-10-0-185-214.hosted.upshift.rdu2.redhat.com postfix/local[2993]: error: open database /etc/aliases.lmdb: Permission denied
Oct 10 09:48:17 vm-10-0-185-214.hosted.upshift.rdu2.redhat.com postfix/local[2993]: warning: lmdb:/etc/aliases is unavailable. open database /etc/aliases.lmdb: Permission denied
Oct 10 09:48:17 vm-10-0-185-214.hosted.upshift.rdu2.redhat.com postfix/local[2993]: warning: lmdb:/etc/aliases: lookup of 'testuser' failed
Oct 10 09:48:17 vm-10-0-185-214.hosted.upshift.rdu2.redhat.com postfix/local[2993]: DF39F4020B: to=<yarda.upshift.rdu2.redhat.com>, orig_to=<testuser>, relay=local, delay=0.04, delays=0.03/0.01/0/0.01, dsn=4.3.0, status=deferred (alias database unavailable)

type=SERVICE_START msg=audit(1696945660.159:634): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=AVC msg=audit(1696945697.931:635): avc: denied { map } for pid=2993 comm="local" path="/etc/aliases.lmdb" dev="vda2" ino=162022 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file permissive=0

To simplify things, the /etc/aliases.lmdb needs to have the same selinux policy records as the /etc/aliases.db already had.
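The two comments above (comment 0 and this one) each carry a handful of AVC records buried in unrelated SERVICE_START/BPF noise, and the point of the thread is which postfix domain is missing which permission on the etc_aliases_t label. The following triage script is an added example, not code from the bug or from the selinux-policy project: it parses AVC records into (source type, target type, class) groups and renders the TE allow rules that audit2allow would propose. The sample log is constructed from the thread's records; the tcontext of the truncated 'write' record is assumed to be etc_aliases_t like the complete one.

```python
import re
from collections import defaultdict

# Constructed sample, not the bug's verbatim log: the two AVC shapes seen in
# the thread (postalias in postfix_master_t, local in postfix_local_t) plus a
# non-AVC record to show it is skipped. The tcontext of the first record is
# truncated in the report and is assumed here to be etc_aliases_t.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1696867029.805:507): avc:  denied  { write } for  pid=7342 comm="postalias" name="aliases.lmdb" dev="vda1" ino=2238433 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1696867031.010:508): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=postfix comm="systemd"'
type=AVC msg=audit(1696867622.403:522): avc:  denied  { map } for  pid=7671 comm="postalias" path="/etc/aliases.lmdb" dev="vda1" ino=2238433 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file permissive=1
type=AVC msg=audit(1696945697.931:635): avc:  denied  { map } for  pid=2993 comm="local" path="/etc/aliases.lmdb" dev="vda2" ino=162022 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file permissive=0
"""

# \s+ tolerates both the kernel's double spaces and the collapsed single spaces
# that web extraction left in the bug text.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return the triage fields of one AVC denial record, or None for other record types."""
    m = AVC_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = set(d["perms"].split())
    # A context is user:role:type:level; the type is what policy rules refer to.
    d["stype"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    # permissive=1 means the access went through and was only logged (setenforce 0).
    d["enforced"] = d["permissive"] != "1"
    return d

def summarize_avcs(text):
    """Group denied permissions by (source type, target type, class), as audit2allow does."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)

def allow_rules(summary):
    """Render each group as a TE allow rule; review before adopting, as with audit2allow output."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    for rule in allow_rules(summarize_avcs(SAMPLE_AUDIT)):
        print(rule)
```

The rendered rules only say which permissions were missing; the distribution fix discussed here extends the existing aliases.db rules to the new file name rather than adding standalone allow rules.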
The new filename shares the label with other similar files, but it is the denial which is different: when I reproduced it, I saw postfix/master requesting map access as a result of postfix restart, your one has postfix/local. It seems reasonable.

I'll now run all postfix tests we have in selinux-policy, it would help if you ran yours. Use the latest build:
https://github.com/fedora-selinux/selinux-policy/pull/1899 -> show all checks
I don't see any error with

# rpm -qa postfix* selinux*
postfix-lmdb-3.8.2-2.fc38.x86_64
postfix-3.8.2-2.fc38.x86_64
selinux-policy-40.2-1.20231010171853559297.pr1899.2.g2692b272b.fc40.noarch
selinux-policy-targeted-40.2-1.20231010171853559297.pr1899.2.g2692b272b.fc40.noarch
selinux-policy-devel-40.2-1.20231010171853559297.pr1899.2.g2692b272b.fc40.noarch
Thanks, all tests passed.