The SELinux change from bug 2242898 seems to be incomplete, only permitting Postfix to map /etc/aliases.lmdb; any other LMDB database it attempts to open has the same problem, e.g.:

Nov 03 16:25:28 audit[294288]: AVC avc: denied { map } for pid=294288 comm="postscreen" path="/var/lib/postfix/postscreen_cache.lmdb" dev="dm-1" ino=25200449 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_data_t:s0 tclass=file permissive=0
Nov 03 16:25:28 postfix/postscreen[294288]: error: open database /var/lib/postfix/postscreen_cache.lmdb: Permission denied
Nov 03 16:25:28 postfix/postscreen[294288]: warning: lmdb:/var/lib/postfix/postscreen_cache is unavailable. open database /var/lib/postfix/postscreen_cache.lmdb: Permission denied
Nov 03 16:25:28 postfix/postscreen[294288]: warning: lmdb:/var/lib/postfix/postscreen_cache is unavailable. open database /var/lib/postfix/postscreen_cache.lmdb: Permission denied
Nov 03 16:25:28 postfix/postscreen[294288]: warning: lmdb:/var/lib/postfix/postscreen_cache: sequence error
Nov 03 16:25:28 postfix/postscreen[294288]: warning: lmdb:/var/lib/postfix/postscreen_cache: cache cleanup scan terminated due to error
Nov 03 16:25:28 postfix/postscreen[294288]: cache lmdb:/var/lib/postfix/postscreen_cache partial cleanup: retained=0 dropped=0 entries

This is from an up-to-date Fedora 38 system, but appears to affect all current branches. Note that the path shown is just one example; all LMDB databases should work, at least provided they're in locations Postfix is otherwise allowed to access.

Reproducible: Always
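To see the full scope of this problem rather than one path at a time, an administrator can pull every `map` denial on an `.lmdb` file out of the audit log and group it by (source domain, target type). The following is an added example, not code from the bug report or from the selinux-policy project; the sample audit text is constructed: the first line copies the denial reported above, the second is a hypothetical extra denial for a different Postfix domain, and the third is a non-map denial included only to show it is filtered out.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the AVC from this report, lines 2-3 are hypothetical.
SAMPLE_AUDIT = """\
Nov 03 16:25:28 audit[294288]: AVC avc: denied { map } for pid=294288 comm="postscreen" path="/var/lib/postfix/postscreen_cache.lmdb" dev="dm-1" ino=25200449 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_data_t:s0 tclass=file permissive=0
Nov 03 16:25:29 audit[294301]: AVC avc: denied { map } for pid=294301 comm="smtpd" path="/etc/postfix/access.lmdb" dev="dm-1" ino=25200450 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file permissive=0
Nov 03 16:25:30 audit[294288]: AVC avc: denied { read } for pid=294288 comm="postscreen" path="/etc/hosts" dev="dm-1" ino=12 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group('fields')):
        fields[key] = value[1:-1] if value.startswith('"') else value
    fields['perms'] = m.group('perms').split()
    # Contexts are user:role:type:level; the type is what policy rules are written against.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields


def lmdb_map_denials(audit_text):
    """Map (source type, target type, class) -> set of .lmdb paths denied the 'map' permission."""
    found = defaultdict(set)
    for line in audit_text.splitlines():
        f = parse_avc(line)
        if not f or 'map' not in f['perms']:
            continue
        if not f.get('path', '').endswith('.lmdb') or not f['stype'].startswith('postfix_'):
            continue
        found[(f['stype'], f['ttype'], f['tclass'])].add(f['path'])
    return dict(found)


def suggested_rules(denials):
    """Render each missing permission in policy-language syntax, for comparison with the
    shipped policy change. Review each rule against the domain that should hold it
    (see the thread's point about postfix_master_t) rather than installing them blindly."""
    return sorted(f'allow {s} {t}:{c} map;' for (s, t, c) in denials)


if __name__ == '__main__':
    for key, paths in sorted(lmdb_map_denials(SAMPLE_AUDIT).items()):
        print(key, sorted(paths))
    print('\n'.join(suggested_rules(lmdb_map_denials(SAMPLE_AUDIT))))
```

On a real system feed it the output of `ausearch -m AVC -ts recent` instead of SAMPLE_AUDIT.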
Thanks for the report. The fix was complete, but just within the range of how it was reported, and no additional tests show further denials.
Fair enough, then the report was incomplete -- either way, it seems the postfix-lmdb package hasn't seen much real-world use if problems like this still exist. Cc: Jaroslav -- is a similar default database type change intended for Fedora at some point?
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/1953 You can try a scratch build attached to the PR or wait a few days until it gets to Fedora; our test did not find any issue.
FEDORA-2023-aeccf7b447 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-aeccf7b447
selinux-policy-39.3-1 avoids the initial postscreen_cache issue on Fedora 39; however, I'm not convinced that the change is complete or correct. At minimum, the change from bug 2242898 is now redundant, and should have been reverted. postfix_master_t seems like it should have been reserved for the master process alone, yet it appears that a number of ancillary processes are running in that context -- pretty much everything newer than early Postfix 2.x releases. Blame output indicates that every one of the extant transitions dates back to at least an 11-year-old "Fix typos" commit, at best... Is this policy actually being maintained, or are changes just "make the AVC go away"?
FEDORA-2023-aeccf7b447 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-aeccf7b447` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-aeccf7b447 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-aeccf7b447 has been pushed to the Fedora 38 stable repository. If the problem still persists, please make note of it in this bug report.
This would be a fantastic time to read comment 5. This "fix" is incorrect and incomplete.
(In reply to Rob Foehl from comment #2)
> Fair enough, then the report was incomplete -- either way, it seems the
> postfix-lmdb package hasn't seen much real-world use if problems like this
> still exist.
>
> Cc: Jaroslav -- is a similar default database type change intended for
> Fedora at some point?

I would like to have the bdb as the default as long as it's the upstream default, bdb is available in Fedora, and being the default is allowed by Fedora policies.
I.e. I expect that at some point it will be switched. Unfortunately, I am not an SELinux expert. In the original SELinux bug I suggested duplication of the bdb rules for the lmdb, which I thought should be enough.
Fedora Linux 38 entered end-of-life (EOL) status on 2024-05-21. Fedora Linux 38 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed.
Sigh. I'll refer to comment #5 again, since this remains incorrect and incomplete.