Bug 435112 - Temporary queued mails in postfix can't be delivered
Temporary queued mails in postfix can't be delivered
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
5.1
All Linux
low Severity high
: rc
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-02-27 08:31 EST by Robert Scheck
Modified: 2008-05-21 12:07 EDT (History)
2 users (show)

See Also:
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-21 12:07:14 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Robert Scheck 2008-02-27 08:31:34 EST
Description of problem:
postfix/pickup[4377]: warning: maildrop/A551FC9571B: Permission denied
postfix/pickup[4377]: warning: maildrop/F02C2C958CB: Permission denied
postfix/pickup[4377]: warning: maildrop/2FFACC95788: Permission denied
postfix/pickup[4377]: warning: maildrop/30117C958CA: Permission denied
postfix/pickup[4377]: warning: maildrop/30062C958C4: Permission denied
postfix/pickup[4377]: warning: maildrop/2FFD7C95867: Permission denied

postfix/pickup[4377]: warning: open input file maildrop/A551FC9571B: cannot open
file: Permission denied
postfix/pickup[4377]: warning: if this file was created by Postfix < 1.1, then
you may have to chmod a+r /var/spool/postfix/maildrop/A551FC9571B
postfix/pickup[4377]: warning: open input file maildrop/F02C2C958CB: cannot open
file: Permission denied
postfix/pickup[4377]: warning: if this file was created by Postfix < 1.1, then
you may have to chmod a+r /var/spool/postfix/maildrop/F02C2C958CB
postfix/pickup[4377]: warning: open input file maildrop/2FFACC95788: cannot open
file: Permission denied
postfix/pickup[4377]: warning: if this file was created by Postfix < 1.1, then
you may have to chmod a+r /var/spool/postfix/maildrop/2FFACC95788
postfix/pickup[4377]: warning: open input file maildrop/30117C958CA: cannot open
file: Permission denied
postfix/pickup[4377]: warning: if this file was created by Postfix < 1.1, then
you may have to chmod a+r /var/spool/postfix/maildrop/30117C958CA
postfix/pickup[4377]: warning: open input file maildrop/30062C958C4: cannot open
file: Permission denied
postfix/pickup[4377]: warning: if this file was created by Postfix < 1.1, then
you may have to chmod a+r /var/spool/postfix/maildrop/30062C958C4
postfix/pickup[4377]: warning: open input file maildrop/2FFD7C95867: cannot open
file: Permission denied
postfix/pickup[4377]: warning: if this file was created by Postfix < 1.1, then
you may have to chmod a+r /var/spool/postfix/maildrop/2FFD7C95867
postfix/smtpd[4532]: connect from int-fw.hq.stgt.etes.de[127.0.0.1]

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-106

How reproducible:
Everytime a mail gets temporary queued by postfix and shall be requeued for 
delivering e.g. via postsuper -r ALL.

Actual results:
Temporary queued mails in postfix can't be delivered :-(

Expected results:
Working stuff as without SELinux...

Additional info:
This solves the problem for me:
  allow postfix_pickup_t postfix_spool_t:file { read getattr unlink };
as per following log infos:
type=AVC msg=audit(1204117213.700:33094): avc:  denied  { getattr } for 
pid=4377 comm="pickup" path="/var/spool/postfix/maildrop/A551FC9571B" dev=sda2
ino=13195035 scontext=user_u:system_r:postfix_pickup_t:s0
 tcontext=user_u:object_r:postfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1204117213.700:33094): arch=c000003e syscall=6 success=no
exit=-13 a0=555564f943e0 a1=7ffffc7cd888 a2=7ffffc7cd888 a3=0 items=0 ppid=4375
pid=4377 auid=1005 uid=89 gid=89 euid=89 suid=89
 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) comm="pickup"
exe="/usr/libexec/postfix/pickup" subj=user_u:system_r:postfix_pickup_t:s0
key=(null)

type=AVC msg=audit(1204117513.313:33141): avc:  denied  { read } for  pid=4377
comm="pickup" name="A551FC9571B" dev=sda2 ino=13195035
scontext=user_u:system_r:postfix_pickup_t:s0 tcontext=user_u:object_r:postf
ix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1204117513.313:33141): arch=c000003e syscall=2 success=no
exit=-13 a0=555564f94570 a1=800 a2=0 a3=0 items=0 ppid=4375 pid=4377 auid=1005
uid=89 gid=89 euid=89 suid=89 fsuid=89 egid=89 sg
id=89 fsgid=89 tty=(none) comm="pickup" exe="/usr/libexec/postfix/pickup"
subj=user_u:system_r:postfix_pickup_t:s0 key=(null)

type=AVC msg=audit(1204117813.774:33182): avc:  denied  { unlink } for  pid=4377
comm="pickup" name="A551FC9571B" dev=sda2 ino=13195035
scontext=user_u:system_r:postfix_pickup_t:s0 tcontext=user_u:object_r:pos
tfix_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1204117813.774:33182): arch=c000003e syscall=87
success=no exit=-13 a0=555564f94570 a1=555564f94bf0 a2=555564f946a0 a3=0 items=0
ppid=4375 pid=4377 auid=1005 uid=89 gid=89 euid=89 suid=8
9 fsuid=89 egid=89 sgid=89 fsgid=89 tty=(none) comm="pickup"
exe="/usr/libexec/postfix/pickup" subj=user_u:system_r:postfix_pickup_t:s0
key=(null)
Comment 1 Daniel Walsh 2008-02-27 17:06:13 EST
restorecon -R -v /var/spool/postfix/maildrop

Should fix.  Not sure how this is getting mislabeled.  Is there something
deleting and recreating this directory?
Comment 2 Robert Scheck 2008-02-27 17:30:22 EST
It was just a normal installation with sendmail. Removed sendmail and 
installed postfix. Not more and not less.
Comment 3 Daniel Walsh 2008-02-27 22:59:45 EST
Did the restorecon fix the labeling?

If not could you try the policy on 

http://people.redhat.com/dwalsh/SELinux/RHEL5

This is a preview of the U2 policy.
Comment 4 Robert Scheck 2008-02-28 04:53:14 EST
restorecon -R -v /var/spool/postfix/maildrop caused no output and return code is 
zero. AFAIK relabeling (if any is done) causes output.
Comment 5 Daniel Walsh 2008-02-28 09:34:56 EST
Ok try the U2 policy, this must have been fixed post u1.

Fixed in  selinux-policy-2.4.6-122.el5
Comment 6 RHEL Product and Program Management 2008-03-05 17:07:18 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 10 errata-xmlrpc 2008-05-21 12:07:14 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html

Note You need to log in before you can comment on or make changes to this bug.