Description of problem:

One of my mailservers running postfix has suddenly stopped sending mail and has been generating the following errors after new selinux packages were installed:

Jan 7 12:03:08 postfix/sendmail[3560]: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
Jan 7 12:03:08 postfix/sendmail[3560]: fatal: root(0): unable to execute /usr/sbin/postdrop -r: Success
Jan 7 12:10:19 postfix/sendmail[3640]: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
Jan 7 12:10:19 postfix/sendmail[3640]: fatal: root(0): unable to execute /usr/sbin/postdrop -r: Success
Jan 7 12:20:04 postfix/sendmail[3675]: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
Jan 7 12:20:04 postfix/sendmail[3675]: fatal: root(0): unable to execute /usr/sbin/postdrop -r: Success
Jan 7 13:32:11 postfix/sendmail[3919]: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
Jan 7 13:32:11 postfix/sendmail[3919]: fatal: moonpup(500): unable to execute /usr/sbin/postdrop -r: Success

I believe it is an issue between postfix and selinux and think selinux somehow got corrupted. If I put selinux in permissive mode with a setenforce 0 I can send mail with no problem. As soon as I put selinux back into enforcing mode, I can no longer send mail and get the above errors.

As an FYI, I installed sendmail and did a quick system-switch-mail to use it, and sendmail works fine. I switched back to postfix and it still fails.

Things I have tried to fix this problem, but which didn't work:

1) Stopped postfix, uninstalled and reinstalled.
2) Did a complete filesystem relabel with a touch /.autorelabel and reboot.
3) Did a restorecon -F -R on /etc/postfix, /var/spool/postfix and /usr/sbin/post*

This started yesterday after I installed updated packages for selinux-policy and selinux-policy-targeted.
Version-Release number of selected component (if applicable):

Name        : selinux-policy                    Relocations: (not relocatable)
Version     : 2.4.6                             Vendor: Red Hat, Inc.
Release     : 255.el5_4.3                       Build Date: Wed 16 Dec 2009 06:10:13 AM EST
Install Date: Thu 07 Jan 2010 08:37:00 AM EST   Build Host: x86-003.build.bos.redhat.com
Group       : System Environment/Base           Source RPM: selinux-policy-2.4.6-255.el5_4.3.src.rpm
Size        : 7620988                           License: GPL
Signature   : DSA/SHA1, Wed 23 Dec 2009 10:20:33 AM EST, Key ID 5326810137017186
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://serefpolicy.sourceforge.net
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.

[root@serrano ~]# rpm -qi selinux-policy-targeted
Name        : selinux-policy-targeted           Relocations: (not relocatable)
Version     : 2.4.6                             Vendor: Red Hat, Inc.
Release     : 255.el5_4.3                       Build Date: Wed 16 Dec 2009 06:10:13 AM EST
Install Date: Thu 07 Jan 2010 08:37:04 AM EST   Build Host: x86-003.build.bos.redhat.com
Group       : System Environment/Base           Source RPM: selinux-policy-2.4.6-255.el5_4.3.src.rpm
Size        : 30036324                          License: GPL
Signature   : DSA/SHA1, Wed 23 Dec 2009 10:20:33 AM EST, Key ID 5326810137017186
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://serefpolicy.sourceforge.net
Summary     : SELinux targeted base policy
Description :
SELinux Reference policy targeted base module.

How reproducible:
Always

Steps to Reproduce:
1. Install the updated selinux packages
2.
3.

Actual results:
postfix won't send mail, see errors above

Expected results:
postfix will send mail

Additional info:
This is a regression in 5.4; it will be fixed in 5.5. Here is a workaround. Create a file called mypostfix.te with the following content.

=================================cut =========================================
policy_module(mypostfix, 1.0)

gen_require(`
	type sendmail_t;
')

allow postfix_postdrop_t sendmail_t:unix_stream_socket { getattr read write ioctl };
=============================================================================

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypostfix.pp
Thanks for the workaround, but my make is failing. Is my cut and paste wrong?

[root@serrano devel]# make -f /usr/share/selinux/devel/mypostfix.te
/usr/share/selinux/devel/mypostfix.te:1: *** missing separator.  Stop.
[root@serrano devel]# cat mypostfix.te
policy_module(mypostfix, 1.0)

gen_require(`
	type sendmail_t;
')

allow postfix_postdrop_t sendmail_t:unix_stream_socket { getattr read write ioctl };
(In reply to comment #2)
> Thanks for the workaround, by my make is failing. Is my cut and paste wrong?
>
> [root@serrano devel]# make -f /usr/share/selinux/devel/mypostfix.te

This is a mistake. Should be:

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypostfix.pp

> /usr/share/selinux/devel/mypostfix.te:1: *** missing separator.  Stop.
> [root@serrano devel]# cat mypostfix.te
> policy_module(mypostfix, 1.0)
>
> gen_require(`
>         type sendmail_t;
> ')
>
> allow postfix_postdrop_t sendmail_t:unix_stream_socket { getattr read write
> ioctl };

Kevin, also please use the following mypostfix.te file.

# cat mypostfix.te
policy_module(mypostfix, 1.0)

gen_require(`
	type sendmail_t;
	type postfix_postdrop_t;
')

allow postfix_postdrop_t sendmail_t:unix_stream_socket { getattr read write ioctl };
Thank you very much Miroslav, that worked perfectly. I never had to do something like this before, so I just learned something :) Anyway, Postfix will now send mail with selinux in enforcing mode. Thanks again for the quick reply and help, it's much appreciated!
*** Bug 553277 has been marked as a duplicate of this bug. ***
This bug is really annoying; it breaks logwatch sending e-mails on all postfix-driven systems with SELinux in enforced mode. Can one increase the priority? I would expect that Red Hat releases an updated SELinux definition shortly to fix this issue.
I'd rather install testing selinux packages than always modify local policies. Does Daniel's testing selinux repo contain these fixes?
Not yet, I will post as soon as it is built.
Fixed in selinux-policy-2.4.6-269.el5
Preview release available on http://people.redhat.com/dwalsh/SELinux/RHEL5/
I just did a semodule -r mypostfix (from the above workaround) and installed the updated selinux packages from Dan's link above. I can confirm that this has fixed the issue with postfix sending mail with selinux in enforcing mode. Thanks to Dan and Miroslav, hope to see these packages in the yum update soon ;)
Thanks Daniel for putting these rpms on your site. I confirm that postfix is working again on all my servers.
I confirm the fix. Please put the updated policy rpm in the updates repo asap :-)
(In reply to comment #1)
> This is a regression in 5.4, Will be fixed in 5.5.

Waiting until EL5.5 for a fix is unacceptable. EL5.4 shipped with a working SELinux and postfix (selinux-policy-2.4.6-255). The first errata EL5.4 (selinux-policy-2.4.6-255.el5_4.1) did not break postfix. This errata breaks postfix and my significantly large installation. Please back out the change or provide an updated errata.
*** Bug 556666 has been marked as a duplicate of this bug. ***
This _cannot_ wait until EL 5.5. I've just discovered a number of RHEL installations here which suddenly cannot send mails. This is a very nasty problem, and it needs an _urgent_ fix.
Yes, the problem was fixed in selinux-policy-2.4.6-255.el5_4.4. Look at bug #555793.
Thank you for the quick errata turnaround. Are there instructions for removing the workaround?
Execute:

# semodule -r mypostfix

It will remove the mypostfix local module.
*** Bug 557783 has been marked as a duplicate of this bug. ***
I've applied erratum CLA-2010:0063 which supposedly fixes this bug but I still received the error:

mail tfigueiro.com -s 'TeamSite upgrade'
asd
.
Cc:
send-mail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
send-mail: fatal: thiago(500): unable to execute /usr/sbin/postdrop -r: Success

I've installed the mypostfix workaround and it fixed the issue.
Thiago, would it be possible to try to remove the mypostfix workaround and then execute

# sesearch --allow -s postfix_postdrop_t -t sendmail_t --class unix_stream_socket

and

# rpm -qa selinux-policy\*

What are your outputs?
Miroslav, forget my comment #26. Satellite and RPM played a dirty trick on me and I still had selinux-policy-2.4.6-255.el5_4.3:

# sesearch --allow -s postfix_postdrop_t -t sendmail_t --class unix_stream_socket
# rpm -qa selinux-policy\*
selinux-policy-2.4.6-255.el5_4.3
selinux-policy-targeted-2.4.6-255.el5_4.3
selinux-policy-devel-2.4.6-255.el5_4.3

I've updated (again!) to selinux-policy-2.4.6-255.el5_4.4 and it now works:

# sesearch --allow -s postfix_postdrop_t -t sendmail_t --class unix_stream_socket
Found 1 av rules:
   allow postfix_postdrop_t sendmail_t : unix_stream_socket { ioctl read write getattr };
# sendmail -f tfigueiro.com tfigueiro.com
test
.
#

Thank you for your quick reply and apologies for wasting your time.

Thiago.
Ok, no problem.
This just happened to me in Fedora when I updated:

Mar 10 05:34:54 Updated: selinux-policy-3.3.1-135.fc9.noarch
Mar 10 05:35:17 Updated: selinux-policy-targeted-3.3.1-135.fc9.noarch

postfix can't send mail with selinux on; trying to implement the fix but getting an error:

make -f mypostfix.te
mypostfix.te:1: *** missing separator.  Stop.

bump: fedora please update so i can just do "yum update", this code stuff is baffling me! :0
oops;

[code]
policy_module(mypostfix, 1.0)

gen_require(`
	type sendmail_t;
	type postfix_postdrop_t;
')

allow postfix_postdrop_t sendmail_t:unix_stream_socket { getattr read write ioctl };
[/code]

Installed: selinux-policy-devel.noarch 0:3.3.1-135.fc9

and now make works:

make -f /usr/share/selinux/devel/Makefile
Compiling targeted mypostfix module
/usr/bin/checkmodule: loading policy configuration from tmp/mypostfix.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 8) to tmp/mypostfix.mod
Creating targeted mypostfix.pp policy package
rm tmp/mypostfix.mod.fc tmp/mypostfix.mod
[root@HOSTNAME ~]# semodule -i mypostfix.pp
[root@HOSTNAME ~]#

but I still have the problem on Fedora: even after the above is done, postfix will not send mail with selinux on. I have these messages in maillog and messages:

Mar 12 06:03:52 HOSTNAME postfix/cleanup[7581]: fatal: open lock file pid/unix.cleanup: cannot open file: Permission denied
Mar 12 06:03:53 HOSTNAME postfix/master[7523]: warning: process /usr/libexec/postfix/cleanup pid 7581 exit status 1
Mar 12 06:03:53 HOSTNAME postfix/master[7523]: warning: /usr/libexec/postfix/cleanup: bad command startup -- throttling]
Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.566:232533): avc: denied { connectto } for pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.566:232534): avc: denied { connectto } for pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.567:232535): avc: denied { connectto } for pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.567:232536): avc: denied { connectto } for pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.568:232537): avc: denied { read write } for pid=7581 comm="cleanup" name="unix.cleanup" dev=sda1 ino=8306741 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file

hope this helps fix the bug in fedora
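The AVC denials quoted in the comment above and the hand-written mypostfix.te earlier in this thread are the two halves of one routine: read the denials, work out which (source type, target type, class) pairs are missing which permissions, and wrap the resulting allow rules in a local policy module with a gen_require block that declares every type used (the missing `type postfix_postdrop_t;` declaration was exactly what Miroslav added to the first draft). The script below is an added example, not code from this bug report or from Red Hat's audit2allow, although it is a miniature of what that tool does. The audit records embedded in it are constructed: two are modelled on the cleanup denials quoted above, and two are made-up postdrop records (the audit ids and pid are invented) shaped like the denial the workaround addresses. It also flags any rule whose target type is unconfined_t, because granting a confined daemon connectto on an unconfined socket widens the policy far more than the narrow postdrop/sendmail rule and deserves a second look before semodule -i.

```python
"""Derive SELinux allow rules from AVC denial records and render a local policy module.

Added example; not part of the bug report. Sample input is constructed.
"""
import re
from collections import defaultdict

# Constructed sample records (audit.log style; the kernel/dmesg form parses the same way).
SAMPLE_AVC = """\
type=AVC msg=audit(1268373832.566:232533): avc:  denied  { connectto } for  pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1268373832.568:232537): avc:  denied  { read write } for  pid=7581 comm="cleanup" name="unix.cleanup" dev=sda1 ino=8306741 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1262884988.101:4242): avc:  denied  { getattr } for  pid=3560 comm="postdrop" path="socket:[12345]" scontext=user_u:system_r:postfix_postdrop_t:s0 tcontext=user_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1262884988.102:4243): avc:  denied  { read write ioctl } for  pid=3560 comm="postdrop" path="socket:[12345]" scontext=user_u:system_r:postfix_postdrop_t:s0 tcontext=user_u:system_r:sendmail_t:s0 tclass=unix_stream_socket
"""

# Permissions are in braces; scontext/tcontext/tclass follow in that order.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Heuristic: targets that make an allow rule far broader than it looks.
BROAD_TARGETS = {"unconfined_t"}


def context_type(ctx):
    """Return the type component of a context user:role:type[:range]."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    return parts[2]


def parse_avc(line):
    """Parse one denial line into its rule components, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def collect_rules(text):
    """Merge denials into {(source_type, target_type, class): set(permissions)}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def render_module(name, version, rules):
    """Render a refpolicy-style .te file: header, gen_require of all types, allow rules."""
    types = sorted({t for key in rules for t in key[:2]})
    out = [f"policy_module({name}, {version})", "", "gen_require(`"]
    out += [f"\ttype {t};" for t in types]
    out += ["')", ""]
    for stype, ttype, tclass in sorted(rules):
        perms = " ".join(sorted(rules[(stype, ttype, tclass)]))
        out.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};")
    return "\n".join(out) + "\n"


def suspicious_targets(rules):
    """Return rule keys whose target type is in BROAD_TARGETS, for manual review."""
    return sorted(key for key in rules if key[1] in BROAD_TARGETS)


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AVC)
    print(render_module("mypostfix", "1.0", rules))
    for key in suspicious_targets(rules):
        print(f"# REVIEW: rule targets a broad domain: {key}")
```

Run it with the audit lines you actually see (for example piped from `grep avc /var/log/audit/audit.log`) in place of SAMPLE_AVC, and read the REVIEW lines before building the module with the Makefile and semodule commands given earlier in the thread. A denial against unconfined_t or a generic label such as var_run_t usually points at a mislabelled socket or file that should be relabelled rather than allowed.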
Please update to a supported version Fedora 11, 12 or 13. We do not support 9 any longer.
Hi Daniel, I've installed the audit daemon (I was previously just using the messages log). Now I have the errors found in this bug; are these two bugs the same thing? If so, do you need to mark them as a duplicate?

https://bugzilla.redhat.com/show_bug.cgi?id=448333 (avc: denied { write } for pid=16292 comm="sendmail" and connectto)

Regards, Robert.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html
*** Bug 555349 has been marked as a duplicate of this bug. ***