Bug 553492 - New selinux packages broke Postfix
New selinux packages broke Postfix
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.4
All Linux
low Severity high
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
: Regression, ZStream
: 553277 555349 556666 557783 (view as bug list)
Depends On:
Blocks: 555778 555793
  Show dependency treegraph
 
Reported: 2010-01-07 20:51 EST by Kevin Lisciotti
Modified: 2013-01-10 21:40 EST (History)
24 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 555778 (view as bug list)
Environment:
Last Closed: 2010-03-30 03:50:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kevin Lisciotti 2010-01-07 20:51:12 EST
Description of problem:

One of my mailservers running postfix has suddenly stopped sending mail and has been generating the following errors after new selinux packages were installed:

Jan 7 12:03:08 postfix/sendmail[3560]: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
Jan 7 12:03:08 postfix/sendmail[3560]: fatal: root(0): unable to execute /usr/sbin/postdrop -r: Success
Jan 7 12:10:19 postfix/sendmail[3640]: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
Jan 7 12:10:19 postfix/sendmail[3640]: fatal: root(0): unable to execute /usr/sbin/postdrop -r: Success
Jan 7 12:20:04 postfix/sendmail[3675]: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
Jan 7 12:20:04 postfix/sendmail[3675]: fatal: root(0): unable to execute /usr/sbin/postdrop -r: Success
Jan 7 13:32:11 postfix/sendmail[3919]: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
Jan 7 13:32:11 postfix/sendmail[3919]: fatal: moonpup(500): unable to execute /usr/sbin/postdrop -r: Success

I believe it is an issue between postfix and selinux and think selinux somehow got corrupted. If I put selinux in permissive mode with a setenforce 0 I can send mail with no problem. As soon as I put selinux back into enforcing mode, I can no longer send mail and get the above errors. As an fyi, I installed sendmail and did a quick system-switch-mail to use it and sendmail works fine. I switch back to postfix and it still fails.

Things I have tried to fix this problem, but didn't work.

1) Stopped postfix, uninstalled and reinstalled.

2) Did a complete filesystem relabel with a touch /.autorelabel and reboot.

3) Did a restorecon -F -R on /etc/postfix, /var/spool/postfix and /usr/sbin/post*

This started yesterday after I installed updated packages for selinux-policy and selinux-policy-targeted.

Version-Release number of selected component (if applicable):
Name        : selinux-policy               Relocations: (not relocatable)
Version     : 2.4.6                             Vendor: Red Hat, Inc.
Release     : 255.el5_4.3                   Build Date: Wed 16 Dec 2009 06:10:13 AM EST
Install Date: Thu 07 Jan 2010 08:37:00 AM EST      Build Host: x86-003.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: selinux-policy-2.4.6-255.el5_4.3.src.rpm
Size        : 7620988                          License: GPL
Signature   : DSA/SHA1, Wed 23 Dec 2009 10:20:33 AM EST, Key ID 5326810137017186
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://serefpolicy.sourceforge.net
Summary     : SELinux policy configuration
Description :
SELinux Reference Policy - modular.


[root@serrano ~]# rpm -qi selinux-policy-targeted
Name        : selinux-policy-targeted      Relocations: (not relocatable)
Version     : 2.4.6                             Vendor: Red Hat, Inc.
Release     : 255.el5_4.3                   Build Date: Wed 16 Dec 2009 06:10:13 AM EST
Install Date: Thu 07 Jan 2010 08:37:04 AM EST      Build Host: x86-003.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: selinux-policy-2.4.6-255.el5_4.3.src.rpm
Size        : 30036324                         License: GPL
Signature   : DSA/SHA1, Wed 23 Dec 2009 10:20:33 AM EST, Key ID 5326810137017186
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://serefpolicy.sourceforge.net
Summary     : SELinux targeted base policy
Description :
SELinux Reference policy targeted base module.


How reproducible:

Always

Steps to Reproduce:
1.Install the updated selinux packages
2.
3.
  
Actual results:
postifx won't send mail, see errors above

Expected results:
postfix will send mail

Additional info:
Comment 1 Daniel Walsh 2010-01-08 09:20:45 EST
This is a regression in 5.4,  Will be fixed in 5.5.  

Here is a work around.

Create a file called mypostfix.te with the following content.

=================================cut =========================================
policy_module(mypostfix, 1.0)

gen_require(`
	type sendmail_t;
')

allow postfix_postdrop_t sendmail_t:unix_stream_socket { getattr read write ioctl };
=============================================================================

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypostfix.pp
Comment 2 Kevin Lisciotti 2010-01-08 10:49:09 EST
Thanks for the workaround, by my make is failing. Is my cut and paste wrong?

[root@serrano devel]# make -f /usr/share/selinux/devel/mypostfix.te 
/usr/share/selinux/devel/mypostfix.te:1: *** missing separator.  Stop.
[root@serrano devel]# cat mypostfix.te 
policy_module(mypostfix, 1.0)

gen_require(`
 type sendmail_t;
')

allow postfix_postdrop_t sendmail_t:unix_stream_socket { getattr read write
ioctl };
Comment 3 Miroslav Grepl 2010-01-08 14:23:17 EST
(In reply to comment #2)
> Thanks for the workaround, by my make is failing. Is my cut and paste wrong?
> 
> [root@serrano devel]# make -f /usr/share/selinux/devel/mypostfix.te
This is a mistake. Should be:

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypostfix.pp 

> /usr/share/selinux/devel/mypostfix.te:1: *** missing separator.  Stop.
> [root@serrano devel]# cat mypostfix.te 
> policy_module(mypostfix, 1.0)
> 
> gen_require(`
>  type sendmail_t;
> ')
> 
> allow postfix_postdrop_t sendmail_t:unix_stream_socket { getattr read write
> ioctl };  

Kevin,
also please use the following mypostfix.te file.

# cat mypostfix.te 
policy_module(mypostfix, 1.0)

gen_require(`
 type sendmail_t;
 type postfix_postdrop_t;
')

allow postfix_postdrop_t sendmail_t:unix_stream_socket { getattr read write ioctl };
Comment 4 Kevin Lisciotti 2010-01-08 14:36:22 EST
Thank you very much Miroslav, that worked perfectly. I never had to do something like this before, so I just learned something :) Anyway, Postfix will now send mail with selinux in enforcing mode. Thanks again for the quick reply and help, it's much appreciated!
Comment 5 Daniel Walsh 2010-01-09 08:50:44 EST
*** Bug 553277 has been marked as a duplicate of this bug. ***
Comment 6 Peter Bieringer 2010-01-11 06:54:07 EST
This bug is really annoying, it breaks logwatch sending e-mails on all postfix driven systems with SELinux in enforced mode.

Can one increase the priority, I would expect that Red Hat releases an updated SELinux definition shortly to fix this issue.
Comment 7 Levente Farkas 2010-01-11 11:45:18 EST
is'd rather install a testing selinux packages then always modify local policies. is daniel's testing selinux repo contains this fixes?
Comment 8 Daniel Walsh 2010-01-11 11:48:01 EST
Not yet,  I will post as soon as it is built.
Comment 9 Miroslav Grepl 2010-01-11 11:52:24 EST
Fixed in selinux-policy-2.4.6-269.el5
Comment 12 Daniel Walsh 2010-01-11 12:45:00 EST
Preview release available on 

http://people.redhat.com/dwalsh/SELinux/RHEL5/
Comment 13 Kevin Lisciotti 2010-01-11 14:19:52 EST
I just did an semodule -r mypostfix (from the above workaround) and installed the updated selinux packages from Dan's link above.

I can confirm that this has fixed the issue with postfix sending mail with selinux in enforcing mode. Thanks to Dan and Mirosloav, hope to see these packages in the yum update soon ;)
Comment 14 Jorge Fábregas 2010-01-12 19:07:48 EST
Thanks Daniel for putting these rpms on your site. I confirm that postfix is working back again on all my servers.
Comment 16 Ferry Huberts 2010-01-15 04:23:14 EST
I confirm the fix.
Please put the updated policy rpm in the updates repo asap :-)
Comment 17 Michael Arnold 2010-01-15 08:41:12 EST
(In reply to comment #1)
> This is a regression in 5.4,  Will be fixed in 5.5.  

Waiting until EL5.5 for a fix is unacceptable.  EL5.4 shipped with a working
SELinux and postfix (selinux-policy-2.4.6-255).  The first errata EL5.4
(selinux-policy-2.4.6-255.el5_4.1) did not break postfix.  This errata breaks
postfix and my significantly large installation.  Please back out the change or
provide an updated errata.
Comment 19 Daniel Walsh 2010-01-19 08:11:21 EST
*** Bug 556666 has been marked as a duplicate of this bug. ***
Comment 20 Troels Arvin 2010-01-21 03:35:06 EST
This _cannot_ wait until EL 5.5. I've just discovered a number of RHEL installations here which suddenly cannot send mails. This is a very nasty problem, and it needs an _urgent_ fix.
Comment 21 Miroslav Grepl 2010-01-21 06:57:21 EST
Yes, the problem was fixed in selinux-policy-2.4.6-255.el5_4.4. 

Look at #555793 bug.
Comment 22 Michael Arnold 2010-01-21 09:44:39 EST
Thank you for the quick errata turnaround.

Are there instructions for removing the workaround?
Comment 23 Miroslav Grepl 2010-01-21 11:05:41 EST
Execute:

# semodule -r mypostfix

It will remove mypostfix local module.
Comment 24 Miroslav Grepl 2010-01-22 10:49:56 EST
*** Bug 557783 has been marked as a duplicate of this bug. ***
Comment 26 Thiago Figueiro 2010-02-03 02:11:12 EST
I've applied erratum CLA-2010:0063 which supposedly fixes this bug bit I still received the error:


 mail tfigueiro@au.westfield.com -s 'TeamSite upgrade'
asd
.
Cc: 
send-mail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
send-mail: fatal: thiago(500): unable to execute /usr/sbin/postdrop -r: Success


I've installed the mypostfix workaround and it fixed the issue.
Comment 27 Miroslav Grepl 2010-02-04 06:43:39 EST
Thiago,

would it be possible to try to remove the mypostfix workaround and then execute

# sesearch --allow -s postfix_postdrop_t -t sendmail_t --class unix_stream_socket

and

# rpm -qa selinux-policy\*



What are your outputs?
Comment 28 Thiago Figueiro 2010-02-04 16:51:44 EST
Miroslav,

forget my comment#26.  Satellite and RPM played a dirty trick on me and I still had selinux-policy-2.4.6-255.el5_4.3:

# sesearch --allow -s postfix_postdrop_t -t sendmail_t --class unix_stream_socket

# rpm -qa selinux-policy\*
selinux-policy-2.4.6-255.el5_4.3
selinux-policy-targeted-2.4.6-255.el5_4.3
selinux-policy-devel-2.4.6-255.el5_4.3


I've updated (again!) to selinux-policy-2.4.6-255.el5_4.4 and it now works:

# sesearch --allow -s postfix_postdrop_t -t sendmail_t --class unix_stream_socket
Found 1 av rules:
   allow postfix_postdrop_t sendmail_t : unix_stream_socket { ioctl read write getattr }; 

# sendmail -f tfigueiro@au.westfield.com  tfigueiro@au.westfield.com

test
.
#

Thank you for your quick reply and apologies for wasting your time.

Thiago.
Comment 29 Miroslav Grepl 2010-02-04 17:07:06 EST
Ok, no problem.
Comment 30 rjcroasdale 2010-03-12 00:37:56 EST
this just happened to me in fedora when updated 

Mar 10 05:34:54 Updated: selinux-policy-3.3.1-135.fc9.noarch
Mar 10 05:35:17 Updated: selinux-policy-targeted-3.3.1-135.fc9.noarch

postfix cant send mail with selinux on;

trying to implement the fix but getting error;

make -f mypostfix.te
mypostfix.te:1: *** missing separator.  Stop.

bump: fedora please update so i can just do "yum update" this code stuff is baffling me! :0
Comment 31 rjcroasdale 2010-03-12 01:14:17 EST
oops;
[code]policy_module(mypostfix, 1.0)

gen_require(`
 type sendmail_t;
 type postfix_postdrop_t;
')

allow postfix_postdrop_t sendmail_t:unix_stream_socket { getattr read write
ioctl };[/code]

Installed:
  selinux-policy-devel.noarch 0:3.3.1-135.fc9

and now make works

make -f /usr/share/selinux/devel/Makefile
Compiling targeted mypostfix module
/usr/bin/checkmodule:  loading policy configuration from tmp/mypostfix.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 8) to tmp/mypostfix.mod
Creating targeted mypostfix.pp policy package
rm tmp/mypostfix.mod.fc tmp/mypostfix.mod


[root@HOSTNAME ~]# semodule -i mypostfix.pp
[root@HOSTNAME ~]#


but still have the problem on fedora, even after the above is done, postfix will not send mail with selinux on.


have these messages in maillog and message

Mar 12 06:03:52 HOSTNAME postfix/cleanup[7581]: fatal: open lock file pid/unix.cleanup: cannot open file: Permission denied
Mar 12 06:03:53 HOSTNAME postfix/master[7523]: warning: process /usr/libexec/postfix/cleanup pid 7581 exit status 1
Mar 12 06:03:53 HOSTNAME postfix/master[7523]: warning: /usr/libexec/postfix/cleanup: bad command startup -- throttling]


Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.566:232533): avc:  denied  { connectto } for  pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.566:232534): avc:  denied  { connectto } for  pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.567:232535): avc:  denied  { connectto } for  pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.567:232536): avc:  denied  { connectto } for  pid=7581 comm="cleanup" path="/var/run/nscd/socket" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Mar 12 06:03:52 HOSTNAME kernel: type=1400 audit(1268373832.568:232537): avc:  denied  { read write } for  pid=7581 comm="cleanup" name="unix.cleanup" dev=sda1 ino=8306741 scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file

hope this helps fix the bug in fedora
Comment 32 Daniel Walsh 2010-03-12 08:57:44 EST
Please update to a supported version Fedora 11, 12 or 13.  We do not support 9 any longer.
Comment 33 rjcroasdale 2010-03-12 14:48:42 EST
Hi Daniel,

I've installed the audit daemon (was previously just using the messages log)

Now have errors found in this bug, are these two bugs the same thing? If so do you need to mark them as a duplicate?

https://bugzilla.redhat.com/show_bug.cgi?id=448333


(avc:  denied  { write } for  pid=16292 comm="sendmail"
and connectto)

Regards,
Robert.
Comment 35 errata-xmlrpc 2010-03-30 03:50:55 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html
Comment 36 Miroslav Lichvar 2010-04-14 07:54:08 EDT
*** Bug 555349 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.