Bug 682856 - When using postsuper to requeue a message, wrong selinux context is applied to /var/spool/postfix/maildrop/$ID
When using postsuper to requeue a message, wrong selinux context is applied t...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.5
All Linux
high Severity high
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-03-07 14:33 EST by David Hill
Modified: 2013-01-07 22:31 EST (History)
3 users (show)

See Also:
Fixed In Version: selinux-policy-2.4.6-330.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-01-07 22:31:02 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Hill 2011-03-07 14:33:09 EST
Description of problem:
When using postsuper to requeue a message, wrong selinux context is applied to /var/spool/postfix/maildrop/$ID.  restorecon will apply the proper context.  Looks like postsuper is moving the files or not applying the proper context.

Version-Release number of selected component (if applicable):
postfix 2.3.3

How reproducible:
Easily


Steps to Reproduce:
1. Have message queued/deferred for some reasons
2. postfix -r /var/spool/postfix/maildrop/$ID
3. watch /var/log/maillog
  
Actual results:
Messages stay in maildrop queue instead of being delivered/deleted 


Expected results:
Message should be delivered 


Additional info:
nope
Comment 1 Jan-Frode Myklebust 2011-03-13 07:40:31 EDT
FYI: I´m seeing this sam problem on RHEL6 (postfix-2.6.6-2.el6.x86_64, selinux-policy-3.7.19-54.el6_0.3.noarch). Deferred messages are labeled postfix_spool_t, and we get the denial:

avc:  denied  { getattr } for  pid=1249 comm="pickup" path="/var/spool/postfix/maildrop/1C44213E0" dev=dm-2 ino=5088 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
avc:  denied  { getattr } for  pid=1249 comm="pickup" path="/var/spool/postfix/maildrop/1C44213E0" dev=dm-2 ino=5088 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file

Running restorecon on the file resets the label to postfix_spool_maildrop_t, and the pickup can pick up the message.


We´ve reported this as Red Hat support ticket 00432903.
Comment 2 Jan-Frode Myklebust 2011-03-13 07:46:15 EDT
BTW: we didn´t notice this from using postsuper to requeue, but when postfix automatically deferred messages because it couldn´t relay the message via lmtp to a content-filter (amavisd-new) which was temporaily down.
Comment 3 Jan-Frode Myklebust 2011-03-13 07:53:18 EDT
.. and a possible workaround might be to add "/var/spool/postfix/maildrop/*" to /etc/selinux/restorecond.conf and enable the restorecond service. I think I will do that while waiting for a proper fix.
Comment 4 Jaroslav Škarvada 2011-07-27 06:10:46 EDT
It seems to be the same problem as in Bug 719261, reassigning to selinux-policy.
Comment 5 Miroslav Grepl 2011-07-27 06:50:56 EDT
Yes, it looks so.
Comment 6 Daniel Walsh 2011-07-29 10:48:58 EDT
This is probably that defferred directory problem we saw in RHEL6.
Comment 7 David Hill 2011-07-29 11:20:18 EDT
The bug is not with the selinux policy... 

It seems to be with the way postsuper handles the files ...
Comment 8 Jaroslav Škarvada 2012-03-06 11:26:55 EST
It seems as same problem as in RHEL-6 (bug 719261). Postfix uses mv, it is good for performance. I think it should be workarounded in selinux as was in RHEL-6, thus reassigning to selinux-policy.
Comment 9 RHEL Product and Program Management 2012-06-13 08:08:59 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 13 Miroslav Grepl 2012-07-30 03:21:37 EDT
Fixed in selinux-policy-2.4.6-330.el5
Comment 16 errata-xmlrpc 2013-01-07 22:31:02 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html

Note You need to log in before you can comment on or make changes to this bug.