Bug 682856 - When using postsuper to requeue a message, wrong selinux context is applied to /var/spool/postfix/maildrop/$ID
Summary: When using postsuper to requeue a message, wrong selinux context is applied t...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.5
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-03-07 19:33 UTC by David Hill
Modified: 2013-01-08 03:31 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-2.4.6-330.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-08 03:31:02 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0060 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-01-08 08:27:19 UTC

Description David Hill 2011-03-07 19:33:09 UTC
Description of problem:
When using postsuper to requeue a message, wrong selinux context is applied to /var/spool/postfix/maildrop/$ID.  restorecon will apply the proper context.  Looks like postsuper is moving the files or not applying the proper context.

Version-Release number of selected component (if applicable):
postfix 2.3.3

How reproducible:
Easily


Steps to Reproduce:
1. Have message queued/deferred for some reasons
2. postfix -r /var/spool/postfix/maildrop/$ID
3. watch /var/log/maillog
  
Actual results:
Messages stay in maildrop queue instead of being delivered/deleted 


Expected results:
Message should be delivered 


Additional info:
nope

Comment 1 Jan-Frode Myklebust 2011-03-13 11:40:31 UTC
FYI: I´m seeing this sam problem on RHEL6 (postfix-2.6.6-2.el6.x86_64, selinux-policy-3.7.19-54.el6_0.3.noarch). Deferred messages are labeled postfix_spool_t, and we get the denial:

avc:  denied  { getattr } for  pid=1249 comm="pickup" path="/var/spool/postfix/maildrop/1C44213E0" dev=dm-2 ino=5088 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
avc:  denied  { getattr } for  pid=1249 comm="pickup" path="/var/spool/postfix/maildrop/1C44213E0" dev=dm-2 ino=5088 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file

Running restorecon on the file resets the label to postfix_spool_maildrop_t, and the pickup can pick up the message.


We´ve reported this as Red Hat support ticket 00432903.

Comment 2 Jan-Frode Myklebust 2011-03-13 11:46:15 UTC
BTW: we didn´t notice this from using postsuper to requeue, but when postfix automatically deferred messages because it couldn´t relay the message via lmtp to a content-filter (amavisd-new) which was temporaily down.

Comment 3 Jan-Frode Myklebust 2011-03-13 11:53:18 UTC
.. and a possible workaround might be to add "/var/spool/postfix/maildrop/*" to /etc/selinux/restorecond.conf and enable the restorecond service. I think I will do that while waiting for a proper fix.

Comment 4 Jaroslav Škarvada 2011-07-27 10:10:46 UTC
It seems to be the same problem as in Bug 719261, reassigning to selinux-policy.

Comment 5 Miroslav Grepl 2011-07-27 10:50:56 UTC
Yes, it looks so.

Comment 6 Daniel Walsh 2011-07-29 14:48:58 UTC
This is probably that defferred directory problem we saw in RHEL6.

Comment 7 David Hill 2011-07-29 15:20:18 UTC
The bug is not with the selinux policy... 

It seems to be with the way postsuper handles the files ...

Comment 8 Jaroslav Škarvada 2012-03-06 16:26:55 UTC
It seems as same problem as in RHEL-6 (bug 719261). Postfix uses mv, it is good for performance. I think it should be workarounded in selinux as was in RHEL-6, thus reassigning to selinux-policy.

Comment 9 RHEL Product and Program Management 2012-06-13 12:08:59 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 13 Miroslav Grepl 2012-07-30 07:21:37 UTC
Fixed in selinux-policy-2.4.6-330.el5

Comment 16 errata-xmlrpc 2013-01-08 03:31:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html


Note You need to log in before you can comment on or make changes to this bug.