Description of problem:
When using postsuper to requeue a message, wrong selinux context is applied to /var/spool/postfix/maildrop/$ID. restorecon will apply the proper context. Looks like postsuper is moving the files or not applying the proper context.

Version-Release number of selected component (if applicable):
postfix 2.3.3

How reproducible:
Easily

Steps to Reproduce:
1. Have message queued/deferred for some reasons
2. postfix -r /var/spool/postfix/maildrop/$ID
3. watch /var/log/maillog

Actual results:
Messages stay in maildrop queue instead of being delivered/deleted

Expected results:
Message should be delivered

Additional info:
nope
FYI: I'm seeing this same problem on RHEL6 (postfix-2.6.6-2.el6.x86_64, selinux-policy-3.7.19-54.el6_0.3.noarch). Deferred messages are labeled postfix_spool_t, and we get the denial:

avc: denied { getattr } for pid=1249 comm="pickup" path="/var/spool/postfix/maildrop/1C44213E0" dev=dm-2 ino=5088 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
avc: denied { getattr } for pid=1249 comm="pickup" path="/var/spool/postfix/maildrop/1C44213E0" dev=dm-2 ino=5088 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file

Running restorecon on the file resets the label to postfix_spool_maildrop_t, and the pickup can pick up the message. We've reported this as Red Hat support ticket 00432903.
BTW: we didn't notice this from using postsuper to requeue, but when postfix automatically deferred messages because it couldn't relay the message via lmtp to a content-filter (amavisd-new) which was temporarily down.
.. and a possible workaround might be to add "/var/spool/postfix/maildrop/*" to /etc/selinux/restorecond.conf and enable the restorecond service. I think I will do that while waiting for a proper fix.
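A check for the condition described in this thread, as an added example that is not part of the original bug report: it parses AVC denial lines and reports files whose target type differs from the label restorecon would apply. The function names and the second log line are constructed for illustration; the maildrop label is the one named in the comment above.

```python
import re

# Expected type per directory prefix. Only the maildrop entry comes from the
# thread (restorecon resets it to postfix_spool_maildrop_t).
EXPECTED_TYPES = {"/var/spool/postfix/maildrop/": "postfix_spool_maildrop_t"}

# Constructed sample: the denial quoted in the thread plus one made-up,
# unrelated denial that must not be reported.
SAMPLE_LOG = """\
avc: denied { getattr } for pid=1249 comm="pickup" path="/var/spool/postfix/maildrop/1C44213E0" dev=dm-2 ino=5088 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
avc: denied { read } for pid=4321 comm="example" path="/srv/example/data" dev=dm-2 ino=77 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict of the key=value fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted or bare
    return rec


def mislabeled(log_text):
    """List (path, actual_type, expected_type, comm) for files denied while
    carrying a type other than the one expected for their directory."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or "path" not in rec or "tcontext" not in rec:
            continue
        parts = rec["tcontext"].split(":")  # user:role:type:level
        if len(parts) < 3:
            continue
        for prefix, expected in EXPECTED_TYPES.items():
            if rec["path"].startswith(prefix) and parts[2] != expected:
                findings.append((rec["path"], parts[2], expected, rec.get("comm")))
    return findings


if __name__ == "__main__":
    for path, actual, expected, comm in mislabeled(SAMPLE_LOG):
        print(f"{comm}: {path} is {actual}, expected {expected}; run restorecon on it")
```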
It seems to be the same problem as in Bug 719261, reassigning to selinux-policy.
Yes, it looks so.
This is probably that deferred directory problem we saw in RHEL6.
The bug is not with the selinux policy... It seems to be with the way postsuper handles the files ...
It seems to be the same problem as in RHEL-6 (bug 719261). Postfix uses mv, which is good for performance. I think it should be worked around in selinux as it was in RHEL-6, thus reassigning to selinux-policy.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
Fixed in selinux-policy-2.4.6-330.el5
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0060.html