View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0017246||CentOS-8||postfix||public||2020-04-13 07:39||2020-04-13 07:39|
|Target Version||Fixed in Version|
|Summary||0017246: Postfix does not create spool tree with correct SELinux types|
|Description||When postfix starts it checks to make sure all directories in /var/spool/postfix exist, and if not, it creates them. This is done with a script - `/usr/libexec/postfix/post-install`. This script calls mkdir and chmod and other common things.|
Unfortunately, mkdir does not appear to honour the SELinux file contexts, which means the post-install script fails to run if SELinux is Enforcing.
This was reported to Red Hat in 2015, but marked Not A Bug - https://bugzilla.redhat.com/show_bug.cgi?id=1173895 - I don't think it was very well diagnosed, which explains this. I'm not a Red Hat customer so not sure if I am able to re-open that bug.
I have tested this on a freshly installed and updated CentOS 8.1.
This issue first occurred for me when using postmulti to create multiple postfix instances, which creates additional spool trees; however, it occurs any time postfix needs to create a spool directory - i.e. if the default spool directory is removed for whatever reason. When creating a new instance with postmulti, we use an SELinux fcontext equivalency for the new spool tree to the standard postfix spool tree.
A temporary workaround for postmulti is to create the new instance as unconstrained (which creates the spool tree), then run `restorecon`.
For general postfix, you have to run `postfix create` as unconstrained, then `restorecon`.
I am not sure what a good solution is for a longer term workaround. Run restorecon after each mkdir/etc. in post-install? post-install only runs as unconstrained sometimes, so that might not be possible. Perhaps mkdir should run with --context - but annoying to have the contexts specified here... not sure.
|Steps To Reproduce||1. New system|
2. Install postfix
3. Run postfix - all runs OK
4. Delete postfix spool directory
5. Restart postfix - fails
6. Observe incorrect SELinux types on /var/spool/postfix/* - and as post-install didn't complete, the tree is not complete.

1. Run `postfix check` or `postmulti -e create ...`
2. Observe incorrect SELinux types on /var/spool/postfix/* - but a complete tree.
3. Run `restorecon`
4. Observe correct SELinux types, and postfix can now start
Logs of the above are attached.
|Tags||No tags attached.|
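
The "observe incorrect SELinux types" step above can be checked without relabeling anything by parsing a `restorecon` dry run. This is an added example, not part of the original report or of postfix; the sample output is constructed, and the mislabeled type `var_spool_t` in it is an assumption, not taken from the attached logs.

```shell
#!/bin/sh
# Added example: report SELinux label drift under a Postfix spool tree without
# changing anything, by parsing a restorecon dry run (-n no change, -v verbose).

# Constructed sample of `restorecon -n -v -R /var/spool/postfix` output.
# The "from" type (var_spool_t) is an assumption, not taken from the report's logs.
sample_dry_run() {
    cat <<'EOF'
Would relabel /var/spool/postfix/active from system_u:object_r:var_spool_t:s0 to system_u:object_r:postfix_spool_t:s0
Would relabel /var/spool/postfix/private from system_u:object_r:var_spool_t:s0 to system_u:object_r:postfix_private_t:s0
Would relabel /var/spool/postfix/public from system_u:object_r:var_spool_t:s0 to system_u:object_r:postfix_public_t:s0
EOF
}

# Read dry-run output on stdin; print "path<TAB>current_type<TAB>expected_type".
mislabeled() {
    awk 'NF >= 7 && $1 == "Would" && $2 == "relabel" &&
         $(NF-3) == "from" && $(NF-1) == "to" {
        path = $3
        for (i = 4; i <= NF - 4; i++) path = path " " $i   # paths with spaces
        split($(NF-2), cur, ":"); split($NF, want, ":")     # user:role:type:level
        printf "%s\t%s\t%s\n", path, cur[3], want[3]
    }'
}

# Return 0 if the tree matches policy, 1 (and print the drift) otherwise.
check_tree() {
    report=$(restorecon -n -v -R "$1" 2>/dev/null | mislabeled)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# `sh script.sh --live [dir]` checks a real tree; otherwise show the sample.
if [ "${1:-}" = "--live" ]; then
    check_tree "${2:-/var/spool/postfix}"
else
    sample_dry_run | mislabeled
fi
```

Run with `--live` after postfix or postmulti has created a spool tree; a non-zero exit status means at least one path still needs `restorecon`.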