View Issue Details

ID: 0017246
Project: CentOS-8
Category: postfix
View Status: public
Last Update: 2020-04-13 07:39
Reporter: nward
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 8.1.1911
Summary: 0017246: Postfix does not create spool tree with correct SELinux types
Description: When postfix starts it checks to make sure all directories in /var/spool/postfix exist, and if not, it creates them. This is done with a script - `/usr/libexec/postfix/post-install`. This script calls mkdir and chmod and other common things.

Unfortunately, mkdir does not appear to honour the SELinux file contexts, which means the post-install script fails to run if SELinux is Enforcing.

This was reported to RedHat in 2015, but marked Not A Bug - https://bugzilla.redhat.com/show_bug.cgi?id=1173895 - I don't think it was very well diagnosed which explains this. I'm not a RedHat customer so not sure if I am able to re-open that bug.

I have tested this on a fresh installed + updated CentOS 8.1

This issue first occurred for me when using postmulti to create multiple postfix instances which creates additional spool trees, however, occurs any time postfix needs to create a spool directory - i.e. if the default spool directory is removed for whatever reason. When creating a new instance with postmulti, we use an SELinux fcontext equivalency for the new spool tree to the standard postfix spool tree.

A temporary workaround for postmulti is to create the new instance as unconstrained (which creates the spool tree), then run `restorecon`.
For general postfix, you have to run `postfix create` as unconstrained, then `restorecon`.

I am not sure what a good solution is for a longer term workaround. Run restorecon after each mkdir/etc. in post-install? post-install only runs as unconstrained sometimes, so that might not be possible. Perhaps mkdir should run with --context - but annoying to have the contexts specified here... not sure.
Steps To Reproduce:
1. New system
2. Install postfix
3. Run postfix - all runs OK
4. Delete postfix spool directory
5. Restart postfix - fails
6. Observe incorrect SELinux types on /var/spool/postfix/* - and as post-install didn't complete, the tree is not complete.

Workaround:
1. Run `postfix check` or `postmulti -e create ...`
2. Observe incorrect SELinux types on /var/spool/postfix/* - but a complete tree.
3. Run `restorecon`
4. Observe correct SELinux types, and postfix can now start

Logs of the above are attached.
Tags: No tags attached.

Activities

nward (reporter), 2020-04-13 07:39

Attachment: postfix selinux create spool - problem.log (5,203 bytes)
[nward@centos8-1 ~]$ sudo yum install postfix
<blah>
[nward@centos8-1 ~]$ sudo systemctl restart postfix
[nward@centos8-1 ~]$ sudo ls -laZ /var/spool/postfix/
total 0
drwxr-xr-x. 16 root    root     system_u:object_r:postfix_spool_t:s0        201 Apr 13 07:18 .
drwxr-xr-x.  9 root    root     system_u:object_r:var_spool_t:s0            102 Apr 13 07:18 ..
drwx------.  2 postfix root     system_u:object_r:postfix_spool_t:s0          6 Nov  8 22:16 active
drwx------.  2 postfix root     system_u:object_r:postfix_spool_bounce_t:s0   6 Nov  8 22:16 bounce
drwx------.  2 postfix root     system_u:object_r:postfix_spool_t:s0          6 Nov  8 22:16 corrupt
drwx------.  2 postfix root     system_u:object_r:postfix_spool_t:s0          6 Nov  8 22:16 defer
drwx------.  2 postfix root     system_u:object_r:postfix_spool_t:s0          6 Nov  8 22:16 deferred
drwx------.  2 postfix root     system_u:object_r:postfix_spool_t:s0          6 Nov  8 22:16 flush
drwx------.  2 postfix root     system_u:object_r:postfix_spool_t:s0          6 Nov  8 22:16 hold
drwx------.  2 postfix root     system_u:object_r:postfix_spool_t:s0          6 Nov  8 22:16 incoming
drwx-wx---.  2 postfix postdrop system_u:object_r:postfix_spool_t:s0          6 Nov  8 22:16 maildrop
drwxr-xr-x.  2 root    root     system_u:object_r:var_run_t:s0               24 Apr 13 07:19 pid
drwx------.  2 postfix root     system_u:object_r:postfix_private_t:s0      256 Apr 13 07:19 private
drwx--x---.  2 postfix postdrop system_u:object_r:postfix_public_t:s0        73 Apr 13 07:19 public
drwx------.  2 postfix root     system_u:object_r:postfix_spool_t:s0          6 Nov  8 22:16 saved
drwx------.  2 postfix root     system_u:object_r:postfix_spool_t:s0          6 Nov  8 22:16 trace
[nward@centos8-1 ~]$ sudo rm -r /var/spool/postfix/*
[nward@centos8-1 ~]$ sudo systemctl restart postfix
Job for postfix.service failed because the control process exited with error code.
See "systemctl status postfix.service" and "journalctl -xe" for details.
[nward@centos8-1 ~]$ sudo ls -laZ /var/spool/postfix/
total 0
drwxr-xr-x. 11 root    root system_u:object_r:postfix_spool_t:s0 134 Apr 13 07:19 .
drwxr-xr-x.  9 root    root system_u:object_r:var_spool_t:s0     102 Apr 13 07:18 ..
drwxr-xr-x.  2 postfix root system_u:object_r:postfix_spool_t:s0   6 Apr 13 07:19 active
drwxr-xr-x.  2 postfix root system_u:object_r:postfix_spool_t:s0   6 Apr 13 07:19 bounce
drwxr-xr-x.  2 postfix root system_u:object_r:postfix_spool_t:s0   6 Apr 13 07:19 corrupt
drwxr-xr-x.  2 postfix root system_u:object_r:postfix_spool_t:s0   6 Apr 13 07:19 defer
drwxr-xr-x.  2 postfix root system_u:object_r:postfix_spool_t:s0   6 Apr 13 07:19 deferred
drwxr-xr-x.  2 postfix root system_u:object_r:postfix_spool_t:s0   6 Apr 13 07:19 flush
drwxr-xr-x.  2 postfix root system_u:object_r:postfix_spool_t:s0   6 Apr 13 07:19 hold
drwxr-xr-x.  2 postfix root system_u:object_r:postfix_spool_t:s0   6 Apr 13 07:19 incoming
drwxr-xr-x.  2 postfix root system_u:object_r:postfix_spool_t:s0   6 Apr 13 07:19 private
[nward@centos8-1 ~]$ sudo grep denied /var/log/audit/audit.log
type=AVC msg=audit(1586762370.220:231): avc:  denied  { fowner } for  pid=15206 comm="chmod" capability=3  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1586762370.222:232): avc:  denied  { fowner } for  pid=15210 comm="chmod" capability=3  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1586762370.225:233): avc:  denied  { fowner } for  pid=15214 comm="chmod" capability=3  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1586762370.227:234): avc:  denied  { fowner } for  pid=15218 comm="chmod" capability=3  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1586762370.230:235): avc:  denied  { fowner } for  pid=15222 comm="chmod" capability=3  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1586762370.232:236): avc:  denied  { fowner } for  pid=15226 comm="chmod" capability=3  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1586762370.234:237): avc:  denied  { fowner } for  pid=15230 comm="chmod" capability=3  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1586762370.239:238): avc:  denied  { fowner } for  pid=15234 comm="chmod" capability=3  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1586762370.242:239): avc:  denied  { fowner } for  pid=15237 comm="chmod" capability=3  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=0
Attachment: postfix selinux create spool - workaround.log (5,121 bytes)
[nward@centos8-1 ~]$ sudo rm -r /var/spool/postfix/*
[nward@centos8-1 ~]$ sudo postfix check
[nward@centos8-1 ~]$ sudo ls -laZ /var/spool/postfix/
total 0
drwxr-xr-x. 16 root    root     system_u:object_r:postfix_spool_t:s0     201 Apr 13 07:33 .
drwxr-xr-x.  9 root    root     system_u:object_r:var_spool_t:s0         102 Apr 13 07:18 ..
drwx------.  2 postfix root     unconfined_u:object_r:postfix_spool_t:s0   6 Apr 13 07:33 active
drwx------.  2 postfix root     unconfined_u:object_r:postfix_spool_t:s0   6 Apr 13 07:33 bounce
drwx------.  2 postfix root     unconfined_u:object_r:postfix_spool_t:s0   6 Apr 13 07:33 corrupt
drwx------.  2 postfix root     unconfined_u:object_r:postfix_spool_t:s0   6 Apr 13 07:33 defer
drwx------.  2 postfix root     unconfined_u:object_r:postfix_spool_t:s0   6 Apr 13 07:33 deferred
drwx------.  2 postfix root     unconfined_u:object_r:postfix_spool_t:s0   6 Apr 13 07:33 flush
drwx------.  2 postfix root     unconfined_u:object_r:postfix_spool_t:s0   6 Apr 13 07:33 hold
drwx------.  2 postfix root     unconfined_u:object_r:postfix_spool_t:s0   6 Apr 13 07:33 incoming
drwx-wx---.  2 postfix postdrop unconfined_u:object_r:postfix_spool_t:s0   6 Apr 13 07:33 maildrop
drwxr-xr-x.  2 root    root     unconfined_u:object_r:postfix_spool_t:s0   6 Apr 13 07:33 pid
drwx------.  2 postfix root     unconfined_u:object_r:postfix_spool_t:s0   6 Apr 13 07:33 private
drwx--x---.  2 postfix postdrop unconfined_u:object_r:postfix_spool_t:s0   6 Apr 13 07:33 public
drwx------.  2 postfix root     unconfined_u:object_r:postfix_spool_t:s0   6 Apr 13 07:33 saved
drwx------.  2 postfix root     unconfined_u:object_r:postfix_spool_t:s0   6 Apr 13 07:33 trace
[nward@centos8-1 ~]$ sudo restorecon -RFv /var/spool/postfix
Relabeled /var/spool/postfix/active from unconfined_u:object_r:postfix_spool_t:s0 to system_u:object_r:postfix_spool_t:s0
Relabeled /var/spool/postfix/bounce from unconfined_u:object_r:postfix_spool_t:s0 to system_u:object_r:postfix_spool_bounce_t:s0
Relabeled /var/spool/postfix/corrupt from unconfined_u:object_r:postfix_spool_t:s0 to system_u:object_r:postfix_spool_t:s0
Relabeled /var/spool/postfix/defer from unconfined_u:object_r:postfix_spool_t:s0 to system_u:object_r:postfix_spool_t:s0
Relabeled /var/spool/postfix/deferred from unconfined_u:object_r:postfix_spool_t:s0 to system_u:object_r:postfix_spool_t:s0
Relabeled /var/spool/postfix/flush from unconfined_u:object_r:postfix_spool_t:s0 to system_u:object_r:postfix_spool_t:s0
Relabeled /var/spool/postfix/hold from unconfined_u:object_r:postfix_spool_t:s0 to system_u:object_r:postfix_spool_t:s0
Relabeled /var/spool/postfix/incoming from unconfined_u:object_r:postfix_spool_t:s0 to system_u:object_r:postfix_spool_t:s0
Relabeled /var/spool/postfix/private from unconfined_u:object_r:postfix_spool_t:s0 to system_u:object_r:postfix_private_t:s0
Relabeled /var/spool/postfix/maildrop from unconfined_u:object_r:postfix_spool_t:s0 to system_u:object_r:postfix_spool_t:s0
Relabeled /var/spool/postfix/public from unconfined_u:object_r:postfix_spool_t:s0 to system_u:object_r:postfix_public_t:s0
Relabeled /var/spool/postfix/pid from unconfined_u:object_r:postfix_spool_t:s0 to system_u:object_r:var_run_t:s0
Relabeled /var/spool/postfix/saved from unconfined_u:object_r:postfix_spool_t:s0 to system_u:object_r:postfix_spool_t:s0
Relabeled /var/spool/postfix/trace from unconfined_u:object_r:postfix_spool_t:s0 to system_u:object_r:postfix_spool_t:s0
[nward@centos8-1 ~]$ sudo ls -laZ /var/spool/postfix/
total 0
drwxr-xr-x. 16 root    root     system_u:object_r:postfix_spool_t:s0        201 Apr 13 07:33 .
drwxr-xr-x.  9 root    root     system_u:object_r:var_spool_t:s0            102 Apr 13 07:18 ..
drwx------.  2 postfix root     system_u:object_r:postfix_spool_t:s0          6 Apr 13 07:33 active
drwx------.  2 postfix root     system_u:object_r:postfix_spool_bounce_t:s0   6 Apr 13 07:33 bounce
drwx------.  2 postfix root     system_u:object_r:postfix_spool_t:s0          6 Apr 13 07:33 corrupt
drwx------.  2 postfix root     system_u:object_r:postfix_spool_t:s0          6 Apr 13 07:33 defer
drwx------.  2 postfix root     system_u:object_r:postfix_spool_t:s0          6 Apr 13 07:33 deferred
drwx------.  2 postfix root     system_u:object_r:postfix_spool_t:s0          6 Apr 13 07:33 flush
drwx------.  2 postfix root     system_u:object_r:postfix_spool_t:s0          6 Apr 13 07:33 hold
drwx------.  2 postfix root     system_u:object_r:postfix_spool_t:s0          6 Apr 13 07:33 incoming
drwx-wx---.  2 postfix postdrop system_u:object_r:postfix_spool_t:s0          6 Apr 13 07:33 maildrop
drwxr-xr-x.  2 root    root     system_u:object_r:var_run_t:s0                6 Apr 13 07:33 pid
drwx------.  2 postfix root     system_u:object_r:postfix_private_t:s0        6 Apr 13 07:33 private
drwx--x---.  2 postfix postdrop system_u:object_r:postfix_public_t:s0         6 Apr 13 07:33 public
drwx------.  2 postfix root     system_u:object_r:postfix_spool_t:s0          6 Apr 13 07:33 saved
drwx------.  2 postfix root     system_u:object_r:postfix_spool_t:s0          6 Apr 13 07:33 trace
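An added example for the description and the attached logs above; it is not part of the bug report, of Postfix or of the CentOS SELinux policy. It checks a spool tree offline the way `restorecon -n` would on the box: `check_spool_labels` reads an `ls -laZ` listing and flags every top-level directory whose SELinux type differs from the one the stock policy assigns (the expected-type table is copied from the first, correct listing in problem.log and covers only the directories shown on this page), and `summarise_avc` condenses audit AVC lines into one count per source context, command, class and permission, so a log full of repeated denials reduces to a few lines. The sample inputs are constructed from the attached logs.

```shell
#!/bin/sh
# Added example (not from the bug report, Postfix or CentOS): offline checks for
# the SELinux labelling of a Postfix spool tree and for AVC denials.

# Expected SELinux type per top-level spool directory. Values copied from the
# page's first `ls -laZ` listing; anything not listed defaults to postfix_spool_t.
expected_type() {
    case "$1" in
        bounce)  echo postfix_spool_bounce_t ;;
        private) echo postfix_private_t ;;
        public)  echo postfix_public_t ;;
        pid)     echo var_run_t ;;
        *)       echo postfix_spool_t ;;
    esac
}

# check_spool_labels: read `ls -laZ` lines on stdin; print "name actual expected"
# for each mislabelled entry; return 1 if any mismatch was found, else 0.
check_spool_labels() {
    _status=0
    while read -r mode links owner group ctx size mon day time name; do
        # Skip the "total N" header, blank lines and the . / .. entries.
        case "$mode" in total|"") continue ;; esac
        case "$name" in .|..|"") continue ;; esac
        # A context is user:role:type:level; extract the third field (the type).
        _rest=${ctx#*:*:}
        actual=${_rest%%:*}
        want=$(expected_type "$name")
        if [ "$actual" != "$want" ]; then
            printf '%s %s %s\n' "$name" "$actual" "$want"
            _status=1
        fi
    done
    return $_status
}

# summarise_avc: read audit.log lines on stdin; print
# "count scontext comm tclass permission" for each distinct denial.
summarise_avc() {
    grep 'avc: *denied' \
      | sed -n 's/.*denied  { \([^}]*\) } for .*comm="\([^"]*\)".*scontext=\([^ ]*\) .*tclass=\([^ ]*\).*/\3 \2 \4 \1/p' \
      | sort | uniq -c \
      | awk '{print $1, $2, $3, $4, $5}'
}

# Constructed sample: the tree after `postfix check` ran unconfined, before
# restorecon (mirrors the attached workaround.log; every directory inherited
# the parent's postfix_spool_t type).
SAMPLE_LISTING='total 0
drwxr-xr-x. 16 root    root     system_u:object_r:postfix_spool_t:s0 201 Apr 13 07:33 .
drwxr-xr-x.  9 root    root     system_u:object_r:var_spool_t:s0     102 Apr 13 07:18 ..
drwx------.  2 postfix root     unconfined_u:object_r:postfix_spool_t:s0 6 Apr 13 07:33 active
drwx------.  2 postfix root     unconfined_u:object_r:postfix_spool_t:s0 6 Apr 13 07:33 bounce
drwxr-xr-x.  2 root    root     unconfined_u:object_r:postfix_spool_t:s0 6 Apr 13 07:33 pid
drwx------.  2 postfix root     unconfined_u:object_r:postfix_spool_t:s0 6 Apr 13 07:33 private
drwx--x---.  2 postfix postdrop unconfined_u:object_r:postfix_spool_t:s0 6 Apr 13 07:33 public'

# Constructed sample: a correctly labelled tree (types as after restorecon).
GOOD_LISTING='total 0
drwx------.  2 postfix root     system_u:object_r:postfix_spool_t:s0        6 Apr 13 07:33 active
drwx------.  2 postfix root     system_u:object_r:postfix_spool_bounce_t:s0 6 Apr 13 07:33 bounce
drwxr-xr-x.  2 root    root     system_u:object_r:var_run_t:s0              6 Apr 13 07:33 pid
drwx------.  2 postfix root     system_u:object_r:postfix_private_t:s0      6 Apr 13 07:33 private
drwx--x---.  2 postfix postdrop system_u:object_r:postfix_public_t:s0       6 Apr 13 07:33 public'

# Two AVC lines copied from the attached problem.log.
SAMPLE_AVC='type=AVC msg=audit(1586762370.220:231): avc:  denied  { fowner } for  pid=15206 comm="chmod" capability=3  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1586762370.222:232): avc:  denied  { fowner } for  pid=15210 comm="chmod" capability=3  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=0'

echo "== label check on constructed listing (name actual expected) =="
printf '%s\n' "$SAMPLE_LISTING" | check_spool_labels \
  || echo "mislabelled entries found; on the host: restorecon -RFv /var/spool/postfix"
echo "== AVC summary (count scontext comm tclass permission) =="
printf '%s\n' "$SAMPLE_AVC" | summarise_avc
```

On a live system `restorecon -Rnv /var/spool/postfix` (dry run, no relabel) and `ausearch -m AVC -ts recent` give the same information directly; the two functions are for listings and audit excerpts collected from another box. Note that coreutils `mkdir -Z` creates a directory with the default type the policy would assign to that path, which is the `--context` route the reporter mentions.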

Issue History

Date Modified Username Field Change
2020-04-13 07:39 nward New Issue
2020-04-13 07:39 nward File Added: postfix selinux create spool - problem.log
2020-04-13 07:39 nward File Added: postfix selinux create spool - workaround.log