View Issue Details

ID: 0017246
Project: CentOS-8
Category: postfix
View Status: public
Last Update: 2020-04-13 07:39
Status: new
Resolution: open
Product Version: 8.1.1911
Target Version:
Fixed in Version:
Summary: 0017246: Postfix does not create spool tree with correct SELinux types
Description:
When postfix starts it checks to make sure all directories in /var/spool/postfix exist, and if not, it creates them. This is done with a script - `/usr/libexec/postfix/post-install`. This script calls mkdir and chmod and other common things.

Unfortunately, mkdir does not appear to honour the SELinux file contexts, which means the post-install script fails to run if SELinux is Enforcing.

This was reported to RedHat in 2015, but marked Not A Bug - - I don't think it was very well diagnosed which explains this. I'm not a RedHat customer so not sure if I am able to re-open that bug.

I have tested this on a freshly installed + updated CentOS 8.1.

This issue first occurred for me when using postmulti to create multiple postfix instances, which creates additional spool trees; however, it occurs any time postfix needs to create a spool directory - i.e. if the default spool directory is removed for whatever reason. When creating a new instance with postmulti, we use an SELinux fcontext equivalency for the new spool tree to the standard postfix spool tree.

A temporary workaround for postmulti is to create the new instance as unconstrained (which creates the spool tree), then run `restorecon`.
For general postfix, you have to run `postfix create` as unconstrained, then `restorecon`.

I am not sure what a good solution is for a longer term workaround. Run restorecon after each mkdir/etc. in post-install? post-install only runs as unconstrained sometimes, so that might not be possible. Perhaps mkdir should run with --context - but annoying to have the contexts specified here... not sure.
Steps To Reproduce:
1. New system
2. Install postfix
3. Run postfix - all runs OK
4. Delete postfix spool directory
5. Restart postfix - fails
6. Observe incorrect SELinux types on /var/spool/postfix/* - and as post-install didn't complete, the tree is not complete.

1. Run `postfix check` or `postmulti -e create ...`
2. Observe incorrect SELinux types on /var/spool/postfix/* - but a complete tree.
3. Run `restorecon`
4. Observe correct SELinux types, and postfix can now start

Logs of the above are attached.
Tags: No tags attached.
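
Added example, not part of the original report and not code from Postfix's `post-install` script: a shell sketch of the two options the reporter weighs, using `mkdir -Z` (GNU coreutils; with no argument it takes the label from the loaded file-context rules, so no type name is hard-coded) followed by `restorecon`, plus a dry-run check that lists mislabeled paths. The function names `selinux_on`, `mkdir_labeled` and `label_drift` are hypothetical.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from post-install.

# True only when the SELinux tools exist and SELinux is enabled.
selinux_on() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled
}

# mkdir_labeled DIR [MODE]
# Create DIR (and missing parents). On an SELinux host, ask mkdir to apply
# the policy's default type to each directory it creates.
mkdir_labeled() {
    dir=$1
    mode=${2:-0755}
    if selinux_on; then
        # -Z without a value: default type from the file-context rules,
        # which also covers fcontext equivalency rules for extra spool trees.
        mkdir -p -Z -m "$mode" -- "$dir" || return 1
        # Covers the case where DIR already existed with a wrong label.
        restorecon -R -- "$dir" || return 1
    else
        mkdir -p -m "$mode" -- "$dir" || return 1
    fi
}

# label_drift DIR
# Dry run (-n): print every path under DIR that restorecon would relabel.
# Returns 1 if any path differs from policy, 0 otherwise.
label_drift() {
    dir=$1
    selinux_on || return 0          # no policy to compare against
    out=$(restorecon -R -n -v -- "$dir" 2>/dev/null)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Example use (path is the default spool tree named in the report):
#   mkdir_labeled /var/spool/postfix/maildrop 0730
#   label_drift /var/spool/postfix || echo "spool tree is mislabeled"
```

Whether a confined domain may create directories with those types still depends on the loaded policy, so `label_drift` is also useful on its own as a post-start check.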


Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2020-04-13 07:39 | nward | New Issue | |
| 2020-04-13 07:39 | nward | File Added: postfix selinux create spool - problem.log | |
| 2020-04-13 07:39 | nward | File Added: postfix selinux create spool - workaround.log | |