RHEL-35544

selinux denies postfix/smtpd to map /etc/aliases.lmdb

    • Bug
    • Resolution: Unresolved
    • Normal
    • rhel-10.0.beta
    • rhel-10.0
    • selinux-policy
    • sst_security_selinux
    • ssg_security

      What were you trying to do that didn't work?

      CI test that is working on RHEL9 and Rawhide doesn't work on RHEL10

      Seems to be related to/fixed by Fedora BZs:

      Bug 2242898 - Please add support for the /etc/aliases.lmdb
      Bug 2247848 - SELinux preventing Postfix from mapping LMDB databases

      Please provide the package NVR for which bug is seen:

      selinux-policy-40.13-1.el10.noarch

      How reproducible:

      Always

      Steps to reproduce

      1. git clone https://src.fedoraproject.org/tests/cyrus-imapd.git
      2. cd cyrus-imapd/Sanity/basic
      3. 1minutetip rhel10
        or:
      4. tmt run -avvv execute --how tmt --interactive test --name . provision --how minute --image rhel10

      Expected results

      No failure

      Actual results

      May 06 05:04:22 prereserve-1mt-rhel-10.0-20240423.83-10344-2024-05-06-08-27 audit: PROCTITLE proctitle=736D747064002D6E00736D7470002D7400696E6574002D75002D730032
      May 06 05:04:22 prereserve-1mt-rhel-10.0-20240423.83-10344-2024-05-06-08-27 postfix/smtpd[12779]: error: open database /etc/aliases.lmdb: Permission denied
      May 06 05:04:22 prereserve-1mt-rhel-10.0-20240423.83-10344-2024-05-06-08-27 postfix/smtpd[12779]: connect from localhost[::1]
      May 06 05:04:22 prereserve-1mt-rhel-10.0-20240423.83-10344-2024-05-06-08-27 postfix/smtpd[12779]: warning: lmdb:/etc/aliases is unavailable. open database /etc/aliases.lmdb: Permission denied
      May 06 05:04:22 prereserve-1mt-rhel-10.0-20240423.83-10344-2024-05-06-08-27 postfix/smtpd[12779]: warning: lmdb:/etc/aliases lookup error for "root@localhost"
      May 06 05:04:22 prereserve-1mt-rhel-10.0-20240423.83-10344-2024-05-06-08-27 postfix/smtpd[12779]: NOQUEUE: reject: RCPT from localhost[::1]: 451 4.3.0 <root@localhost>: Temporary lookup failure; from=<cyrus@prereserve-1mt-rhel-10.0-20240423.83-10344-2024-05-06-08-27> to=<root@localhost> proto=ESMTP helo=<prereserve-1mt-rhel-10.0-20240423.83-10344-2024-05-06-08-27>
      
      # ausearch -c smtpd
      ----
      time->Mon May  6 04:35:06 2024
      type=PROCTITLE msg=audit(1714984506.705:568): proctitle=736D747064002D6E00736D7470002D7400696E6574002D75002D730032
      type=SYSCALL msg=audit(1714984506.705:568): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000000 a2=1 a3=1 items=0 ppid=6743 pid=7881 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
      type=AVC msg=audit(1714984506.705:568): avc:  denied  { map } for  pid=7881 comm="smtpd" path="/etc/aliases.lmdb" dev="vda2" ino=2172519 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file permissive=0
      #
      
      # grep denied audit.log | audit2allow 
      
      
      #============= postfix_smtpd_t ==============
      
      #!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
      allow postfix_smtpd_t etc_aliases_t:file map;
      #
      

            rhn-support-zpytela Zdenek Pytela
            rhn-support-mosvald Martin Osvald
            Zdenek Pytela
            Milos Malik
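
Reading the three audit records in the report as one event, as an added example (not part of the original report or of any Red Hat tooling): a small Python parser that groups records by audit event ID, decodes the hex proctitle, and interprets the mmap arguments of the denied call. The function names are hypothetical; the records are copied from the ausearch output above.

```python
import re

# Records copied from the "ausearch -c smtpd" output in the report above.
RECORDS = """\
type=PROCTITLE msg=audit(1714984506.705:568): proctitle=736D747064002D6E00736D7470002D7400696E6574002D75002D730032
type=SYSCALL msg=audit(1714984506.705:568): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000000 a2=1 a3=1 items=0 ppid=6743 pid=7881 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1714984506.705:568): avc:  denied  { map } for  pid=7881 comm="smtpd" path="/etc/aliases.lmdb" dev="vda2" ino=2172519 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file permissive=0
"""

HEAD = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}

def parse_events(text):
    """Group audit records by event ID (timestamp:serial) -> {record type: fields}."""
    events = {}
    for line in text.splitlines():
        m = HEAD.match(line.strip())
        if not m:
            continue
        rtype, event_id, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        if rtype == "AVC":
            fields["perms"] = re.search(r"\{([^}]*)\}", rest).group(1).split()
        events.setdefault(event_id, {})[rtype] = fields
    return events

def summarize(ev):
    """Condense one event's PROCTITLE, SYSCALL and AVC records into a triage dict."""
    avc, sc = ev["AVC"], ev["SYSCALL"]
    # Assumes the hex form of proctitle (NUL-separated argv), as in this report.
    argv = bytes.fromhex(ev["PROCTITLE"]["proctitle"]).decode().split("\0")
    out = {
        "argv": argv,
        "source_type": avc["scontext"].split(":")[2],
        "target_type": avc["tcontext"].split(":")[2],
        "tclass": avc["tclass"], "perms": avc["perms"], "path": avc["path"],
        "enforced": avc["permissive"] == "0",
    }
    # On x86_64 (arch=c000003e) syscall 9 is mmap: a1=length, a2=prot, a3=flags (hex).
    if sc["arch"] == "c000003e" and sc["syscall"] == "9":
        prot, flags = int(sc["a2"], 16), int(sc["a3"], 16)
        out["mmap"] = {"length": int(sc["a1"], 16),
                       "prot": [n for b, n in PROT.items() if prot & b],
                       "shared": flags & 0x0F in (1, 3)}  # MAP_SHARED(_VALIDATE)
    return out

if __name__ == "__main__":
    for eid, ev in parse_events(RECORDS).items():
        print(eid, summarize(ev))
```

The decoded event is a read-only shared mapping of /etc/aliases.lmdb by `smtpd -n smtp -t inet -u -s 2`, which matches the single `map` permission in the audit2allow output.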