[DSE-Dev] Bug#781776: selinux-policy-default: postfix does not start when SELinux is set to enforcing
Andreas Florath
andre at florath.net
Thu Apr 2 20:40:47 UTC 2015
Package: selinux-policy-default
Version: 2:2.20140421-9
Severity: normal
Dear Maintainer,
postfix does not start when SELinux is set to enforcing:
root at debian8gi:~# se_apt-get install postfix
[...]
root at debian8gi:~# run_init systemctl start postfix
Authenticating root.
Password:
root at debian8gi:~# run_init systemctl status postfix
Authenticating root.
Password:
● postfix.service - LSB: Postfix Mail Transport Agent
Loaded: loaded (/etc/init.d/postfix)
Drop-In: /run/systemd/generator/postfix.service.d
└─50-postfix-$mail-transport-agent.conf
Active: active (exited) since Thu 2015-04-02 13:09:43 CEST; 8min ago
Process: 2028 ExecStop=/etc/init.d/postfix stop (code=exited, status=0/SUCCESS)
Process: 2040 ExecStart=/etc/init.d/postfix start (code=exited, status=0/SUCCESS)
Apr 02 13:09:43 debian8gi postfix[2040]: Starting Postfix Mail Transport Agent: postfix.
Apr 02 13:09:43 debian8gi postfix/master[2140]: fatal: open lock file pid/master.pid: cannot create file exclusively: Permission denied
The following AVC is logged:
type=AVC msg=audit(1427973050.472:88): avc: denied { net_admin } for pid=2144 comm="systemd-tty-ask" capability=12 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:systemd_passwd_agent_t:s0 tclass=capability permissive=0
It looks like the appropriate directory was not correctly labelled by default:
root at debian8gi:/etc/postfix# ls -ldZ /var/spool/postfix/pid/
drwxr-xr-x. 2 root root system_u:object_r:var_spool_t:SystemLow 4096 Apr 2 13:07 /var/spool/postfix/pid/
root at debian8gi:/etc/postfix# restorecon -v /var/spool/postfix/pid/
restorecon reset /var/spool/postfix/pid context system_u:object_r:var_spool_t:s0->system_u:object_r:var_run_t:s0
root at debian8gi:/etc/postfix# ls -ldZ /var/spool/postfix/pid/
drwxr-xr-x. 2 root root system_u:object_r:var_run_t:SystemLow 4096 Apr 2 13:07 /var/spool/postfix/pid/
Nevertheless: even after this adaptation the process still does not start up:
root at debian8gi:/etc/postfix# run_init systemctl start postfix
Authenticating root.
Password:
root at debian8gi:/etc/postfix# run_init systemctl status postfix
Authenticating root.
Password:
● postfix.service - LSB: Postfix Mail Transport Agent
Loaded: loaded (/etc/init.d/postfix)
Drop-In: /run/systemd/generator/postfix.service.d
└─50-postfix-$mail-transport-agent.conf
Active: active (exited) since Thu 2015-04-02 14:13:52 CEST; 3s ago
Process: 3455 ExecStop=/etc/init.d/postfix stop (code=exited, status=0/SUCCESS)
Process: 3468 ExecStart=/etc/init.d/postfix start (code=exited, status=0/SUCCESS)
Apr 02 14:13:52 debian8gi postfix[3468]: Starting Postfix Mail Transport Agent: postfix.
Apr 02 14:13:52 debian8gi postfix/master[3568]: fatal: bind: public/pickup: Permission denied
The AVC:
type=AVC msg=audit(1427976832.296:134): avc: denied { create } for pid=3568 comm="master" name="pickup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file permissive=0
Therefore it looks like a more general restorecon is needed:
root at debian8gi:/etc/postfix# restorecon -v -R /var/spool/postfix
restorecon reset /var/spool/postfix context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/deferred context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/maildrop context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/etc/hosts context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/services context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/localtime context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/nsswitch.conf context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/host.conf context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/resolv.conf context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/defer context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/flush context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_flush_t:s0
restorecon reset /var/spool/postfix/public context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_public_t:s0
restorecon reset /var/spool/postfix/active context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/corrupt context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/private context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_private_t:s0
restorecon reset /var/spool/postfix/saved context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/incoming context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/bounce context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_bounce_t:s0
After this it is possible to start postfix.
Kind regards
Andre
-- System Information:
Debian Release: 8.0
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages selinux-policy-default depends on:
ii libpam-modules 1.1.8-3.1
ii libselinux1 2.3-2
ii libsepol1 2.3-2
ii policycoreutils 2.3-1
ii python 2.7.9-1
ii selinux-utils 2.3-2
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.3-1
ii setools 3.3.8-3.1
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
-- no debconf information
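Added here as an editor's example, not part of the bug report: a small Python triage script that parses AVC records like the two quoted above and separates file-label denials (the kind a restorecon fixes) from capability denials. The sets of generic file types and file object classes are the example's own assumptions, not taken from the Debian policy.

```python
import re
# Target types that are generic placeholders rather than Postfix-specific types
# (assumed list); a denial on a file object carrying one usually means a missing relabel.
GENERIC_TYPES = {"var_spool_t", "var_run_t", "var_t", "var_lib_t", "etc_t",
                 "etc_runtime_t", "default_t", "unlabeled_t"}
FILE_CLASSES = {"file", "dir", "sock_file", "fifo_file", "lnk_file",
                "chr_file", "blk_file"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def _type_of(ctx):
    # Contexts look like user:role:type[:range]; the type is the third field.
    parts = (ctx or "").split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return the interesting fields of one AVC record, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "stype": _type_of(fields.get("scontext")),
        "ttype": _type_of(fields.get("tcontext")),
        "tclass": fields.get("tclass"),
        "enforcing": fields.get("permissive") == "0",
    }

def classify(avc):
    """'mislabel' = a confined domain denied on a generically labelled file object."""
    if avc["tclass"] in FILE_CLASSES and avc["ttype"] in GENERIC_TYPES:
        return "mislabel"
    if avc["tclass"] == "capability":
        return "capability"
    return "other"

def triage(lines):
    """Parse every AVC line and pair it with its classification; other lines are skipped."""
    return [(classify(a), a) for a in map(parse_avc, lines) if a]

# The two records quoted in the report above, copied verbatim as sample input.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1427973050.472:88): avc: denied { net_admin } for pid=2144 comm="systemd-tty-ask" capability=12 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:systemd_passwd_agent_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(1427976832.296:134): avc: denied { create } for pid=3568 comm="master" name="pickup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file permissive=0',
]
```

The second record is flagged as a mislabel because postfix_master_t is denied create on a sock_file still labelled var_spool_t, which is exactly what the recursive restorecon in the report corrects; a dry run with restorecon -n -v -R shows the pending relabels without changing anything.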