[DSE-Dev] Bug#1076049: selinux-policy-default: postfix fails to install with auto-configuration / postalias broken

Elija Goitke pxlkngdev at gmail.com
Tue Jul 9 22:50:58 BST 2024


Package: selinux-policy-default
Version: 2:2.20240607-1
Severity: normal

Dear Maintainer,

postfix fails to install on a system with SELinux enabled and in enforcing
mode, if selecting a preset postfix configuration on install.
This is apparently due to postalias being broken/unusable with the default selinux-policy:

$ sudo apt install postfix
[...]
Running newaliases
/var/lib/dpkg/info/postfix.postinst: 43: newaliases: Permission denied
dpkg: error processing package postfix (--configure):
installed postfix package post-installation script subprocess returned error
exit status 126
Processing triggers for man-db (2.12.1-2) ...
Processing triggers for ufw (0.36.2-6) ...
Errors were encountered while processing:
postfix
Error: Sub-process /usr/bin/dpkg returned an error code (1)

$ sudo postalias
sudo: unable to execute /usr/sbin/postalias: Permission denied

$ sudo newaliases
postalias: fatal: open database /etc/aliases.db: Permission denied



It seems that some postfix-related file labels are not automatically assigned
properly.
It also appears that the mail user and various other policies for
postfix/postalias are lacking required permissions/configuration.

I am able to observe that the /etc/aliases.db file does not get any label
assigned upon creation automatically, which leads to it being labelled with
unconfined_u:object_r:etc_t instead of unconfined_u:object_r:etc_aliases_t.


All of this can be reproduced on both the latest Debian Bookworm and Debian
Unstable (tested with selinux-policy-default 2:2.20240607-1 [unstable] and 2:2.20221101-9 [bookworm]):
- Set up a clean install
- Set up SELinux (https://wiki.debian.org/SELinux/Setup)
- Put SELinux in enforcing mode
- Try to install the postfix package and select any option except "No
configuration" when prompted


The policy should be fixed, so that postfix can be installed without any errors
related to SELinux and postalias can be used again.

Best regards.
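
The label check described in the report, as an added example that is not part of the original message: it reads `ls -Z`-style lines and flags any path whose SELinux type differs from the expected one. The function names and the EXPECTED list are assumptions made for illustration; the single path/type pair in it is the one named in the report.

```shell
#!/bin/sh
# Added example: compare observed SELinux file types against expected ones.
# Input on stdin: "<context> <path>" lines, the format `ls -Z <file>` prints.
# EXPECTED holds space-separated "<path>=<type>" pairs (hypothetical list;
# its one entry is the path and type named in the report).
EXPECTED="/etc/aliases.db=etc_aliases_t"

# Print the type field (third colon-separated field) of a context.
# Works with or without a trailing MLS level: user:role:type[:level].
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the expected type for a path; return 1 when the path is not listed.
expected_type() {
    for pair in $EXPECTED; do
        case "$pair" in
            "$1="*) printf '%s\n' "${pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Read "<context> <path>" lines and print one MISMATCH line per wrong label.
# Returns 0 when every listed path carries its expected type, 1 otherwise.
# Paths that are not in EXPECTED are skipped.
check_labels() {
    bad=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path") || continue
        have=$(context_type "$ctx")
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: have %s, want %s\n' "$path" "$have" "$want"
            bad=1
        fi
    done
    return "$bad"
}

# On a live system:  ls -Z /etc/aliases.db | check_labels
```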


