Postfix local user lookup selinux issue

asked 2017-11-09 14:48:57 -0600

trestlemonkey

I have an F26 machine running a Postfix mail server that has recently stopped delivering mail caught by the catch-all "luser_relay" system. Mail to valid users is OK, but mail to unknown users just ends up deferred instead of being delivered to the default user. The configuration of Postfix hasn't changed, but this started happening after I upgraded from F25 to F26. Investigating, it seems it's an SELinux problem, as if I set that to permissive mode then all is OK.

Here's the log output of postfix. We can see

Nov 9 20:26:58 londo postfix/local[10262]: warning: error looking up passwd info for test: Connection reset by peer
Nov 9 20:26:58 londo postfix/local[10262]: 8C113BB8C43: to=<test@mydomain>, relay=local, delay=31, delays=0.49/0/0/30, dsn=4.0.0, status=deferred (user lookup error)

And here's the AVC:

type=USER_AVC msg=audit(1510259188.582:75273): pid=840 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=10262 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Any ideas?

Nothing special about Postfix config - just using luser_relay. "local_recipient_maps=" is empty.


Comments

Is your SELinux policy up to date? The current version is:

selinux-policy.noarch            3.13.1-260.14.fc26
selinux-policy-targeted.noarch   3.13.1-260.14.fc26
villykruse ( 2017-11-09 23:24:37 -0600 )

Nearly:

selinux-policy-3.13.1-260.13.fc26.noarch
selinux-policy-targeted-3.13.1-260.13.fc26.noarch

I see that the .14 version is still in testing. I shall try it later, but in the meantime I captured all the AVCs and created a custom module as a workaround. Running them through audit2allow gave:

#============= init_t ==============
allow init_t postfix_local_t:dbus send_msg;

#============= postfix_local_t ==============
allow postfix_local_t init_t:dbus send_msg;
allow postfix_local_t system_dbusd_t:dbus send_msg;

Of course this is just a temporary fix.

trestlemonkey ( 2017-11-10 03:37:24 -0600 )
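
Added example, not part of the original thread and not audit2allow's own code: a Python reading of how each denied record maps to one allow rule, so every rule in a workaround module can be checked against the denial that produced it before the module is loaded. The function names and the second and third log lines are constructed for illustration; the first is the AVC from the question, shortened.

```python
import re
from collections import defaultdict

# Line 1: the USER_AVC from the question, shortened. Lines 2-3: constructed
# denials matching the other two rules in the audit2allow output above.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1510259188.582:75273): pid=840 uid=81 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=10262 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon"'
type=USER_AVC msg=audit(0.0:1): pid=840 uid=81 msg='avc: denied { send_msg } for msgtype=method_call scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus'
type=USER_AVC msg=audit(0.0:2): pid=840 uid=81 msg='avc: denied { send_msg } for msgtype=method_return scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:postfix_local_t:s0 tclass=dbus'
"""

# Only "denied" records are matched; granted records and other audit
# event types fall through and are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?"
    r"tcontext=(?P<tcontext>\S+).*?"
    r"tclass=(?P<tclass>\w+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]


def denials_to_rules(audit_text):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        grouped[key].update(m["perms"].split())  # repeated denials collapse
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        names = sorted(perms)
        text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```
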

I thought it would be out of testing by now. Build date 24 Oct 2017.

audit2allow is the way to go.

villykruse ( 2017-11-10 11:57:23 -0600 )