Upon receiving new mails, postfix tries to verify the destination and crashes, as the smtpd process seems to have no access to /etc/mail/aliases.

Reproducible: Didn't try

Steps to Reproduce:
I'm not sure how to reproduce; probably different options have an impact. Here are my best guesses:
1. Install postfix with latest policies, relabel the system
2. Add hash:/etc/mail/aliases to alias_maps and alias_database
3. Use restrictions on smtpd_recipient_restrictions. Mine contains:
   smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_recipient, reject_unknown_recipient_domain
4. Try to receive mails

Actual Results:

mail.log:
Aug 15 00:50:44 ..... postfix/smtpd[14499]: error: open database /etc/mail/aliases.db: Permission denied
Aug 15 00:50:44 ..... postfix/smtpd[14499]: connect from ....[....]
Aug 15 00:50:44 ..... postfix/smtpd[14499]: Anonymous TLS connection established from ....[....]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Aug 15 00:50:44 ..... postfix/smtpd[14499]: warning: hash:/etc/mail/aliases is unavailable. open database /etc/mail/aliases.db: Permission denied
Aug 15 00:50:44 ..... postfix/smtpd[14499]: warning: hash:/etc/mail/aliases lookup error for "....."
Aug 15 00:50:44 ..... postfix/smtpd[14499]: NOQUEUE: reject: RCPT from .....[.....]: 451 4.3.0 <...>: Temporary lookup failure; ...
Aug 15 00:50:44 lerya postfix/smtpd[14499]: disconnect from ....[...]

kern.log:
Aug 15 00:50:44 .... kernel: [312389.144926] type=1400 audit(1344984644.589:1038): avc: denied { search } for pid=14499 comm="smtpd" name="mail" dev="sda1" ino=423803 ipaddr=..... scontext=system_u:system_r:postfix_smtpd_t tcontext=system_u:object_r:etc_mail_t tclass=dir

I fixed this by adding mta_read_config(postfix_smtpd_t) to my rules.
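The kern.log line above is the key diagnostic: it names the source domain (postfix_smtpd_t), the target type (etc_mail_t), the object class (dir) and the denied permission (search). The following is an added example, not code from the report or from the Gentoo policy repository, that parses such an AVC denial into those fields, prints the raw allow rule the denial corresponds to, and suggests the matching refpolicy pattern macro. The sample line is constructed from the one in the report, with the elided host and ipaddr fields dropped; the macro table is a small, partial mapping and is an assumption of this example, not something the report states. As the thread goes on to show, the proper fix is an existing interface (mta_read_aliases), so the generated rule is for understanding the denial, not for pasting into policy.

```python
import re

# Constructed sample, modelled on the kern.log line in the report
# (the report's hostname and ipaddr were elided, so they are omitted here).
SAMPLE_AVC = (
    'Aug 15 00:50:44 host kernel: [312389.144926] type=1400 audit(1344984644.589:1038): '
    'avc: denied { search } for pid=14499 comm="smtpd" name="mail" dev="sda1" ino=423803 '
    'scontext=system_u:system_r:postfix_smtpd_t tcontext=system_u:object_r:etc_mail_t tclass=dir'
)

# Matches the permission set and the trailing key=value fields of an AVC record.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$')

# Partial mapping from (class, permissions) to refpolicy pattern macros.
# This table is an assumption of the example; it covers only a few common cases.
PATTERN_MACROS = {
    ('dir', frozenset(['search'])): 'search_dirs_pattern({src}, {tgt}, {tgt})',
    ('dir', frozenset(['read', 'getattr'])): 'list_dirs_pattern({src}, {tgt}, {tgt})',
    ('file', frozenset(['read', 'getattr', 'open'])): 'read_files_pattern({src}, {tgt}, {tgt})',
}


def parse_avc(line):
    """Return the security-relevant fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group('perms').split()
    fields = {}
    # Values are either double-quoted strings (comm="smtpd") or bare tokens (tclass=dir).
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('kv')):
        fields[key] = val.strip('"')
    # A context is user:role:type[:level]; the type is the part policy rules refer to.
    source_type = fields['scontext'].split(':')[2]
    target_type = fields['tcontext'].split(':')[2]
    return {
        'perms': perms,
        'source_type': source_type,
        'target_type': target_type,
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'name': fields.get('name'),
    }


def allow_rule(denial):
    """The raw Type Enforcement rule that would permit exactly this denial."""
    return 'allow %s %s:%s { %s };' % (
        denial['source_type'], denial['target_type'], denial['tclass'], ' '.join(denial['perms']))


def suggest_pattern(denial):
    """Refpolicy pattern macro covering this denial, or None if the table has no entry."""
    template = PATTERN_MACROS.get((denial['tclass'], frozenset(denial['perms'])))
    if template is None:
        return None
    return template.format(src=denial['source_type'], tgt=denial['target_type'])


if __name__ == '__main__':
    d = parse_avc(SAMPLE_AVC)
    print('%s (comm=%s) denied %s on %s:%s named %r' % (
        d['source_type'], d['comm'], ' '.join(d['perms']), d['target_type'], d['tclass'], d['name']))
    print('raw rule:    ', allow_rule(d))
    print('refpolicy:   ', suggest_pattern(d))
```

For the report's line this yields `allow postfix_smtpd_t etc_mail_t:dir { search };` and the macro `search_dirs_pattern(postfix_smtpd_t, etc_mail_t, etc_mail_t)`, which is the rule Feandil later confirms makes the lookup work; the maintainer's resolution folds that search permission into the mta_*_aliases interfaces instead of adding a bare rule.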
Make sure that /etc/mail/aliases.db is labeled correctly (etc_aliases_t, not etc_mail_t). If it is labeled incorrectly, how did you generate the file?
I verified the labels:
system_u:object_r:etc_aliases_t for /etc/mail/aliases and /etc/mail/aliases.db
system_u:object_r:etc_mail_t for the /etc/mail folder

I think that the problem is that smtpd cannot go through /etc/mail.
08:23 < Feandil> ok, I re-checked: doesn't work if I remove the fix I introduced last night (mta_read_config(postfix_smtpd_t)), works if I add search_dirs_pattern(postfix_smtpd_t, etc_mail_t, etc_mail_t)
Ok, I'm updating the mta_*_aliases interfaces to support searching through the etc_mail_t directories. There already is mta_read_aliases(postfix_smtpd_t), so that should be sufficient. Will be in rev3.
r3 is in hardened-dev overlay
In main tree, ~arch'ed (rev 5)
stabilized