Bug 465448 - mail-mta/postfix-2.10.0 new default configuration and sec-policy/selinux-postfix-2.20120725-r12
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: sec-policy r1
Keywords:
Depends on:
Blocks:
 
Reported: 2013-04-10 21:33 UTC by Vincent Brillault
Modified: 2013-06-16 17:59 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---

Description Vincent Brillault 2013-04-10 21:33:14 UTC
Postfix folks changed their default configuration in the last update, as explained in http://www.postfix.org/announcements/postfix-2.10.0.html:
''Laptop-friendly configuration. By default, Postfix now uses UNIX-domain sockets instead of FIFOs, and thus avoids MTIME file system updates on an idle mail system.''

It results in the following modification in the master.cf:
-pickup    fifo  n       -       n       60      1       pickup
+pickup    unix  n       -       n       60      1       pickup
 cleanup   unix  n       -       n       -       0       cleanup
-qmgr      fifo  n       -       n       300     1       qmgr
-#qmgr     fifo  n       -       n       300     1       oqmgr
+qmgr      unix  n       -       n       300     1       qmgr
+#qmgr     unix  n       -       n       300     1       oqmgr
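Review bot: with pickup and qmgr switched from fifo to unix (the four changed lines above), the endpoints under /var/spool/postfix/public/ become sockets, so the existing rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) rule no longer matches the object class postdrop has to look up; the policy needs a sock_file counterpart added alongside the fifo_file rule rather than replacing it, since a site that keeps the old fifo entries (or the commented oqmgr line with its previous type) still depends on fifo_file access.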

As a result, the corresponding fifo/socket changes, e.g.:
before: /var/spool/postfix/public/pickup: fifo (named pipe)
after: /var/spool/postfix/public/pickup: socket

The current selinux module already contains the following rule:
rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)

After the change, no mail seems to be dropped, but the following line appears in mail.warn on every mail sent locally:
Apr 10 16:35:05 lerya postfix/postdrop[10083]: warning: unable to look up public/pickup: Permission denied
Apr 10 16:35:06 lerya postfix/postdrop[10086]: warning: unable to look up public/pickup: Permission denied
Apr 10 16:41:14 lerya postfix/postdrop[10170]: warning: unable to look up public/pickup: Permission denied
Apr 10 17:00:04 lerya postfix/postdrop[10409]: warning: unable to look up public/pickup: Permission denied
Apr 10 17:00:09 lerya postfix/postdrop[10412]: warning: unable to look up public/pickup: Permission denied
Apr 10 17:35:04 lerya postfix/postdrop[10846]: warning: unable to look up public/pickup: Permission denied
Apr 10 17:35:09 lerya postfix/postdrop[10853]: warning: unable to look up public/pickup: Permission denied
Apr 10 17:35:11 lerya postfix/postdrop[10849]: warning: unable to look up public/pickup: Permission denied
Apr 10 17:45:05 lerya postfix/postdrop[11046]: warning: unable to look up public/pickup: Permission denied
Apr 10 17:45:11 lerya postfix/postdrop[11054]: warning: unable to look up public/pickup: Permission denied
Apr 10 17:45:12 lerya postfix/postdrop[11049]: warning: unable to look up public/pickup: Permission denied

Adding the following rule (I didn't check for proper interfaces) removed those warnings: allow postfix_postdrop_t postfix_public_t:sock_file getattr;
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2013-04-11 16:22:17 UTC
Thanks, added an rw_sock_files_pattern() call (which includes getattr). From the other domains (and the existing rw_fifo_files_pattern) I think that's better than only allowing getattr...

Is in repo, will be in rev 13
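The description and Comment 1 together describe a labelling mismatch: master.cf now declares pickup and qmgr as unix services, so the objects in public/ are sock_file, while the policy only granted fifo_file on postfix_public_t. The following script is an added example (not part of this bug report, the Postfix distribution, or the sec-policy/selinux-postfix package) that cross-checks a master.cf against sesearch-style allow rules and prints the refpolicy pattern that closes the gap. Both inputs are constructed excerpts: the master.cf mirrors the post-2.10 defaults quoted above, and the two rule sets model the policy before and after Sven's fix. The set of permissions treated as required (getattr, open, read, write) and the mapping of the master.cf "private" column to public/ versus private/ are this example's assumptions, not something the bug states.

```python
"""Cross-check Postfix master.cf service types against SELinux allow rules.

Postfix 2.10 switched pickup and qmgr from 'fifo' to 'unix' in master.cf, so
the objects in /var/spool/postfix/public/ changed from fifo_file to sock_file
and a policy that only grants fifo_file access on postfix_public_t no longer
covers them. Added example, not the project's own code: derive the object
class each service needs and report the allow rules the policy lacks.
"""
import re

# Constructed excerpt of a post-2.10 master.cf (not the reporter's file).
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=may
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
"""

# Constructed 'sesearch -A -s postfix_postdrop_t -t postfix_public_t' output,
# modelling the policy before the fix (fifo_file only) and after it.
SESEARCH_BEFORE = """\
allow postfix_postdrop_t postfix_public_t:dir { getattr open search };
allow postfix_postdrop_t postfix_public_t:fifo_file { getattr open read write };
"""
SESEARCH_AFTER = SESEARCH_BEFORE + (
    "allow postfix_postdrop_t postfix_public_t:sock_file { getattr open read write };\n"
)

# master.cf transport -> SELinux object class of the endpoint it creates.
SERVICE_CLASS = {"fifo": "fifo_file", "unix": "sock_file"}
# object class -> refpolicy pattern that grants read/write (and getattr) on it.
RW_PATTERN = {"fifo_file": "rw_fifo_files_pattern", "sock_file": "rw_sock_files_pattern"}

# 'allow src tgt:class { p1 p2 };' or 'allow src tgt:class p1;'
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;")


def parse_master_cf(text):
    """Map 'public/<name>' or 'private/<name>' to the object class each
    fifo/unix service needs. Assumption: column 3 ('private') equal to 'n'
    puts the endpoint in public/; '-' or 'y' puts it in private/."""
    services = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#") or raw[0].isspace():
            continue  # blank, comment, or '-o' continuation of the previous entry
        fields = raw.split()
        if len(fields) < 8:
            continue
        name, stype, private = fields[0], fields[1], fields[2]
        if stype in SERVICE_CLASS:
            subdir = "public" if private == "n" else "private"
            services[f"{subdir}/{name}"] = SERVICE_CLASS[stype]
    return services


def parse_allow_rules(text):
    """Parse sesearch-style allow lines into {(src, tgt, class): set(perms)}."""
    rules = {}
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue
        src, tgt, cls, braced, single = m.groups()
        perms = braced.split() if braced is not None else [single]
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules


def missing_rules(services, rules, src, tgt, subdir="public",
                  needed=("getattr", "open", "read", "write")):
    """Return {endpoint: object_class} for services under <subdir>/ whose
    object class is not granted all of `needed` (an assumed minimum) from
    src to tgt."""
    missing = {}
    for endpoint, cls in services.items():
        granted = rules.get((src, tgt, cls), set())
        if endpoint.startswith(subdir + "/") and not set(needed) <= granted:
            missing[endpoint] = cls
    return missing


def suggested_fix(missing, src, tgt):
    """One refpolicy pattern call per object class that is still missing."""
    return sorted(f"{RW_PATTERN[cls]}({src}, {tgt}, {tgt})" for cls in set(missing.values()))


if __name__ == "__main__":
    svc = parse_master_cf(MASTER_CF)
    for label, text in (("before", SESEARCH_BEFORE), ("after", SESEARCH_AFTER)):
        gap = missing_rules(svc, parse_allow_rules(text), "postfix_postdrop_t", "postfix_public_t")
        print(label, gap, suggested_fix(gap, "postfix_postdrop_t", "postfix_public_t"))
```

Against the "before" rule set the script flags public/pickup, public/cleanup and public/qmgr as sock_file endpoints with no matching rule and suggests exactly the rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) call from Comment 1; against the "after" set it reports nothing. On a live system the same check would be fed the real /etc/postfix/master.cf and the output of sesearch for the relevant domain pair.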
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2013-05-06 18:26:54 UTC
In main tree, ~arch'ed (20130424-r1 release)
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2013-06-16 17:59:17 UTC
Now stable in repo