Bug 431448

Summary: mail-mta/postfix-2.9.3 with 2.20120725-r2 policies: smtpd error: open database /etc/mail/aliases.db: Permission denied
Product: Gentoo Linux
Reporter: Vincent Brillault <gentoo>
Component: SELinux
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: VERIFIED FIXED
Severity: normal
CC: selinux
Priority: Normal
Version: unspecified
Hardware: AMD64
OS: Linux
Whiteboard: sec-policy r3
Package list:
Runtime testing required: ---

Description Vincent Brillault 2012-08-14 23:34:12 UTC
Upon receiving new mail, postfix tries to verify the destination and crashes, as the smtpd process seems to have no access to /etc/mail.

Reproducible: Didn't try

Steps to Reproduce:
I'm not sure how to reproduce this; different options probably have an impact. Here are my best guesses:
1. Install postfix with latest policies, relabel the system
2. Add hash:/etc/mail/aliases to alias_maps and alias_database
3. Use restrictions on smtpd_recipient_restrictions. Mine contains:
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_recipient, reject_unknown_recipient_domain
4. Try to receive mails

Actual Results:
mail.log:
Aug 15 00:50:44 ..... postfix/smtpd[14499]: error: open database /etc/mail/aliases.db: Permission denied
Aug 15 00:50:44 ..... postfix/smtpd[14499]: connect from ....[....]
Aug 15 00:50:44 ..... postfix/smtpd[14499]: Anonymous TLS connection established from ....[....]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Aug 15 00:50:44 ..... postfix/smtpd[14499]: warning: hash:/etc/mail/aliases is unavailable. open database /etc/mail/aliases.db: Permission denied
Aug 15 00:50:44 ..... postfix/smtpd[14499]: warning: hash:/etc/mail/aliases lookup error for "....."
Aug 15 00:50:44 ..... postfix/smtpd[14499]: NOQUEUE: reject: RCPT from .....[.....]: 451 4.3.0 <...>: Temporary lookup failure; ...
Aug 15 00:50:44 lerya postfix/smtpd[14499]: disconnect from ....[...]

kern.log:
Aug 15 00:50:44 .... kernel: [312389.144926] type=1400 audit(1344984644.589:1038): avc:  denied  { search } for  pid=14499 comm="smtpd" name="mail" dev="sda1" ino=423803 ipaddr=..... scontext=system_u:system_r:postfix_smtpd_t tcontext=system_u:object_r:etc_mail_t tclass=dir

I fixed this by adding mta_read_config(postfix_smtpd_t) to my rules.
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-08-15 06:52:47 UTC
Make sure that /etc/mail/aliases.db is labeled correctly (etc_aliases_t, not etc_mail_t). If it is labeled incorrectly, how did you generate the file?
Comment 2 Vincent Brillault 2012-08-15 08:08:46 UTC
I verified the labels:
system_u:object_r:etc_aliases_t for /etc/mail/aliases and /etc/mail/aliases.db
system_u:object_r:etc_mail_t for the /etc/mail folder

I think that the problem is that smtpd cannot go through /etc/mail.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-08-15 08:24:54 UTC
08:23 < Feandil> ok, I re-checked: doesn't work if I remove the fix I introduced last night (mta_read_config(postfix_smtpd_t)), works if I add search_dirs_pattern(postfix_smtpd_t, etc_mail_t, etc_mail_t)
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-08-15 13:35:24 UTC
Ok I'm updating the mta_*_aliases interfaces to support searching through the etc_mail_t directories. There already is mta_read_aliases(postfix_smtpd_t) so that should be sufficient.

Will be in rev3
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-08-16 14:11:59 UTC
r3 is in hardened-dev overlay
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2012-09-22 11:31:30 UTC
In main tree, ~arch'ed (rev 5)
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2012-10-04 18:35:41 UTC
stabilized
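The thread turns on telling a mislabelled object apart from a missing policy rule: the denial in the description targets the etc_mail_t directory (name="mail", tclass=dir), not the correctly labelled etc_aliases_t file, which is why relabeling cannot help and the interface had to gain a directory search rule. The following is an added example, not code from this bug or from the Gentoo policy tree: it parses an AVC denial line of the layout shown in kern.log and, given the labels `ls -Z` reports and the labels the file contexts expect (both maps constructed here), reports whether to relabel or to extend policy.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the kern.log line in this bug; the
# site-specific ipaddr field is dropped, the rest is the same layout.
SAMPLE_AVC = (
    'type=1400 audit(1344984644.589:1038): avc:  denied  { search } for  '
    'pid=14499 comm="smtpd" name="mail" dev="sda1" ino=423803 '
    'scontext=system_u:system_r:postfix_smtpd_t '
    'tcontext=system_u:object_r:etc_mail_t tclass=dir'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}(?:.*?name="(?P<name>[^"]*)")?'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

@dataclass(frozen=True)
class Denial:
    perms: tuple          # e.g. ('search',)
    source_type: str      # domain, e.g. postfix_smtpd_t
    target_type: str      # object type, e.g. etc_mail_t
    tclass: str           # object class, e.g. dir
    name: Optional[str]   # basename of the denied object, if logged

def parse_avc(line):
    """Parse one AVC denial line; None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    type_of = lambda ctx: ctx.split(':')[2]   # user:role:type[:level]
    return Denial(tuple(sorted(m['perms'].split())), type_of(m['scontext']),
                  type_of(m['tcontext']), m['tclass'], m['name'])

def allow_rule(d):
    """Minimal TE rule satisfying the denial (what audit2allow would print)."""
    return f'allow {d.source_type} {d.target_type}:{d.tclass} {{ {" ".join(d.perms)} }};'

def diagnose(d, observed, expected):
    """observed/expected map path -> type (what `ls -Z` shows / what the file
    contexts require). A denial on an object whose observed type differs from
    the expected one is a labeling problem (fix: restorecon); if the labels
    already agree, the domain is simply missing a rule."""
    for path, typ in observed.items():
        if d.name and path.rsplit('/', 1)[-1] != d.name:
            continue
        if typ == d.target_type and expected.get(path, typ) != typ:
            return ('relabel', path, expected[path])
    return ('policy', allow_rule(d))
```

For this bug the verdict is "policy", and the raw allow rule it prints is what the updated mta_read_aliases interface expresses via search_dirs_pattern.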