Trying to use the "postqueue" command with the latest SELinux policy results in the following errors (blocking the execution):

    zsh: permission denied: /usr/sbin/postqueue
    avc: denied { execute } for pid=9300 comm="zsh" name="postqueue" dev="sda1" ino=579951 scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:object_r:postfix_postqueue_exec_t tclass=file

Reproducible: Always

Steps to Reproduce:
1. Install postfix with its SELinux policy on a SELinux-aware Gentoo
2. Launch postfix daemon in enforcing mode
3. Run /usr/sbin/postqueue -p while in sysadm role

Actual Results:

    zsh: permission denied: /usr/sbin/postqueue
    avc: denied { execute } for pid=9325 comm="zsh" name="postqueue" dev="sda1" ino=579951 scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:object_r:postfix_postqueue_exec_t tclass=file

Expected Results:

    -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
    .... (list of ids) ...
    -- .... Kbytes in ... Requests.

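The denial quoted in the report above, split into its fields and rendered as the raw type-enforcement rule it corresponds to. This is an added example, not part of the original thread or of the Gentoo policy; the function names are hypothetical, and the raw allow rule only restates the denial (the thread itself resolves the issue through policy interfaces).

```python
import re

# Denial line copied from the report above; it is the only input taken from the page.
SAMPLE = ('avc: denied { execute } for pid=9300 comm="zsh" name="postqueue" '
          'dev="sda1" ino=579951 scontext=staff_u:sysadm_r:sysadm_t '
          'tcontext=system_u:object_r:postfix_postqueue_exec_t tclass=file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not a usable denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    for key in ('scontext', 'tcontext', 'tclass'):
        if key not in fields:
            return None  # truncated record: refuse to guess the missing part
    fields['perms'] = m.group('perms').split()
    return fields


def context_type(context):
    """Extract the type from a context of the form user:role:type[:mls-range]."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % context)
    return parts[2]


def to_allow_rule(fields):
    """Render the denial as the raw allow rule that would permit exactly this access."""
    perms = fields['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (context_type(fields['scontext']),
                                   context_type(fields['tcontext']),
                                   fields['tclass'], perm_str)


if __name__ == '__main__':
    print(to_allow_rule(parse_avc(SAMPLE)))
```

Reading the source type, target type, class and permission out of the denial this way shows which domain lacks which access before deciding whether a policy interface already covers it.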
Will be in rev2
r2 is now in hardened-dev overlay
Great! I've just tested the 'postqueue' command and it seems to work (I've tested the basic commands of postqueue, with no errors so far). There is still one little problem: Postqueue has a fallback mechanism if it is run when postfix is down. It directly accesses the files to obtain information on the messages. It's a less important feature so I don't know if we really want to support it. Examples:

*Postfix up:

    #postqueue -p
    -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
    .....
    -- 2 Kbytes in 1 Request.

*Postfix down, enforce:

    #postqueue -p
    postqueue: warning: Mail system is down -- accessing queue directly
    postqueue: fatal: execv /usr/libexec/postfix/showq: Permission denied

*postfix down, permissive:

    postqueue -p
    postqueue: warning: Mail system is down -- accessing queue directly
    -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
    ...
    -- 2 Kbytes in 1 Request.

I can reproduce it with more information (avcs) if you need.
I haven't done a thorough investigation of all features, just ran "postqueue -p" to see if I can reproduce (which was indeed the case) and then added in a "can_exec(sysadm_t, postfix_showq_exec_t)" and I didn't get an error anymore. However, I don't have much postfix experience - is this fallback only to view the queue, or should other operations also work?
Ok, can_exec added to repo and will be in r7
r7 is now in hardened-dev
Sorry for the late answer. I'm not an expert on postfix but I think that in offline mode, you can theoretically call postqueue or postsuper on a non-SELinux system. Nevertheless, for me, listing with postqueue is enough (Last time I tried to use postsuper without postfix running (without SELinux), it didn't work well). In sysadm.te (in r7) there are only the following rules:

    optional_policy(`
        postfix_exec_master(sysadm_t)
        postfix_exec_postqueue(sysadm_t)
        postfix_stream_connect_master(sysadm_t)
    ')

Shouldn't the can_exec(sysadm_t, postfix_showq_exec_t) be added here (or those rules replaced by postfix_admin(sysadm_t,sysadm_r))?
I added it in the postfix_admin() interface, as it seems logical that only those domains with postfix_admin() rights should be able to do this.
In main tree, ~arch'ed
r8 is now stable