429908 – mail-mta/postfix-2.9.3 with sec-policy/selinux-postfix-2.20120215-r15: Wrong labels (Binaries have been moved)

Bug 429908 - mail-mta/postfix-2.9.3 with sec-policy/selinux-postfix-2.20120215-r15: Wrong labels (Binaries have been moved)

Summary: mail-mta/postfix-2.9.3 with sec-policy/selinux-postfix-2.20120215-r15: Wrong ...

Status:	VERIFIED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	SELinux (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Sven Vermeulen (RETIRED)

URL:
Whiteboard:	sec-policy r2
Keywords:

Depends on:
Blocks:

Reported:	2012-08-04 19:40 UTC by Vincent Brillault
Modified:	2012-10-04 18:33 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Vincent Brillault 2012-08-04 19:40:46 UTC

The binaries of postfix have moved from /usr/lib to /usr/libexec. Their is no rule to label those files. As a result postfix won't work at all.



Reproducible: Always

Steps to Reproduce:
1. Install sec-policy/selinux-postfix-2.20120215-r15
2. Install mail-mta/postfix-2.9.3
3. Relabel your system, check the labels
4. (Optionnal) Try to run postfix
Actual Results:  
llaZ /usr/libexec/postfix
total 8.3M
236K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 236K 2012-08-04 15:04 anvil*
288K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 288K 2012-08-04 15:04 bounce*
408K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 406K 2012-08-04 15:04 cleanup*
260K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 260K 2012-08-04 15:04 discard*
240K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 240K 2012-08-04 15:04 dnsblog*
264K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 264K 2012-08-04 15:04 error*
244K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 244K 2012-08-04 15:04 flush*
456K -rwxr-xr-x. 2 root root system_u:object_r:bin_t 456K 2012-08-04 15:04 lmtp*
360K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 360K 2012-08-04 15:04 local*
 28K -rw-r--r--. 1 root root system_u:object_r:bin_t  26K 2012-08-04 15:04 main.cf
176K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 176K 2012-08-04 15:04 master*
8.0K -rw-r--r--. 1 root root system_u:object_r:bin_t 5.6K 2012-08-04 15:04 master.cf
324K -rwxr-xr-x. 2 root root system_u:object_r:bin_t 324K 2012-08-04 15:04 nqmgr*
316K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 316K 2012-08-04 15:04 oqmgr*
248K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 248K 2012-08-04 15:04 pickup*
300K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 300K 2012-08-04 15:04 pipe*
 20K -rw-r--r--. 1 root root system_u:object_r:bin_t  19K 2012-08-04 15:04 postfix-files
 12K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 8.1K 2012-08-04 15:04 postfix-script*
8.0K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 6.4K 2012-08-04 15:04 postfix-wrapper*
 28K -rwxr-xr-x. 1 root root system_u:object_r:bin_t  26K 2012-08-04 15:04 post-install*
 12K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 8.3K 2012-08-04 15:04 postmulti-script*
300K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 300K 2012-08-04 15:04 postscreen*
224K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 224K 2012-08-04 15:04 proxymap*
324K -rwxr-xr-x. 2 root root system_u:object_r:bin_t 324K 2012-08-04 15:04 qmgr*
268K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 268K 2012-08-04 15:04 qmqpd*
232K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 232K 2012-08-04 15:04 scache*
252K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 252K 2012-08-04 15:04 showq*
456K -rwxr-xr-x. 2 root root system_u:object_r:bin_t 456K 2012-08-04 15:04 smtp*
556K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 553K 2012-08-04 15:04 smtpd*
236K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 236K 2012-08-04 15:04 spawn*
256K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 256K 2012-08-04 15:04 tlsmgr*
292K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 292K 2012-08-04 15:04 tlsproxy*
256K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 256K 2012-08-04 15:04 trivial-rewrite*
252K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 252K 2012-08-04 15:04 verify*
292K -rwxr-xr-x. 1 root root system_u:object_r:bin_t 292K 2012-08-04 15:04 virtual*



Expected Results:  
llaZ /usr/libexec/postfix
total 8.3M
236K -rwxr-xr-x. 1 root root system_u:object_r:postfix_exec_t         236K 2012-08-04 15:04 anvil*
288K -rwxr-xr-x. 1 root root system_u:object_r:postfix_bounce_exec_t  288K 2012-08-04 15:04 bounce*
408K -rwxr-xr-x. 1 root root system_u:object_r:postfix_cleanup_exec_t 406K 2012-08-04 15:04 cleanup*
260K -rwxr-xr-x. 1 root root system_u:object_r:postfix_exec_t         260K 2012-08-04 15:04 discard*
240K -rwxr-xr-x. 1 root root system_u:object_r:postfix_exec_t         240K 2012-08-04 15:04 dnsblog*
264K -rwxr-xr-x. 1 root root system_u:object_r:postfix_exec_t         264K 2012-08-04 15:04 error*
244K -rwxr-xr-x. 1 root root system_u:object_r:postfix_exec_t         244K 2012-08-04 15:04 flush*
456K -rwxr-xr-x. 2 root root system_u:object_r:postfix_smtp_exec_t    456K 2012-08-04 15:04 lmtp*
360K -rwxr-xr-x. 1 root root system_u:object_r:postfix_local_exec_t   360K 2012-08-04 15:04 local*
 28K -rw-r--r--. 1 root root system_u:object_r:postfix_exec_t          26K 2012-08-04 15:04 main.cf
176K -rwxr-xr-x. 1 root root system_u:object_r:postfix_master_exec_t  176K 2012-08-04 15:04 master*
8.0K -rw-r--r--. 1 root root system_u:object_r:postfix_exec_t         5.6K 2012-08-04 15:04 master.cf
324K -rwxr-xr-x. 2 root root system_u:object_r:postfix_qmgr_exec_t    324K 2012-08-04 15:04 nqmgr*
316K -rwxr-xr-x. 1 root root system_u:object_r:postfix_exec_t         316K 2012-08-04 15:04 oqmgr*
248K -rwxr-xr-x. 1 root root system_u:object_r:postfix_pickup_exec_t  248K 2012-08-04 15:04 pickup*
300K -rwxr-xr-x. 1 root root system_u:object_r:postfix_pipe_exec_t    300K 2012-08-04 15:04 pipe*
 20K -rw-r--r--. 1 root root system_u:object_r:postfix_exec_t          19K 2012-08-04 15:04 postfix-files
 12K -rwxr-xr-x. 1 root root system_u:object_r:postfix_exec_t         8.1K 2012-08-04 15:04 postfix-script*
8.0K -rwxr-xr-x. 1 root root system_u:object_r:postfix_exec_t         6.4K 2012-08-04 15:04 postfix-wrapper*
 28K -rwxr-xr-x. 1 root root system_u:object_r:postfix_exec_t          26K 2012-08-04 15:04 post-install*
 12K -rwxr-xr-x. 1 root root system_u:object_r:postfix_exec_t         8.3K 2012-08-04 15:04 postmulti-script*
300K -rwxr-xr-x. 1 root root system_u:object_r:postfix_exec_t         300K 2012-08-04 15:04 postscreen*
224K -rwxr-xr-x. 1 root root system_u:object_r:postfix_exec_t         224K 2012-08-04 15:04 proxymap*
324K -rwxr-xr-x. 2 root root system_u:object_r:postfix_qmgr_exec_t    324K 2012-08-04 15:04 qmgr*
268K -rwxr-xr-x. 1 root root system_u:object_r:postfix_exec_t         268K 2012-08-04 15:04 qmqpd*
232K -rwxr-xr-x. 1 root root system_u:object_r:postfix_smtp_exec_t    232K 2012-08-04 15:04 scache*
252K -rwxr-xr-x. 1 root root system_u:object_r:postfix_exec_t         252K 2012-08-04 15:04 showq*
456K -rwxr-xr-x. 2 root root system_u:object_r:postfix_smtp_exec_t    456K 2012-08-04 15:04 smtp*
556K -rwxr-xr-x. 1 root root system_u:object_r:postfix_smtpd_exec_t   553K 2012-08-04 15:04 smtpd*
236K -rwxr-xr-x. 1 root root system_u:object_r:postfix_exec_t         236K 2012-08-04 15:04 spawn*
256K -rwxr-xr-x. 1 root root system_u:object_r:postfix_exec_t         256K 2012-08-04 15:04 tlsmgr*
292K -rwxr-xr-x. 1 root root system_u:object_r:postfix_exec_t         292K 2012-08-04 15:04 tlsproxy*
256K -rwxr-xr-x. 1 root root system_u:object_r:postfix_exec_t         256K 2012-08-04 15:04 trivial-rewrite*
252K -rwxr-xr-x. 1 root root system_u:object_r:postfix_exec_t         252K 2012-08-04 15:04 verify*
292K -rwxr-xr-x. 1 root root system_u:object_r:postfix_virtual_exec_t 292K 2012-08-04 15:04 virtual*



If you try to launch postfix, the logs will contain errors such as:

Aug  4 21:22:10 *** postfix/pickup[12217]: warning: open input file maildrop/********: cannot open file: Permission denied
Aug  4 21:22:10 *** postfix/pickup[12217]: warning: if this file was created by Postfix < 1.1, then you may have to chmod a+r /var/spool/postfix/maildrop/********
Aug  4 21:22:10 *** postfix/pickup[12217]: warning: open input file maildrop/********: cannot open file: Permission denied
Aug  4 21:22:10 *** postfix/pickup[12217]: warning: if this file was created by Postfix < 1.1, then you may have to chmod a+r /var/spool/postfix/maildrop/********
Aug  4 21:22:10 *** postfix/pickup[12217]: warning: open input file maildrop/********: cannot open file: Permission denied
Aug  4 21:22:10 *** postfix/pickup[12217]: warning: if this file was created by Postfix < 1.1, then you may have to chmod a+r /var/spool/postfix/maildrop/********

Comment 1 Vincent Brillault 2012-08-05 15:57:13 UTC

I just checked the postfix.fc contained in both the current policy and the one in the overlay. There is a "ifdef(`distro_redhat'," that changes the rules in order to use the /usr/libexec instead of the /usr/lib.

What's strange is that this ifdef also introduces a new line:
/usr/libexec/postfix/showq --   gen_context(system_u:object_r:postfix_showq_exec_t,s0)

Comment 2 Sven Vermeulen (RETIRED) gentoo-dev

2012-08-11 19:01:48 UTC

Will be in rev2

Comment 3 Sven Vermeulen (RETIRED) gentoo-dev

2012-08-14 18:57:02 UTC

r2 is now in hardened-dev overlay

Comment 4 Sven Vermeulen (RETIRED) gentoo-dev

2012-09-22 11:30:21 UTC

In main tree, ~arch'ed (rev 5)

Comment 5 Sven Vermeulen (RETIRED) gentoo-dev

2012-10-04 18:33:42 UTC

stabilized