Your message dated Thu, 18 Jul 2024 23:34:22 +0000
with message-id <[email protected]>
and subject line Bug#781776: fixed in postfix 3.9.0-3
has caused the Debian Bug report #781776,
regarding selinux-policy-default: postfix does not start when SELinux is set to
enforcing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
781776: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781776
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: selinux-policy-default
Version: 2:2.20140421-9
Severity: normal
Dear Maintainer,
postfix does not start when SELinux is set to enforcing:
root@debian8gi:~# se_apt-get install postfix
[...]
root@debian8gi:~# run_init systemctl start postfix
Authenticating root.
Password:
root@debian8gi:~# run_init systemctl status postfix
Authenticating root.
Password:
● postfix.service - LSB: Postfix Mail Transport Agent
Loaded: loaded (/etc/init.d/postfix)
Drop-In: /run/systemd/generator/postfix.service.d
└─50-postfix-$mail-transport-agent.conf
Active: active (exited) since Thu 2015-04-02 13:09:43 CEST; 8min ago
Process: 2028 ExecStop=/etc/init.d/postfix stop (code=exited,
status=0/SUCCESS)
Process: 2040 ExecStart=/etc/init.d/postfix start (code=exited,
status=0/SUCCESS)
Apr 02 13:09:43 debian8gi postfix[2040]: Starting Postfix Mail Transport Agent:
postfix.
Apr 02 13:09:43 debian8gi postfix/master[2140]: fatal: open lock file
pid/master.pid: cannot create file exclusively: Permission denied
The following AVC is logged:
type=AVC msg=audit(1427973050.472:88): avc: denied { net_admin } for
pid=2144 comm="systemd-tty-ask" capability=12
scontext=system_u:system_r:systemd_passwd_agent_t:s0
tcontext=system_u:system_r:systemd_passwd_agent_t:s0 tclass=capability
permissive=0
It looks that the appropriate directory was not correctly labled by default:
root@debian8gi:/etc/postfix# ls -ldZ /var/spool/postfix/pid/
drwxr-xr-x. 2 root root system_u:object_r:var_spool_t:SystemLow 4096 Apr 2
13:07 /var/spool/postfix/pid/
root@debian8gi:/etc/postfix# restorecon -v /var/spool/postfix/pid/
restorecon reset /var/spool/postfix/pid context
system_u:object_r:var_spool_t:s0->system_u:object_r:var_run_t:s0
root@debian8gi:/etc/postfix# ls -ldZ /var/spool/postfix/pid/
drwxr-xr-x. 2 root root system_u:object_r:var_run_t:SystemLow 4096 Apr 2 13:07
/var/spool/postfix/pid/
Nevertheless: even after this adaption the process still not starts up:
root@debian8gi:/etc/postfix# run_init systemctl start postfix
Authenticating root.
Password:
root@debian8gi:/etc/postfix# run_init systemctl status postfix
Authenticating root.
Password:
● postfix.service - LSB: Postfix Mail Transport Agent
Loaded: loaded (/etc/init.d/postfix)
Drop-In: /run/systemd/generator/postfix.service.d
└─50-postfix-$mail-transport-agent.conf
Active: active (exited) since Thu 2015-04-02 14:13:52 CEST; 3s ago
Process: 3455 ExecStop=/etc/init.d/postfix stop (code=exited,
status=0/SUCCESS)
Process: 3468 ExecStart=/etc/init.d/postfix start (code=exited,
status=0/SUCCESS)
Apr 02 14:13:52 debian8gi postfix[3468]: Starting Postfix Mail Transport Agent:
postfix.
Apr 02 14:13:52 debian8gi postfix/master[3568]: fatal: bind: public/pickup:
Permission denied
The AVC:
type=AVC msg=audit(1427976832.296:134): avc: denied { create } for pid=3568
comm="master" name="pickup" scontext=system_u:system_r:postfix_master_t:s0
tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file permissive=0
Therefore it looks that a more general restorecon is needed:
root@debian8gi:/etc/postfix# restorecon -v -R /var/spool/postfix
restorecon reset /var/spool/postfix context
system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/deferred context
system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/maildrop context
system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/etc/hosts context
system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/services context
system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/localtime context
system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/nsswitch.conf context
system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/host.conf context
system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/resolv.conf context
system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/defer context
system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/flush context
system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_flush_t:s0
restorecon reset /var/spool/postfix/public context
system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_public_t:s0
restorecon reset /var/spool/postfix/active context
system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/corrupt context
system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/private context
system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_private_t:s0
restorecon reset /var/spool/postfix/saved context
system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/incoming context
system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/bounce context
system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_bounce_t:s0
After this it is possible to start postfix.
Kind regards
Andre
-- System Information:
Debian Release: 8.0
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages selinux-policy-default depends on:
ii libpam-modules 1.1.8-3.1
ii libselinux1 2.3-2
ii libsepol1 2.3-2
ii policycoreutils 2.3-1
ii python 2.7.9-1
ii selinux-utils 2.3-2
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.3-1
ii setools 3.3.8-3.1
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: postfix
Source-Version: 3.9.0-3
Done: Scott Kitterman <[email protected]>
We believe that the bug you reported is fixed in the latest version of
postfix, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Scott Kitterman <[email protected]> (supplier of updated postfix package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 18 Jul 2024 17:06:30 -0400
Source: postfix
Architecture: source
Version: 3.9.0-3
Distribution: unstable
Urgency: medium
Maintainer: LaMont Jones <[email protected]>
Changed-By: Scott Kitterman <[email protected]>
Closes: 781776
Changes:
postfix (3.9.0-3) unstable; urgency=medium
.
* Replace hard coding of config path for Cyrus SASL in
d/p/07_sasl_config.diff with setting the Debian location via
cyrus_sasl_config_path.
* Update creation of /var/spool/postfix in preinst to include -Z option so
that SE Linux security context is properly applied when SE Linux is
actived. Closes: #781776
* Bump standards-version to 4.7.0 without further change.
* Use raw strings in d/tests/testlib.py to fix SyntaxWarnings with Python
3.12.
Checksums-Sha1:
fe7a4719496da420338455d65b4ab3304f88756a 3101 postfix_3.9.0-3.dsc
7c0e83a4434ed0bdff84b58f646e94a84a10df5d 4953133 postfix_3.9.0.orig.tar.gz
42a248bc30ba0f500c455b80edd103f952cea0a4 220 postfix_3.9.0.orig.tar.gz.asc
384070eb0ffd2824911c97e63eb3d38c493901f9 198752 postfix_3.9.0-3.debian.tar.xz
81f03ed571b7997903b42faeacec0ba3e9c7a4c6 7303 postfix_3.9.0-3_source.buildinfo
Checksums-Sha256:
bdde089912d00ff711f7eee4015ee1c3a38e9de70e3075a6d6d70d8c033b2e7c 3101
postfix_3.9.0-3.dsc
56f5e420e7c25455a4e96c19b672f80f9a0a35fb5becc9247c9e3d5dcc617f34 4953133
postfix_3.9.0.orig.tar.gz
c1358424395efa2c51f91d8bd64df85393a921c610a9c13be98625b7ef71c2a0 220
postfix_3.9.0.orig.tar.gz.asc
6089a26c69dbb7649edf24a34ab6bc7ef5c92002523423d96c71a74b09198d9f 198752
postfix_3.9.0-3.debian.tar.xz
07de84be7cb966db692b290a1121aca3467131a838240a8b9d4248828fb8774d 7303
postfix_3.9.0-3_source.buildinfo
Files:
707f4e3c53b668c22a385d7fe1063892 3101 mail optional postfix_3.9.0-3.dsc
3eda9b945ed6cdf11ef58a731c574a04 4953133 mail optional
postfix_3.9.0.orig.tar.gz
38dcbd73b9ffb3d825c3c2602de7a2da 220 mail optional
postfix_3.9.0.orig.tar.gz.asc
bb80cca2c69426a2aacbdbf45404aa15 198752 mail optional
postfix_3.9.0-3.debian.tar.xz
2095e13c3c5d1f8014e9a71894f78c60 7303 mail optional
postfix_3.9.0-3_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE53Kb/76FQA/u7iOxeNfe+5rVmvEFAmaZoDcACgkQeNfe+5rV
mvFLuQ//XH0tnvYLGxCzr+5yzQujAuw+UbknpM9IXaKRyQlxf9wNUGijjs/IabLj
t1a4igTuZx0LlRpBJC2q5HtYRGAx+l3H0tW6u9hKYOxjECq/U0yVnWnhx/ZJhTV5
uDJRbSId1nWb6u0Q4DL7np8891J3clnVyj30gaRDcT/2DZ2GxEYnWtXUwG8eF2BX
ngVHi/jvPS73ROvWj1H+9QKUmO/2q0lt06uo+ifX+S8rYy2LIBhGiLp2HxVqIi0+
LeEVo/ucrhyzkO2EXD44J7pipoXgFwVjxmgs/JUgdDhOpdcA0wEwcfb7+YT8X7Gl
HJJ12OMHAhiMle/0HyTQt4vTYI4ldaLi0SIdqQTPvKrpRYAV7H6FKCq85B4hjrts
j9zTb8OoCoGFAROcHauvC3s2i2dkf4Yin0oqiV5ep7yXHrjVI65BYey6UIuVs1wK
xXffADwGQ2F0LyH4K2ZpLtAK/RTkvf/ifbnrhJDje/pI8KfIQIM2EVUFIt6braUw
5NOlDN6/arlhfI0Gt3J/UBCQwZMESlFavMuoWMUVm+27+LRvIdsv7QIfw7CbunPC
9J0MigrLODqZOLjEnGfGy9G/MfMsok1xYWJZnIRT3aalNCaCtvNgc9XVz9JiEAqv
MmnbUqpbRrzStWbyqVSPQ3qe+ORO6pl35g7mXD/1Rj6Nhu05SKg=
=3yzf
-----END PGP SIGNATURE-----
pgpTzyygvfyCC.pgp
Description: PGP signature
--- End Message ---
