Acknowledgement sent
to Russell Coker <[email protected]>:
New Bug report received and forwarded. Copy sent to Debian Postfix Team <[email protected]>.
(Sun, 19 Jan 2025 15:39:01 GMT)
Subject: postfix won't start on SE Linux systems after upgrade from <=3.9.1-4 to >=3.9.1-5
Date: Mon, 20 Jan 2025 02:37:34 +1100
Package: postfix
Version: 3.9.1-10+b1
Severity: normal
The method of updating files in /var/spool/postfix/etc has changed from
version 3.9.1-4 to 3.9.1-5 and the result is that /var/spool/postfix/etc
from previous versions has the type etc_t and the new code runs the cp
command as postfix_master_t which doesn't have permission to write to etc_t.
The solution to this is "rm -rf /var/spool/postfix/etc" as part of the upgrade
process; this means that the new /var/spool/postfix/etc dir will be created
as type postfix_spool_t.
This doesn't require any other SE Linux specific changes, just rm that dir and
everything else works.
-- System Information:
Debian Release: trixie/sid
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.9-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect
Versions of packages postfix depends on:
ii adduser 3.137
ii debconf [debconf-2.0] 1.5.89
ii init-system-helpers 1.68
ii libc6 2.40-5
ii libdb5.3t64 5.3.28+dfsg2-9
ii libicu72 72.1-6
ii libnsl2 1.3.0-3+b3
ii libsasl2-2 2.1.28+dfsg1-8+b1
ii libssl3t64 3.4.0-2
ii netbase 6.4
Versions of packages postfix recommends:
ii ca-certificates 20241223
ii python3 3.13.1-2
ii ssl-cert 1.1.3
Versions of packages postfix suggests:
ii bsd-mailx [mail-reader] 8.1.2-0.20220412cvs-1
ii geary [mail-reader] 46.0-5
ii kmail [mail-reader] 4:24.12.0-2
ii libsasl2-modules 2.1.28+dfsg1-8+b1
ii mailutils [mail-reader] 1:3.17-2+b4
ii mutt [mail-reader] 2.2.13-1
pn postfix-cdb <none>
pn postfix-doc <none>
pn postfix-ldap <none>
pn postfix-lmdb <none>
pn postfix-mongodb <none>
pn postfix-mta-sts-resolver <none>
pn postfix-mysql <none>
pn postfix-pcre <none>
pn postfix-pgsql <none>
pn postfix-sqlite <none>
ii procmail 3.24+really3.22-4
ii systemd-resolved [resolvconf] 257.2-2
ii thunderbird [mail-reader] 1:128.6.0esr-1
pn ufw <none>
-- Configuration Files:
/etc/init.d/postfix [Errno 13] Permission denied: '/etc/init.d/postfix'
/etc/network/if-down.d/postfix [Errno 13] Permission denied: '/etc/network/if-down.d/postfix'
/etc/network/if-up.d/postfix [Errno 13] Permission denied: '/etc/network/if-up.d/postfix'
/etc/postfix/main.cf.proto [Errno 13] Permission denied: '/etc/postfix/main.cf.proto'
/etc/postfix/master.cf.proto [Errno 13] Permission denied: '/etc/postfix/master.cf.proto'
/etc/postfix/postfix-files [Errno 13] Permission denied: '/etc/postfix/postfix-files'
/etc/ppp/ip-down.d/postfix [Errno 13] Permission denied: '/etc/ppp/ip-down.d/postfix'
/etc/ppp/ip-up.d/postfix [Errno 13] Permission denied: '/etc/ppp/ip-up.d/postfix'
/etc/rsyslog.d/postfix.conf [Errno 13] Permission denied: '/etc/rsyslog.d/postfix.conf'
-- debconf-show failed
Acknowledgement sent
to Russell Coker <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Postfix Team <[email protected]>.
(Sun, 19 Jan 2025 16:30:02 GMT)
To make this work properly I needed to make a change to SE Linux policy, so
when putting in that change please make it conflict with versions of
selinux-policy-default < 2:2.20250115-1
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
Acknowledgement sent
to Michael Tokarev <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian Postfix Team <[email protected]>.
(Mon, 20 Jan 2025 10:45:04 GMT)
Subject: Re: Bug#1093525: postfix won't start on SE Linux systems after upgrade from <=3.9.1-4 to >=3.9.1-5
Date: Mon, 20 Jan 2025 13:42:30 +0300
19.01.2025 18:37, Russell Coker wrote:
> Package: postfix
> Version: 3.9.1-10+b1
> Severity: normal
>
> The method of updating files in /var/spool/postfix/etc has changed from
> version 3.9.1-4 to 3.9.1-5 and the result is that /var/spool/postfix/etc
> from previous versions has the type etc_t and the new code runs the cp
> command as postfix_master_t which doesn't have permission to write to etc_t.
I know next to nothing about how selinux works. I've seen several mentions
of selinux in postinst, which are also uncertain; apparently whoever added these
didn't know what's going on.
> The solution to this is "rm -rf /var/spool/postfix/etc" as part of the upgrade
> process, this means that the new /var/spool/postfix/etc dir will be created
> as type postfix_spool_t.
This is absolutely a no-go. The problem is that due to wrong chroot usage,
people started using /var/spool/postfix/etc as the only storage of various
things. For example, multiple HOWTOs on the net suggest to MOVE
/etc/sasl2 to /var/spool/postfix/etc/sasl2 and create a symlink in /etc.
By removing /var/spool/postfix/etc, I'll drop the whole user database together
with the secrets. I know this is definitely wrong usage, but we have no
other.
> This doesn't require any other SE Linux specific changes, just rm that dir and
> everything else works.
Can you describe which change it was and why it caused issues?
And which change in selinux policy you did, and why?
I'd love to know how it all works because else I'm like a blind kitten,
doing something I've no idea about :)
Thanks,
/mjt
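As an added example (not code from the bug report or from the postfix package), a small POSIX sh helper covering both the reporter's diagnosis and the maintainer's objection: it reads the SELinux type that /var/spool/postfix/etc currently carries, distinguishes the stale etc_t label described above from the expected postfix_spool_t, and suggests relabelling in place rather than deleting the directory. It assumes restorecon is installed and that the installed policy's file context for that path maps to postfix_spool_t.

```shell
#!/bin/sh
# Added example: classify the SELinux label on /var/spool/postfix/etc.
# A context looks like system_u:object_r:etc_t:s0 (user:role:type:level);
# the bug is that postfix_master_t may not write to a dir of type etc_t.

# Print the type field (third colon-separated component) of a context.
selinux_type_of() {
    ctx=$1
    rest=${ctx#*:}          # drop the user component
    rest=${rest#*:}         # drop the role component
    printf '%s\n' "${rest%%:*}"
}

# Given one line of `ls -Zd DIR` output ("CONTEXT DIR"), print the type.
type_from_ls_z() {
    set -- $1               # word-split into CONTEXT and DIR
    selinux_type_of "$1"
}

# "ok"    -> postfix_spool_t, the label the new package layout expects
# "stale" -> etc_t, left over from <=3.9.1-4 (the failure in the report)
# "other" -> anything else; inspect by hand
classify_spool_etc() {
    case $(type_from_ls_z "$1") in
        postfix_spool_t) echo ok ;;
        etc_t)           echo stale ;;
        *)               echo other ;;
    esac
}

# Live check (needs an SELinux host; not run by the test). Relabelling with
# restorecon keeps whatever administrators stored under the directory, which
# is what the maintainer wants preserved. Assumption: the policy's file
# context for this path resolves to postfix_spool_t (verify with
# `matchpathcon /var/spool/postfix/etc` before relying on it).
check_live() {
    dir=/var/spool/postfix/etc
    [ -d "$dir" ] || { echo "$dir does not exist"; return 0; }
    line=$(ls -Zd "$dir") || return 1
    case $(classify_spool_etc "$line") in
        stale) echo "stale etc_t label on $dir; suggested: restorecon -Rv $dir" ;;
        ok)    echo "$dir is labelled postfix_spool_t" ;;
        *)     echo "unexpected label on $dir: $line" ;;
    esac
}
```

Run `check_live` as root on the affected host after the upgrade; the constructed `ls -Zd` lines in the functions' comments show the two labels the report contrasts.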