Package: selinux-policy-default
Version: 2:2.20140421-9
Severity: normal

Dear Maintainer,

postfix does not start when SELinux is set to enforcing:

root@debian8gi:~# se_apt-get install postfix
[...]
root@debian8gi:~# run_init systemctl start postfix
Authenticating root.
Password:
root@debian8gi:~# run_init systemctl status postfix
Authenticating root.
Password:
● postfix.service - LSB: Postfix Mail Transport Agent
   Loaded: loaded (/etc/init.d/postfix)
  Drop-In: /run/systemd/generator/postfix.service.d
           └─50-postfix-$mail-transport-agent.conf
   Active: active (exited) since Thu 2015-04-02 13:09:43 CEST; 8min ago
  Process: 2028 ExecStop=/etc/init.d/postfix stop (code=exited, status=0/SUCCESS)
  Process: 2040 ExecStart=/etc/init.d/postfix start (code=exited, status=0/SUCCESS)

Apr 02 13:09:43 debian8gi postfix[2040]: Starting Postfix Mail Transport Agent: postfix.
Apr 02 13:09:43 debian8gi postfix/master[2140]: fatal: open lock file pid/master.pid: cannot create file exclusively: Permission denied

The following AVC is logged:

type=AVC msg=audit(1427973050.472:88): avc: denied { net_admin } for pid=2144 comm="systemd-tty-ask" capability=12 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:systemd_passwd_agent_t:s0 tclass=capability permissive=0

It looks like the appropriate directory was not correctly labeled by default:

root@debian8gi:/etc/postfix# ls -ldZ /var/spool/postfix/pid/
drwxr-xr-x. 2 root root system_u:object_r:var_spool_t:SystemLow 4096 Apr 2 13:07 /var/spool/postfix/pid/
root@debian8gi:/etc/postfix# restorecon -v /var/spool/postfix/pid/
restorecon reset /var/spool/postfix/pid context system_u:object_r:var_spool_t:s0->system_u:object_r:var_run_t:s0
root@debian8gi:/etc/postfix# ls -ldZ /var/spool/postfix/pid/
drwxr-xr-x. 2 root root system_u:object_r:var_run_t:SystemLow 4096 Apr 2 13:07 /var/spool/postfix/pid/

Nevertheless, even after this adaptation the process still does not start up:

root@debian8gi:/etc/postfix# run_init systemctl start postfix
Authenticating root.
Password:
root@debian8gi:/etc/postfix# run_init systemctl status postfix
Authenticating root.
Password:
● postfix.service - LSB: Postfix Mail Transport Agent
   Loaded: loaded (/etc/init.d/postfix)
  Drop-In: /run/systemd/generator/postfix.service.d
           └─50-postfix-$mail-transport-agent.conf
   Active: active (exited) since Thu 2015-04-02 14:13:52 CEST; 3s ago
  Process: 3455 ExecStop=/etc/init.d/postfix stop (code=exited, status=0/SUCCESS)
  Process: 3468 ExecStart=/etc/init.d/postfix start (code=exited, status=0/SUCCESS)

Apr 02 14:13:52 debian8gi postfix[3468]: Starting Postfix Mail Transport Agent: postfix.
Apr 02 14:13:52 debian8gi postfix/master[3568]: fatal: bind: public/pickup: Permission denied

The AVC:

type=AVC msg=audit(1427976832.296:134): avc: denied { create } for pid=3568 comm="master" name="pickup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file permissive=0

Therefore it looks like a more general restorecon is needed:

root@debian8gi:/etc/postfix# restorecon -v -R /var/spool/postfix
restorecon reset /var/spool/postfix context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/deferred context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/maildrop context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/etc/hosts context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/services context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/localtime context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/nsswitch.conf context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/host.conf context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/etc/resolv.conf context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /var/spool/postfix/defer context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_maildrop_t:s0
restorecon reset /var/spool/postfix/flush context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_flush_t:s0
restorecon reset /var/spool/postfix/public context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_public_t:s0
restorecon reset /var/spool/postfix/active context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/corrupt context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/private context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_private_t:s0
restorecon reset /var/spool/postfix/saved context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/incoming context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_t:s0
restorecon reset /var/spool/postfix/bounce context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_spool_bounce_t:s0

After this it is possible to start postfix.

Kind regards
Andre

-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.8-3.1
ii  libselinux1      2.3-2
ii  libsepol1        2.3-2
ii  policycoreutils  2.3-1
ii  python           2.7.9-1
ii  selinux-utils    2.3-2

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.3-1
ii  setools      3.3.8-3.1

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
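
Added example, not part of the original report or of the selinux-policy package: a small triage script that pairs each AVC denial with the paths restorecon would relabel, to separate denials caused by wrong file labels from denials that need a policy review. The function names and the type-matching heuristic are assumptions of this example; the input lines are copied from the report above.

```python
import re

# Denials and restorecon lines copied from the report above.
AVC_LINES = [
    'type=AVC msg=audit(1427973050.472:88): avc: denied { net_admin } for pid=2144 comm="systemd-tty-ask" capability=12 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:systemd_passwd_agent_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(1427976832.296:134): avc: denied { create } for pid=3568 comm="master" name="pickup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=sock_file permissive=0',
]
RESTORECON_LINES = [
    "restorecon reset /var/spool/postfix/public context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_public_t:s0",
    "restorecon reset /var/spool/postfix/private context system_u:object_r:var_spool_t:s0->system_u:object_r:postfix_private_t:s0",
    "restorecon reset /var/spool/postfix/etc/hosts context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0",
]
FILE_CLASSES = {"file", "dir", "sock_file", "lnk_file", "fifo_file", "chr_file", "blk_file"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for (?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Output format of restorecon -v as shown in the report (policycoreutils 2.3).
RELABEL_RE = re.compile(r"^restorecon reset (?P<path>\S+) context (?P<old>\S+)->(?P<new>\S+)$")

def se_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial into a dict of its key=value fields plus 'perms'."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec

def triage(avc_lines, relabel_lines):
    """Pair each denial with paths whose current type equals the denied target type."""
    relabels = [m.groupdict() for m in map(RELABEL_RE.match, map(str.strip, relabel_lines)) if m]
    findings = []
    for rec in filter(None, map(parse_avc, avc_lines)):
        paths = []
        if rec["tclass"] in FILE_CLASSES:  # only file objects carry an on-disk label
            ttype = se_type(rec["tcontext"])
            paths = [r["path"] for r in relabels if se_type(r["old"]) == ttype]
        verdict = "relabel" if paths else "review-policy"
        findings.append((rec["comm"], rec["perms"], rec["tclass"], verdict, paths))
    return findings

if __name__ == "__main__":
    for finding in triage(AVC_LINES, RESTORECON_LINES):
        print(finding)
```

On a live system the second input would come from restorecon -n -v -R, which reports pending relabels without applying them.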