19.01.2025 18:37, Russell Coker wrote:
> Package: postfix
> Version: 3.9.1-10+b1
> Severity: normal
>
> The method of updating files in /var/spool/postfix/etc has changed from
> version 3.9.1-4 to 3.9.1-5 and the result is that /var/spool/postfix/etc
> from previous versions has the type etc_t and the new code runs the cp
> command as postfix_master_t which doesn't have permission to write to etc_t.

I know next to nothing about how selinux works.  I've seen several mentions
of selinux in postinst, which are also uncertain - apparently whoever added these
didn't know what's going on.

> The solution to this is "rm -rf /var/spool/postfix/etc" as part of the upgrade
> process, this means that the new /var/spool/postfix/etc dir will be created
> as type postfix_spool_t.

This is absolutely a no-go.  The problem is that due to wrong chroot usage,
people started using /var/spool/postfix/etc as the only storage of various
things.  For example, multiple HOWTOs on the net suggest to MOVE
/etc/sasl2 to /var/spool/postfix/etc/sasl2 and create a symlink in /etc.
By removing /var/spool/postfix/etc, I'll drop the whole user database together
with the secrets.  I know this is definitely wrong usage, but we have no
other.

> This doesn't require any other SE Linux specific changes, just rm that dir and
> everything else works.

Can you describe which change it was and why it caused issues?
And which change in selinux policy you did, and why?

I'd love to know how it all works because else I'm like a blind kitten,
doing something I've no idea about :)

Thanks,

/mjt