Postfix with home dirs on GPFS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello,

 

With home directories on IBM Spectrum Scale and selinux enabled, postfix is unable to deliver locally. This is using RHELS8.3.

 

Postfix logs:

 

May 27 10:23:20 host-name postfix/local[1245962]: A1219F9E: to=<username@host-name.localdomain>, orig_to=<username>, relay=local, delay=0.03, delays=0.01/0.01/0/0.01, dsn=5.2.0, status=bounced (cannot update mailbox /gpfs-fs/homes/u/username/Mailbox for user username. unable to create lock file /gpfs-fs/homes/u/username/Mailbox.lock: Permission denied)

 

Although the actual problem is that it can’t/doesn’t read ~/.forward to know where to really send the mail.

 

Selinux audit logs show:

 

type=AVC msg=audit(1622111726.610:10854499): avc:  denied  { search } for  pid=1315267 comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0

type=SYSCALL msg=audit(1622111726.610:10854499): arch=c000003e syscall=6 success=no exit=-13 a0=561f9a316390 a1=7ffdc7e109c0 a2=7ffdc7e109c0 a3=0 items=0 ppid=3375 pid=1315267 auid=4294967295 uid=0 gid=0 euid=606178 suid=0 fsuid=606178 egid=100 sgid=0 fsgid=100 tty=(none) ses=4294967295 comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null)ARCH=x86_64 SYSCALL=lstat AUID="unset" UID="root" GID="root" EUID="username" SUID="root" FSUID="username" EGID="users" SGID="root" FSGID="users"

type=AVC msg=audit(1622111726.611:10854500): avc:  denied  { search } for  pid=1315267 comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0

type=SYSCALL msg=audit(1622111726.611:10854500): arch=c000003e syscall=4 success=no exit=-13 a0=561f9a3165c0 a1=7ffdc7e109c0 a2=7ffdc7e109c0 a3=0 items=0 ppid=3375 pid=1315267 auid=4294967295 uid=0 gid=0 euid=606178 suid=0 fsuid=606178 egid=100 sgid=0 fsgid=100 tty=(none) ses=4294967295 comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null)ARCH=x86_64 SYSCALL=stat AUID="unset" UID="root" GID="root" EUID="username" SUID="root" FSUID="username" EGID="users" SGID="root" FSGID="users"

type=AVC msg=audit(1622111726.611:10854501): avc:  denied  { search } for  pid=1315267 comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0

type=SYSCALL msg=audit(1622111726.611:10854501): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=561f9a316600 a2=c1 a3=0 items=0 ppid=3375 pid=1315267 auid=4294967295 uid=0 gid=0 euid=606178 suid=0 fsuid=606178 egid=100 sgid=0 fsgid=100 tty=(none) ses=4294967295 comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="username" SUID="root" FSUID="username" EGID="users" SGID="root" FSGID="users"

 

audit2allow shows:

 

[root@host-name audit]# audit2allow -w -a

type=AVC msg=audit(1622111726.610:10854499): avc:  denied  { search } for  pid=1315267 comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0

        Was caused by:

                Missing type enforcement (TE) allow rule.

 

                You can use audit2allow to generate a loadable module to allow this access.

 

type=AVC msg=audit(1622111726.611:10854500): avc:  denied  { search } for  pid=1315267 comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0

        Was caused by:

                Missing type enforcement (TE) allow rule.

 

                You can use audit2allow to generate a loadable module to allow this access.

 

type=AVC msg=audit(1622111726.611:10854501): avc:  denied  { search } for  pid=1315267 comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0

        Was caused by:

                Missing type enforcement (TE) allow rule.

 

                You can use audit2allow to generate a loadable module to allow this access.

 

[root@host-name audit]# audit2allow -a

 

 

#============= postfix_local_t ==============

allow postfix_local_t unlabeled_t:dir search;

[root@host-name audit]#

 

Creating a module using these rules fixes the problem.

 

I’ve also tested creating a user with a home directory with GPFS stopped, and using the same path that a GPFS user would have. This worked without any selinux changes, and implies this is a problem with home dirs on GPFS, rather than just the path itself.

 

Should this be reported as a selinux bug?

 

Many thanks,

 

Luke

 

--

Luke Sudbery

Architecture, Infrastructure and Systems

Advanced Research Computing, IT Services

Room 132, Computer Centre G5, Elms Road

 

Please note I don’t work on Monday.

 

 

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux