Postfix with home dirs on GPFS
by Luke Sudbery
Hello,
With home directories on IBM Spectrum Scale and SELinux enabled, Postfix is unable to deliver locally. This is using RHELS8.3.
Postfix logs:
May 27 10:23:20 host-name postfix/local[1245962]: A1219F9E: to=<username@host-name.localdomain>, orig_to=<username>, relay=local, delay=0.03, delays=0.01/0.01/0/0.01, dsn=5.2.0, status=bounced (cannot update mailbox /gpfs-fs/homes/u/username/Mailbox for user username. unable to create lock file /gpfs-fs/homes/u/username/Mailbox.lock: Permission denied)
Although the actual problem is that it can't/doesn't read ~/.forward to know where to really send the mail.
SELinux audit logs show:
type=AVC msg=audit(1622111726.610:10854499): avc: denied { search } for pid=1315267 comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1622111726.610:10854499): arch=c000003e syscall=6 success=no exit=-13 a0=561f9a316390 a1=7ffdc7e109c0 a2=7ffdc7e109c0 a3=0 items=0 ppid=3375 pid=1315267 auid=4294967295 uid=0 gid=0 euid=606178 suid=0 fsuid=606178 egid=100 sgid=0 fsgid=100 tty=(none) ses=4294967295 comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null) ARCH=x86_64 SYSCALL=lstat AUID="unset" UID="root" GID="root" EUID="username" SUID="root" FSUID="username" EGID="users" SGID="root" FSGID="users"
type=AVC msg=audit(1622111726.611:10854500): avc: denied { search } for pid=1315267 comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1622111726.611:10854500): arch=c000003e syscall=4 success=no exit=-13 a0=561f9a3165c0 a1=7ffdc7e109c0 a2=7ffdc7e109c0 a3=0 items=0 ppid=3375 pid=1315267 auid=4294967295 uid=0 gid=0 euid=606178 suid=0 fsuid=606178 egid=100 sgid=0 fsgid=100 tty=(none) ses=4294967295 comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null) ARCH=x86_64 SYSCALL=stat AUID="unset" UID="root" GID="root" EUID="username" SUID="root" FSUID="username" EGID="users" SGID="root" FSGID="users"
type=AVC msg=audit(1622111726.611:10854501): avc: denied { search } for pid=1315267 comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1622111726.611:10854501): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=561f9a316600 a2=c1 a3=0 items=0 ppid=3375 pid=1315267 auid=4294967295 uid=0 gid=0 euid=606178 suid=0 fsuid=606178 egid=100 sgid=0 fsgid=100 tty=(none) ses=4294967295 comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null) ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="username" SUID="root" FSUID="username" EGID="users" SGID="root" FSGID="users"
audit2allow shows:
[root@host-name audit]# audit2allow -w -a
type=AVC msg=audit(1622111726.610:10854499): avc: denied { search } for pid=1315267 comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1622111726.611:10854500): avc: denied { search } for pid=1315267 comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1622111726.611:10854501): avc: denied { search } for pid=1315267 comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
[root@host-name audit]# audit2allow -a
#============= postfix_local_t ==============
allow postfix_local_t unlabeled_t:dir search;
[root@host-name audit]#
Creating a module using these rules fixes the problem.
I've also tested creating a user with a home directory with GPFS stopped, and using the same path that a GPFS user would have. This worked without any SELinux changes, and implies this is a problem with home dirs on GPFS, rather than just the path itself.
Should this be reported as an SELinux bug?
Many thanks,
Luke
--
Luke Sudbery
Architecture, Infrastructure and Systems
Advanced Research Computing, IT Services
Room 132, Computer Centre G5, Elms Road
Please note I don't work on Monday.
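As an added example (not code from the post, and not the audit2allow tool itself), the following script reproduces the step the post relies on: it reads AVC records out of an audit log, ignores the interleaved SYSCALL records, groups denials by source type, target type and object class, unions the permissions, and renders a loadable policy module source (.te) in the shape `audit2allow -M` produces. The three AVC lines are the ones from the post; the two file denials on `.forward`, the inode numbers in them and the module name `postfix_gpfs_home` are constructed here to show two single-permission denials being merged into one rule.

```python
"""Turn SELinux AVC denials into a minimal type-enforcement policy module.

Added example: mimics the grouping audit2allow does for simple denials.
"""
import re
from collections import defaultdict

# Fields of an AVC record that decide the allow rule. A security context is
# user:role:type[:range]; only the type field matters for TE rules.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return None for non-AVC records (SYSCALL etc.)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (
        selinux_type(m.group("scontext")),
        selinux_type(m.group("tcontext")),
        m.group("tclass"),
        frozenset(m.group("perms").split()),
    )


def collect_rules(lines):
    """Group denials by (source type, target type, class), unioning permissions."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is not None:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def format_perms(perms):
    """Render a permission set in policy syntax: `search` or `{ open read }`."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(rules):
    """One `allow` statement per (source, target, class) group, sorted."""
    return [f"allow {s} {t}:{c} {format_perms(p)};"
            for (s, t, c), p in sorted(rules.items())]


def build_module(name, rules):
    """Render a .te policy module: header, require block, allow rules."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, c), p in rules.items():
        classes[c] |= p
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {format_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += allow_rules(rules)
    return "\n".join(out) + "\n"


# Sample input. The three AVC records and the (abbreviated) SYSCALL record are
# from the post; the two `.forward` file denials are CONSTRUCTED for this example.
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1622111726.610:10854499): avc: denied { search } for pid=1315267 comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0',
    'type=SYSCALL msg=audit(1622111726.610:10854499): arch=c000003e syscall=6 success=no exit=-13 comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null)',
    'type=AVC msg=audit(1622111726.611:10854500): avc: denied { search } for pid=1315267 comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1622111726.611:10854501): avc: denied { search } for pid=1315267 comm="local" name="/" dev="gpfs" ino=3 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0',
    # constructed:
    'type=AVC msg=audit(1622111800.000:10854600): avc: denied { read } for pid=1315300 comm="local" name=".forward" dev="gpfs" ino=4242 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1622111800.000:10854601): avc: denied { open } for pid=1315300 comm="local" path="/gpfs-fs/homes/u/username/.forward" dev="gpfs" ino=4242 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0',
]

if __name__ == "__main__":
    print(build_module("postfix_gpfs_home", collect_rules(SAMPLE_AUDIT_LOG)))
```

The rendered .te file is what you would compile and load with `checkmodule -M -m -o postfix_gpfs_home.mod postfix_gpfs_home.te`, `semodule_package -o postfix_gpfs_home.pp -m postfix_gpfs_home.mod` and `semodule -i postfix_gpfs_home.pp`, which is the same pipeline `audit2allow -M` drives. Note what the generated rule grants: `unlabeled_t` is the type of every object on any filesystem SELinux cannot label, not just this GPFS mount, so `allow postfix_local_t unlabeled_t:dir search` is wider than the one directory tree it was written for. Where a filesystem or mount supports it, giving the mount a real label (for example a `context=` mount option) so the stock postfix policy for user home directories applies is the narrower fix; the post does not say whether that is available for GPFS.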