Manuel Wolfshant wrote:
On 02/17/2009 07:59 PM, Daniel J Walsh wrote:
> Manuel Wolfshant wrote:
>
>> Daniel J Walsh wrote:
>>
>>> Manuel Wolfshant wrote:
>>>
>>>
>>>> Daniel J Walsh wrote:
>>>>
>>>>> Manuel Wolfshant wrote:
>>>>>
>>>>>
>>>>>> hello
>>>>>>
>>>>>> I have migrated a working mailserver from Centos 4.7 to Centos
>>>>>> 5.2.
>>>>>> The system uses postfix to receive messages from a mail relay and
is
>>>>>> supposed to deliver them to folders named after the users,
>>>>>> following
>>>>>> the /home/firstname.lastname@domain template. Authentication is
>>>>>> done via
>>>>>> mysql against a db running on another system.
>>>>>> New accounts are created automatically when a mail has to be
>>>>>> delivered to an user which has never been seen before.
>>>>>> For the users which existed before migration, everything is
fine.
>>>>>> However, for non-existing (i.e. to be created) users the homedir
is
>>>>>> created with wrong contexts, which prohibit postfix to finalize
the
>>>>>> delivery. Once a message is received for a new user, the
>>>>>> following is
>>>>>> created:
>>>>>>
>>>>>> [root@imap2 ~]# ll -Zl /home/gigi.test\(a)nobugconsulting.ro/
-R
>>>>>> /home/gigi.test(a)nobugconsulting.ro/:
total
>>>>>> 8
drwx------ 2
>>>>>> root:object_r:home_root_t postfix postfix 4096 Feb 17
>>>>>> 01:05 tmp
>>>>>>
>>>>>> /home/gigi.test(a)nobugconsulting.ro/tmp:
>>>>>> total 4 -rw------- 1
>>>>>> root:object_r:home_root_t postfix postfix 0 Feb 17 01:05
>>>>>> 1234825528.P26797.imap2
>>>>>>
>>>>>> After that postfix tries to do stuff on the newly created file
>>>>>> and
>>>>>> selinux kicks in and denies access.
>>>>>> Running restorecon at this point fixes things:
>>>>>>
>>>>>> [root@imap2 ~]# restorecon -v -R
>>>>>> /home/gigi.test(a)nobugconsulting.ro
>>>>>> restorecon reset /home/gigi.test(a)nobugconsulting.ro context
>>>>>>
root:object_r:home_root_t:s0->user_u:object_r:user_home_dir_t:s0
>>>>>> restorecon reset /home/gigi.test(a)nobugconsulting.ro/tmp context
>>>>>> root:object_r:home_root_t:s0->user_u:object_r:user_home_t:s0
>>>>>> restorecon reset
>>>>>> /home/gigi.test(a)nobugconsulting.ro/tmp/1234825528.P26797.imap2
>>>>>> context
>>>>>> root:object_r:home_root_t:s0->user_u:object_r:user_home_t:s0
>>>>>>
>>>>>>
>>>>>>
>>>>>> I am running the following versions of packages:
>>>>>>
>>>>>> [root@imap2 ~]# rpm -qa kernel\* \*selinux\* postfix\*
>>>>>> kernel-xen-2.6.18-92.1.22.el5
>>>>>> libselinux-utils-1.33.4-5.1.el5
>>>>>> selinux-policy-targeted-2.4.6-203.el5
>>>>>> libselinux-1.33.4-5.1.el5
>>>>>> libselinux-python-1.33.4-5.1.el5
>>>>>> selinux-policy-2.4.6-203.el5
>>>>>> postfix-2.3.3-2.1.centos.mysql_pgsql
>>>>>>
>>>>>> Selinux related packages have been upgraded last night in the
>>>>>> hope to
>>>>>> fix the problem, postfix is almost stock centosplus 5.2,
recompiled
>>>>>> with
>>>>>> support for mysql but without postgresql- support.
>>>>>>
>>>>>> Obviously I no not want to follow the result of audit2allow,
>>>>>> home_root_t:dir should not be there in the first place:
>>>>>> [root@imap2 ~]# grep avc /var/log/audit/audit.log|audit2allow
>>>>>>
>>>>>> #============= postfix_virtual_t ==============
>>>>>> allow postfix_virtual_t home_root_t:dir { write remove_name
create
>>>>>> add_name };
>>>>>> allow postfix_virtual_t home_root_t:file { write create unlink
link
>>>>>> getattr };
>>>>>> allow postfix_virtual_t postfix_private_t:dir search;
>>>>>> allow postfix_virtual_t postfix_private_t:sock_file write;
>>>>>> allow postfix_virtual_t usr_t:file { read getattr };
>>>>>>
>>>>>> Correct access rights and contexts seem to be:
>>>>>> [root@imap2 ~]# ls -l /home/ -dZ
>>>>>> drwxr-xr-x+ postfix postfix system_u:object_r:home_root_t
/home/
>>>>>> [root@imap2 ~]# ls -l /home/gigi.test\(a)nobugconsulting.ro/ -dZ
>>>>>> drwx------ postfix postfix user_u:object_r:user_home_dir_t
>>>>>> /home/gigi.test(a)nobugconsulting.ro/
>>>>>>
>>>>>> The only user on the system (beside root) is postfix:
>>>>>> [root@imap2 ~]# getent passwd postfix
>>>>>> postfix:x:89:89::/var/spool/postfix:/sbin/nologin
>>>>>>
>>>>>> [...]
>>>>>>
>>>>>> My questions are
>>>>>> a) why does postfix create the initial home directories with a
wrong
>>>>>> context ? Note this only happens for NEW users, messages for the
>>>>>> users
>>>>>> which already existed [and have correct context] on the old
>>>>>> system are
>>>>>> perfectly fine.
>>>>>>
>>>>> Does postfix actually create the homedir or was the homedir
>>>>> created by
>>>>> an init script? postfix does not know anything about SELinux but
>>>>> there
>>>>> are rules about processes running as postfix_t creating files in
>>>>> user_home_dir_t directories. In your case it seems that the
>>>>> directory
>>>>> was labeled home_root_t, which is where the problem is.
>>>>>
>>>>>
>>>> /home exists; everything below it is created (and should be created
>>>> with correct contexts) by postfix in real time
>>>>
>>>>
>>> Why is postfix creating a homedir?
>>>
>> Because that's where all the virtual users have their mails.
>>
>>
>>
>>> I have never seen this before.
>>> That is where the problem is, selinux policy does not allow postfix to
>>> create directories under /home (home_root_t), so it is being blocked.
>>>
>>>
>> I am sorry, I do not remember from which site was the setup taken. 4
>> years or so since I installed it the first time in Centos 4.2, but if I
>> am not mistaken it's an almost exact replica of the setup suggested by
>> postfixadmin
>>
>>
>
> So postfix_virtual creates the homedir just to put a file in it and then
> send it somewhere else?
>
> If this is standard I can allow it, although it seems pretty strange.
>
To be honest, I am not 100% sure how standard that is, although I am
pretty sure that delivering to home dirs is not uncommon. Fact is that
(in my case) postfix is the only user on the box and owns all the
directories created below /home. Technically I presume that the whole
structure could be moved anywhere else, but 4 years ago /home seemed a
logical place, even if all users are virtual and defined in mysql.
Basically when doing a deliver, postfix uses maildirmake to create the
top-level directory assigned to any specific user, leading to a tree
like this:
/home
/home/specific.user
/home/specific.user/cur (cur stands for current)
/home/specific.user/tmp
/home/specific.user/new
The structure gets created when the very first message for a user is
received.
As far as I have understood (it always "just worked" so I never did
in-depth digging), messages are first created in /home/specific.user/tmp
and after that copied to the final delivery place i.e.
/home/specific.user/new. Once the user reads the message (via an imap /
pop daemon), the message is transferred to /home/specific.user/cur (or
to other folders, created via the IMAP daemon, but all of them placed
below /home/specific.user)
This looks like standard delivery to maildir operation, with the
addition of having the mailboxes in virtual user home directories under
/home that are auto-created when necessary.
Given that there are no other users on the system, I wonder if
everything would work smoothly if you made /home and everything
underneath it mail_spool_t ?
Paul.