oddity with postfix delivering to homedir

Paul Howarth paul at city-fan.org
Wed Feb 18 09:12:04 UTC 2009


Manuel Wolfshant wrote:
> On 02/17/2009 07:59 PM, Daniel J Walsh wrote:
>> Manuel Wolfshant wrote:
>>  
>>> Daniel J Walsh wrote:
>>>    
>>>> Manuel Wolfshant wrote:
>>>>  
>>>>      
>>>>> Daniel J Walsh wrote:
>>>>>           
>>>>>> Manuel Wolfshant wrote:
>>>>>>  
>>>>>>               
>>>>>>> hello
>>>>>>>
>>>>>>>    I have migrated a working mailserver from Centos 4.7 to Centos 
>>>>>>> 5.2.
>>>>>>> The system uses postfix to receive messages from a mail relay and is
>>>>>>> supposed to deliver them to  folders named after the users, 
>>>>>>> following
>>>>>>> the /home/firstname.lastname at domain template. Authentication is
>>>>>>> done via
>>>>>>> mysql against a db running on another system.
>>>>>>>    New accounts are created automatically when a mail has to be
>>>>>>> delivered to an user which has never been seen before.
>>>>>>>    For the users which existed before migration, everything is fine.
>>>>>>> However, for non-existing (i.e. to be created) users the homedir is
>>>>>>> created with wrong contexts, which prohibit postfix to finalize the
>>>>>>> delivery. Once a message is received for a new user, the 
>>>>>>> following is
>>>>>>> created:
>>>>>>>
>>>>>>>    [root at imap2 ~]# ll -Zl /home/gigi.test\@nobugconsulting.ro/ -R
>>>>>>> /home/gigi.test at nobugconsulting.ro/:                          total
>>>>>>> 8                                                       drwx------ 2
>>>>>>> root:object_r:home_root_t        postfix postfix 4096 Feb 17 
>>>>>>> 01:05 tmp
>>>>>>>
>>>>>>> /home/gigi.test at nobugconsulting.ro/tmp:
>>>>>>> total 4                               -rw------- 1
>>>>>>> root:object_r:home_root_t        postfix postfix 0 Feb 17 01:05
>>>>>>> 1234825528.P26797.imap2
>>>>>>>
>>>>>>>    After that postfix tries to do stuff on the newly created file 
>>>>>>> and
>>>>>>> selinux kicks in and denies access.
>>>>>>>    Running restorecon at this point fixes things:
>>>>>>>
>>>>>>>    [root at imap2 ~]# restorecon -v -R
>>>>>>> /home/gigi.test at nobugconsulting.ro                             
>>>>>>> restorecon reset /home/gigi.test at nobugconsulting.ro context
>>>>>>> root:object_r:home_root_t:s0->user_u:object_r:user_home_dir_t:s0
>>>>>>> restorecon reset /home/gigi.test at nobugconsulting.ro/tmp context
>>>>>>> root:object_r:home_root_t:s0->user_u:object_r:user_home_t:s0
>>>>>>> restorecon reset
>>>>>>> /home/gigi.test at nobugconsulting.ro/tmp/1234825528.P26797.imap2 
>>>>>>> context
>>>>>>> root:object_r:home_root_t:s0->user_u:object_r:user_home_t:s0                  
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>    I am running the following versions of packages:
>>>>>>>
>>>>>>> [root at imap2 ~]# rpm -qa kernel\* \*selinux\* postfix\*
>>>>>>> kernel-xen-2.6.18-92.1.22.el5
>>>>>>> libselinux-utils-1.33.4-5.1.el5
>>>>>>> selinux-policy-targeted-2.4.6-203.el5
>>>>>>> libselinux-1.33.4-5.1.el5
>>>>>>> libselinux-python-1.33.4-5.1.el5
>>>>>>> selinux-policy-2.4.6-203.el5
>>>>>>> postfix-2.3.3-2.1.centos.mysql_pgsql
>>>>>>>
>>>>>>>    Selinux related packages have been upgraded last night in the
>>>>>>> hope to
>>>>>>> fix the problem, postfix is almost stock centosplus 5.2, recompiled
>>>>>>> with
>>>>>>> support for mysql but without postgresql- support.
>>>>>>>
>>>>>>>    Obviously I no not want to follow the result of  audit2allow,
>>>>>>> home_root_t:dir should not be there in the first place:
>>>>>>> [root at imap2 ~]# grep avc /var/log/audit/audit.log|audit2allow
>>>>>>>
>>>>>>> #============= postfix_virtual_t ==============
>>>>>>> allow postfix_virtual_t home_root_t:dir { write remove_name create
>>>>>>> add_name };
>>>>>>> allow postfix_virtual_t home_root_t:file { write create unlink link
>>>>>>> getattr };
>>>>>>> allow postfix_virtual_t postfix_private_t:dir search;
>>>>>>> allow postfix_virtual_t postfix_private_t:sock_file write;
>>>>>>> allow postfix_virtual_t usr_t:file { read getattr };
>>>>>>>
>>>>>>>    Correct access rights and contexts seem to be:
>>>>>>> [root at imap2 ~]# ls -l /home/ -dZ
>>>>>>> drwxr-xr-x+ postfix postfix system_u:object_r:home_root_t    /home/
>>>>>>> [root at imap2 ~]# ls -l /home/gigi.test\@nobugconsulting.ro/ -dZ
>>>>>>> drwx------  postfix postfix user_u:object_r:user_home_dir_t
>>>>>>> /home/gigi.test at nobugconsulting.ro/
>>>>>>>
>>>>>>>    The only user on the system (beside root) is postfix:
>>>>>>> [root at imap2 ~]# getent passwd postfix
>>>>>>> postfix:x:89:89::/var/spool/postfix:/sbin/nologin
>>>>>>>
>>>>>>> [...]
>>>>>>>
>>>>>>>    My questions are
>>>>>>> a) why does postfix create the initial home directories with a wrong
>>>>>>> context ? Note this only happens for NEW users, messages for the 
>>>>>>> users
>>>>>>> which already existed [and have correct context] on the old 
>>>>>>> system are
>>>>>>> perfectly fine.
>>>>>>>                         
>>>>>> Does postfix actually create the homedir or was the homedir 
>>>>>> created by
>>>>>> an init script?  postfix does not know anything about SELinux but 
>>>>>> there
>>>>>> are rules about processes running as postfix_t creating files in
>>>>>> user_home_dir_t directories.  In your case it seems that the 
>>>>>> directory
>>>>>> was labeled home_root_t, which is where the problem is.
>>>>>>
>>>>>>                   
>>>>> /home exists;  everything below it is created (and should be created
>>>>> with correct contexts) by postfix in real time
>>>>>
>>>>>             
>>>> Why is postfix creating a homedir?
>>>>       
>>> Because that's where all the virtual users have their mails.
>>>
>>>
>>>    
>>>>    I have never seen this before.
>>>> That is where the problem is, selinux policy does not allow postfix to
>>>> create directories under /home (home_root_t), so it is being blocked.
>>>>
>>>>         
>>> I am sorry, I do not remember from which site was the setup taken. 4
>>> years or so since I installed it the first time in Centos 4.2, but if I
>>> am not mistaken it's an almost exact replica of the setup suggested by
>>> postfixadmin
>>>
>>>     
>>
>> So postfix_virtual creates the homedir just to put a file in it and then
>>  send  it somewhere else?
>>
>> If this is standard I can allow it, although it seems pretty strange.
>>   
> To be honest, I am not 100% sure how standard that is, although I am 
> pretty sure that delivering to home dirs is not uncommon. Fact is that 
> (in my case) postfix is the only user on the box and owns all the 
> directories created below /home. Technically I presume that the whole 
> structure could be moved anywhere else, but 4 years ago /home seemed a 
> logical place, even if all users are virtual and defined in mysql.
> Basically when doing a deliver, postfix uses maildirmake to create the 
> top-level directory assigned to any specific user, leading to a tree 
> like this:
>    /home
>    /home/specific.user
>    /home/specific.user/cur  (cur stands for current)
>    /home/specific.user/tmp
>    /home/specific.user/new
> The structure gets created when the very first message for a user is 
> received.
> As far as I have understood (it always "just worked" so I never did 
> in-depth digging), messages are first created in /home/specific.user/tmp 
> and after that copied to the final delivery place i.e. 
> /home/specific.user/new. Once the user reads the message (via an imap / 
> pop daemon), the message is transferred to /home/specific.user/cur (or 
> to other folders, created via the IMAP daemon, but all of them placed 
> below /home/specific.user)

This looks like standard delivery to maildir operation, with the 
addition of having the mailboxes in virtual user home directories under 
/home that are auto-created when necessary.

Given that there are no other users on the system, I wonder if 
everything would work smoothly if you made /home and everything 
underneath it mail_spool_t ?

Paul.




More information about the fedora-selinux-list mailing list