• Bug
    • Resolution: Done-Errata
    • Normal
    • rhel-9.5
    • rhel-8.9.0, rhel-9.3.0
    • selinux-policy
    • None
    • selinux-policy-38.1.36-1.el9
    • None
    • Moderate
    • rhel-sst-security-selinux
    • ssg_security
    • 10
    • None
    • QE ack
    • False
    • Yes
    • Red Hat Enterprise Linux
    • None
    • The qmgr process is able to write to the /var/spool/postfix/bounce directory and delete files located there.
    • Pass
    • None
    • Bug Fix
    • Cause (the user action or circumstances that trigger the bug):
      SELinux policy does not allow the postfix qmgr process to delete files in the bounce directory.
      Consequence (what the user experience is when the bug occurs):
      postfix-qmgr reports an AVC denial on attempts to delete such files.
      Fix (what has changed to fix the bug; do not include overly technical details):
      SELinux policy contains the rules to allow the postfix qmgr process to delete files in the bounce directory.
      Result (what happens now that the patch is applied):
      No AVC denial is reported by postfix-qmgr.
    • Proposed
    • All
    • None

      What were you trying to do that didn't work?

      A customer sees the following AVC when qmgr is trying to delete mails in the /var/spool/postfix/bounce/ directory:

      time->Fri Mar 22 13:56:39 2024
      ... type=PROCTITLE msg=...: proctitle=716D6772002D6C002D7400756E6978002D75
      ... type=PATH msg=...: item=1 name="bounce/E40A741281B" ... obj=system_u:object_r:postfix_spool_bounce_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      ... type=PATH msg=...: item=0 name="bounce/" ... obj=system_u:object_r:postfix_spool_bounce_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      ... type=CWD msg=...: cwd="/var/spool/postfix"
      ... type=SYSCALL msg=...: arch=c000003e syscall=87 success=no exit=-13 ... comm="qmgr" exe="/usr/libexec/postfix/qmgr" subj=system_u:system_r:postfix_qmgr_t:s0 key=(null)
      ... type=AVC msg=...: avc:  denied  { write } for  pid=2012444 comm="qmgr" name="bounce" ... scontext=system_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_bounce_t:s0 tclass=dir permissive=0
      

      Through collecting a coredump at the time the issue happened, I could confirm that this is legit code: qmgr can sometimes delete files, hence must have the necessary rules:

      (gdb) bt
      #0  0x00007f9be35b06ab in unlink () at ../sysdeps/unix/syscall-template.S:78
      #1  0x00007f9be35fac3d in __GI_remove (file=0x557a72b519e0 "bounce/E40A741281B") at ../sysdeps/posix/remove.c:33
      #2  0x00007f9be7370ee5 in REMOVE (path=0x557a72b519e0 "bounce/E40A741281B") at remove.c:59
      #3  0x00007f9be7368c21 in mail_queue_remove (queue_name=queue_name@entry=0x557a712909ad "bounce", 
          queue_id=<optimized out>) at mail_queue.c:276
      #4  0x0000557a71288baf in qmgr_active_done (message=0x557a72b5e9e0) at qmgr_active.c:299
      #5  0x0000557a71288de4 in qmgr_active_feed (scan_info=0x557a72b52140, queue_id=0x557a72b54cd3 "E40A741281B")
          at qmgr_active.c:262
      #6  0x0000557a712882c7 in qmgr_loop (unused_name=<optimized out>, unused_argv=<optimized out>) at qmgr.c:645
      #7  0x00007f9be75983d8 in trigger_server_main (argc=<optimized out>, argv=<optimized out>, 
          service=0x557a71288410 <qmgr_trigger_event>) at trigger_server.c:805
      #8  0x0000557a71287f8e in main (argc=5, argv=0x7ffd2ee9c508) at ../../include/mail_server.h:96
      (gdb)
      

      Related source code:

      175 /* qmgr_active_feed - feed one message into active queue */
      176 
      177 int     qmgr_active_feed(QMGR_SCAN *scan_info, const char *queue_id)
      178 {
       :
      257         /*
      258          * Special case if all recipients were already delivered. Send any
      259          * bounces and clean up.
      260          */
      261         if (message->refcount == 0)
      262             qmgr_active_done(message);
      263         return (1);
      264     }
      265 }
      
      267 /* qmgr_active_done - dispose of message after recipients have been tried */
      268 
      269 void    qmgr_active_done(QMGR_MESSAGE *message)
      270 {
       :
      277     /*
      278      * During a previous iteration, an attempt to bounce this message may
      279      * have failed, so there may still be a bounce log lying around. XXX By
      280      * groping around in the bounce queue, we're trespassing on the bounce
      281      * service's territory. But doing so is more robust than depending on the
      282      * bounce daemon to do the lookup for us, and for us to do the deleting
      283      * after we have received a successful status from the bounce service.
      284      * The bounce queue directory blocks are most likely in memory anyway. If
      285      * these lookups become a performance problem we will have to build an
      286      * in-core cache into the bounce daemon.
      287      * 
      288      * Don't bounce when the bounce log is empty. The bounce process obviously
      289      * failed, and the delivery agent will have requested that the message be
      290      * deferred.
      291      * 
      292      * Bounces are sent asynchronously to avoid stalling while the cleanup
      293      * daemon waits for the qmgr to accept the "new mail" trigger.
      294      * 
      295      * See also code in cleanup_bounce.c.
      296      */
      297     if (stat(mail_queue_path((VSTRING *) 0, MAIL_QUEUE_BOUNCE, message->queue_id), &st) == 0) {
      298         if (st.st_size == 0) {
      299             if (mail_queue_remove(MAIL_QUEUE_BOUNCE, message->queue_id))
      300                 msg_fatal("remove %s %s: %m",
      301                           MAIL_QUEUE_BOUNCE, message->queue_id);
       :
      

      Please provide the package NVR for which bug is seen:

      selinux-policy on RHEL8, 9 and Rawhide

      How reproducible:

      Always on customer system, didn't try to reproduce locally.
      What you need is bouncing emails which then get eventually delivered.

      Expected results

      No AVC

      Actual results

      AVC above
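
      The audit event quoted in this report can be triaged mechanically. The following is an added example, not part of the original report or of selinux-policy: it decodes the hex proctitle, names the failing syscall, and derives the rule that the single logged denial corresponds to. The `triage` helper and its output keys are hypothetical names, and the record text is the report's own with the elided and `cap_*` fields dropped.

```python
import errno
import re

# Records from the report; "..." elisions and cap_* fields dropped for brevity.
EVENT = """\
type=PROCTITLE msg=...: proctitle=716D6772002D6C002D7400756E6978002D75
type=PATH msg=...: item=1 name="bounce/E40A741281B" obj=system_u:object_r:postfix_spool_bounce_t:s0 nametype=DELETE
type=PATH msg=...: item=0 name="bounce/" obj=system_u:object_r:postfix_spool_bounce_t:s0 nametype=PARENT
type=SYSCALL msg=...: arch=c000003e syscall=87 success=no exit=-13 comm="qmgr" exe="/usr/libexec/postfix/qmgr" subj=system_u:system_r:postfix_qmgr_t:s0
type=AVC msg=...: avc:  denied  { write } for  pid=2012444 comm="qmgr" name="bounce" scontext=system_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_bounce_t:s0 tclass=dir permissive=0
"""

# arch=c000003e is x86_64; only the syscall number seen in this event is mapped.
X86_64_SYSCALLS = {87: "unlink"}

def fields(line):
    """Return the key=value pairs of one audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def setype(context):
    """Extract the type from a user:role:type:level security context."""
    return context.split(":")[2]

def triage(event):
    recs = {}
    for line in event.splitlines():
        f = fields(line)
        recs.setdefault(f["type"], []).append((f, line))
    avc, avc_line = recs["AVC"][0]
    sc = recs["SYSCALL"][0][0]
    perms = re.search(r"\{([^}]*)\}", avc_line).group(1).split()
    # proctitle is hex-encoded argv with NUL separators between arguments.
    argv = bytes.fromhex(recs["PROCTITLE"][0][0]["proctitle"]).split(b"\0")
    return {
        "cmdline": " ".join(a.decode() for a in argv),
        "syscall": X86_64_SYSCALLS.get(int(sc["syscall"]), sc["syscall"]),
        "error": errno.errorcode[-int(sc["exit"])],
        "deleted": [f["name"] for f, _ in recs.get("PATH", [])
                    if f.get("nametype") == "DELETE"],
        "rule": "allow %s %s:%s { %s };" % (setype(avc["scontext"]),
                setype(avc["tcontext"]), avc["tclass"], " ".join(perms)),
        # permissive=0: the syscall stops at the first failed check, so the
        # later checks a delete needs (remove_name, unlink) are never logged.
        "first_denial_only": avc["permissive"] == "0",
    }

if __name__ == "__main__":
    for key, value in triage(EVENT).items():
        print(f"{key}: {value}")
```

      The derived rule covers only the `write` check that was logged; because the event was recorded in enforcing mode, a rule built from it alone would not be sufficient for the unlink to succeed.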

              rhn-support-zpytela Zdenek Pytela
              rhn-support-rmetrich Renaud Métrich
              Zdenek Pytela
              Milos Malik
              Jan Fiala