View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000548 | AlmaLinux-9 | selinux-policy | public | 2025-07-17 14:30 | 2025-07-17 14:30 |
| Reporter | davispuh | Assigned To | | | |
| Priority | high | Severity | major | Reproducibility | always |
| Status | new | Resolution | open | | |
| Summary | 0000548: Missing SELinux policy for Postfix /etc/aliases.lmdb | | | | |

Description

I'm using AlmaLinux 9 with Postfix 3.5.25 and using `/etc/aliases.lmdb` fails due to SELinux policy.

```
$ journalctl -u postfix
systemd[1]: Starting Postfix Mail Transport Agent...
aliasesdb[44880]: postalias: fatal: open database /etc/aliases.lmdb: Permission denied
postfix/postalias[44880]: fatal: open database /etc/aliases.lmdb: Permission denied
postfix/master[44957]: daemon started -- version 3.5.25, configuration /etc/postfix
systemd[1]: Started Postfix Mail Transport Agent.
postfix/submissions/smtpd[46867]: error: open database /etc/aliases.lmdb: Permission denied
postfix/local[3633]: error: open database /etc/aliases.lmdb: Permission denied
postfix/local[3633]: warning: lmdb:/etc/aliases is unavailable. open database /etc/aliases.lmdb: Permission denied
postfix/local[3633]: warning: lmdb:/etc/aliases: lookup of 'postmaster' failed
```

```
$ ausearch -m avc
----
time->Wed Jul 16 20:50:28 2025
type=PROCTITLE msg=audit(1752699028.246:7424): proctitle=706F7374616C696173006C6D6462002F6574632F616C6961736573
type=SYSCALL msg=audit(1752699028.246:7424): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000000 a2=1 a3=1 items=0 ppid=44878 pid=44880 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="postalias" exe="/usr/sbin/postalias" subj=system_u:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1752699028.246:7424): avc: denied { map } for pid=44880 comm="postalias" path="/etc/aliases.lmdb" dev="sda4" ino=16908666 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:etc_aliases_t:s0 tclass=file permissive=0
----
time->Wed Jul 16 20:52:47 2025
type=PROCTITLE msg=audit(1752699167.152:7430): proctitle=736D747064002D6E00343635002D7400696E6574002D75002D6F007374726573733D002D730033002D6F007379736C6F675F6E616D653D706F73746669782F7375626D697373696F6E73002D6F00736D7470645F746C735F777261707065726D6F64653D796573002D6F00736D7470645F746C735F73656375726974795F6C65
type=SYSCALL msg=audit(1752699167.152:7430): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000000 a2=1 a3=1 items=0 ppid=44957 pid=46867 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1752699167.152:7430): avc: denied { map } for pid=46867 comm="smtpd" path="/etc/aliases.lmdb" dev="sda4" ino=16908666 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:etc_aliases_t:s0 tclass=file permissive=0
----
time->Thu Jul 17 12:52:41 2025
type=PROCTITLE msg=audit(1752756761.324:246): proctitle=6C6F63616C002D7400756E6978
type=SYSCALL msg=audit(1752756761.324:246): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000000 a2=1 a3=1 items=0 ppid=1049 pid=3361 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null)
type=AVC msg=audit(1752756761.324:246): avc: denied { map } for pid=3361 comm="local" path="/etc/aliases.lmdb" dev="sda4" ino=16908666 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file permissive=0
----
```

Steps To Reproduce

`/etc/postfix/main.cf`

```
default_database_type = lmdb
alias_maps = lmdb:/etc/aliases
alias_database = $alias_maps
```

```
$ postalias /etc/aliases
$ chcon --reference=/etc/aliases /etc/aliases.lmdb
$ ls -Z /etc/aliases.lmdb
system_u:object_r:etc_aliases_t:s0 /etc/aliases.lmdb
```

Additional Information

This should be fixed with selinux-policy v40.19, see https://github.com/fedora-selinux/selinux-policy/commit/bb522ec1866cf190d74c5b1de6bafc963665e025 and https://github.com/fedora-selinux/selinux-policy/commit/0ed7e9a797ca5be979a5b0b3e626efd775004851

But latest selinux-policy on AlmaLinux 9 is v38.1.53

PS. Postfix removed support for Berkeley DB (`.db`) in 3.9.0

Tags

No tags attached.

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2025-07-17 14:30 | davispuh | New Issue |
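
A triage aid for the audit records in the report above, as an added example that is not part of the original report: it decodes the hex `proctitle` fields and groups the AVC denials by source type, target type and class, written as the type-enforcement rule each denial corresponds to. The function names are hypothetical; the sample records are copied from the `ausearch` output above with the SYSCALL lines left out.

```python
import re
from collections import defaultdict

# Two of the three events from the report's ausearch output (SYSCALL records left out).
SAMPLE = """\
type=PROCTITLE msg=audit(1752699028.246:7424): proctitle=706F7374616C696173006C6D6462002F6574632F616C6961736573
type=AVC msg=audit(1752699028.246:7424): avc: denied { map } for pid=44880 comm="postalias" path="/etc/aliases.lmdb" dev="sda4" ino=16908666 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:etc_aliases_t:s0 tclass=file permissive=0
type=PROCTITLE msg=audit(1752756761.324:246): proctitle=6C6F63616C002D7400756E6978
type=AVC msg=audit(1752756761.324:246): avc: denied { map } for pid=3361 comm="local" path="/etc/aliases.lmdb" dev="sda4" ino=16908666 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file permissive=0
"""

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
PROCTITLE = re.compile(r'proctitle=(?:"([^"]*)"|([0-9A-Fa-f]+))')
AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")


def decode_proctitle(hex_str):
    """auditd hex-encodes argv because of its NUL separators; make it readable."""
    raw = bytes.fromhex(hex_str[: len(hex_str) // 2 * 2])  # tolerate a cut-off digit
    return raw.replace(b"\x00", b" ").decode("utf-8", "replace").strip()


def summarise(log):
    """Map (source type, target type, class) -> denied perms and the commands that hit them."""
    titles, denials = {}, []
    for line in log.splitlines():
        event = EVENT_ID.search(line)
        if not event:
            continue
        title, avc = PROCTITLE.search(line), AVC.search(line)
        if title:  # plain titles are logged quoted, others as hex
            hexed = title.group(2)
            titles[event.group(1)] = decode_proctitle(hexed) if hexed else title.group(1)
        if avc:
            denials.append((event.group(1), avc))
    out = defaultdict(lambda: {"perms": set(), "cmds": set()})
    for event_id, avc in denials:
        perms, scontext, tcontext, tclass = avc.groups()
        # A context is user:role:type:level; policy rules are written on the type field.
        key = (scontext.split(":")[2], tcontext.split(":")[2], tclass)
        out[key]["perms"].update(perms.split())
        out[key]["cmds"].add(titles.get(event_id, "?"))
    return dict(out)


def as_rules(summary):
    """Render each group as the type-enforcement rule the denial corresponds to."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(v['perms']))} }};"
                  for (s, t, c), v in summary.items())


if __name__ == "__main__":
    print("\n".join(as_rules(summarise(SAMPLE))))
```

Every group comes out as `map` on `etc_aliases_t:file`, which shows at a glance that the daemons are denied only the memory-mapping of the file, from several Postfix domains.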