Thursday, January 07, 2010

Dear lazyweb and SELinux gurus...

UPDATE: The below errors started yesterday after I installed updated packages for selinux-policy and selinux-policy-targeted on RHEL 5.4. I'm pretty confident these updates broke something with Postfix. Anyone else running RHEL see this?

If anyone has ever seen this postfix error before, I could use some help on fixing it:

One of my mailservers running postfix has suddenly stopped sending mail and has been generating the following errors:

Jan 7 12:03:08 postfix/sendmail[3560]: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
Jan 7 12:03:08 postfix/sendmail[3560]: fatal: root(0): unable to execute /usr/sbin/postdrop -r: Success
Jan 7 12:10:19 postfix/sendmail[3640]: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
Jan 7 12:10:19 postfix/sendmail[3640]: fatal: root(0): unable to execute /usr/sbin/postdrop -r: Success
Jan 7 12:20:04 postfix/sendmail[3675]: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
Jan 7 12:20:04 postfix/sendmail[3675]: fatal: root(0): unable to execute /usr/sbin/postdrop -r: Success
Jan 7 13:32:11 postfix/sendmail[3919]: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
Jan 7 13:32:11 postfix/sendmail[3919]: fatal: moonpup(500): unable to execute /usr/sbin/postdrop -r: Success

I believe it is an issue between postfix and selinux and think selinux somehow got corrupted. If I put selinux in permissive mode with a setenforce 0, I can send mail with no problem. As soon as I put selinux back into enforcing mode, I can no longer send mail and get the above errors. As an FYI, I installed sendmail and did a quick system-switch-mail to use it, and sendmail works fine. I switched back to postfix and it still fails.

Things I have tried to fix this problem that didn't work:

1) Stopped postfix, uninstalled and reinstalled.

2) Did a complete filesystem relabel with a touch /.autorelabel and reboot.

3) Did a restorecon -F -R on /etc/postfix, /var/spool/postfix and /usr/sbin/post*

Nothing above has worked, and I have no idea why postfix works with selinux disabled and fails with it on.

Thanks for any ideas!

4 comments:

zdzichuBG said...

Look into /var/log/audit/audit.log or "sealert" advisories for SELinux messages. Maybe some bool variable needs switching, like this one:
# getsebool -a | grep -i postf
allow_postfix_local_write_mail_spool --> on

Anonymous said...

I think this is related:

https://bugzilla.redhat.com/show_bug.cgi?id=553277

Some required access was silently denied by SELinux. I think the policy maintainer was assuming this access was caused by leaked file descriptors and was not required.

To fix it you would unload the rules that silently deny. In Fedora, "semodule -DB" unloads the "dontaudit" rules and "semodule -B" reloads the policy with the "dontaudit" rules included. In el5 this might not be implemented, so try instead:

semodule -b /usr/share/selinux/targeted/enableaudit.pp
semodule -b /usr/share/selinux/targeted/base.pp

This will reveal any AVC denials that you would normally not see.

Look for AVC denials where postfix_postdrop_t is denied reading/writing to sendmail's unix_stream_socket. Use that AVC denial to create a module with audit2allow to allow it. (man audit2allow)

echo "< put the avc denial line here >" | audit2allow -M mypostfix; sudo semodule -i mypostfix.pp

Beware to not allow any other stuff though. Some things are "silently denied" on purpose.
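
As an added example (not from the post or from any of its commenters), here is a small Python filter over constructed audit.log records that keeps only the denial described above, postfix_postdrop_t reading/writing a unix_stream_socket, and leaves every other denial out of the audit2allow input. The sample records, the unconfined_t target context and the function names are assumptions.

```python
import re

# Constructed sample audit.log records (not from the post): one denial that
# matches the case described, one unrelated httpd denial that must not be
# allowed, and one non-AVC record that the parser has to skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1262882588.123:4567): avc:  denied  { read write } for  pid=3561 comm="postdrop" path="socket:[12345]" dev=sockfs ino=12345 scontext=root:system_r:postfix_postdrop_t:s0 tcontext=root:system_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1262882600.456:4570): avc:  denied  { write } for  pid=3700 comm="httpd" name="index.html" dev=dm-0 ino=98765 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1262882588.123:4567): arch=c000003e syscall=1 success=no exit=-13 pid=3561 comm="postdrop" exe="/usr/sbin/postdrop"
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for .*?'
    r'comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)\s+'
    r'tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc_denials(log_text):
    """Return one dict per AVC denial record; other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = d["perms"].split()
        d["stype"] = d["scontext"].split(":")[2]   # e.g. postfix_postdrop_t
        d["ttype"] = d["tcontext"].split(":")[2]   # type of the socket's owner
        d["raw"] = line
        denials.append(d)
    return denials

def select_postdrop_socket_denials(denials):
    """Keep only the denial the comment describes: postfix_postdrop_t reading
    or writing a unix_stream_socket. Anything else stays out of the module,
    because some denials are dontaudit'ed on purpose."""
    return [d for d in denials
            if d["stype"] == "postfix_postdrop_t"
            and d["tclass"] == "unix_stream_socket"
            and {"read", "write"} & set(d["perms"])]

def audit2allow_input(denials):
    """The raw AVC lines to pipe into `audit2allow -M mypostfix`."""
    return "\n".join(d["raw"] for d in denials)

if __name__ == "__main__":
    print(audit2allow_input(select_postdrop_socket_denials(parse_avc_denials(SAMPLE_AUDIT_LOG))))
```

On a real system, replace SAMPLE_AUDIT_LOG with the contents of /var/log/audit/audit.log captured after the dontaudit rules were unloaded, and review the printed lines before feeding them to audit2allow.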

moonpup said...

Thanks for the tips. Looks like updated packages for selinux-policy and selinux-policy-targeted will be released soon.

Saint Aardvark said...

Thanks for this entry, moonpup, and thanks for the bug entry, Anon!