Used workarounds for /var to support Image mode

Resolves: RHEL-104882
This commit is contained in:
Jaroslav Škarvada 2026-07-01 21:12:46 +02:00
parent eedf72b6ee
commit 7f04ae1f77
3 changed files with 52 additions and 23 deletions


@ -11,12 +11,16 @@ PrivateTmp=true
CapabilityBoundingSet=~ CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE
ProtectSystem=true
PrivateDevices=true
ExecStartPre=-/usr/sbin/restorecon -R /var/spool/postfix/pid
ExecStartPre=-/usr/libexec/postfix/aliasesdb
ExecStartPre=-/usr/libexec/postfix/chroot-update
ExecStart=/usr/sbin/postfix start
ExecReload=/usr/sbin/postfix reload
ExecStop=/usr/sbin/postfix stop
ExecStartPre=!-/usr/sbin/restorecon -R /var/spool/postfix/pid
ExecStartPre=!-/usr/libexec/postfix/aliasesdb
ExecStartPre=!-/usr/libexec/postfix/chroot-update
ExecStart=!/usr/sbin/postfix start
ExecReload=!/usr/sbin/postfix reload
ExecStop=!/usr/sbin/postfix stop
User=postfix
Group=root
StateDirectory=postfix
StateDirectoryMode=0700
[Install]
WantedBy=multi-user.target
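Review bot: With the `!` prefix now on every ExecStartPre=, ExecStart=, ExecReload= and ExecStop= line, `User=postfix` and `Group=root` no longer apply to any executed command; their only remaining effect appears to be the owner and group that `StateDirectory=postfix` with `StateDirectoryMode=0700` assign to the state directory, which looks like the reason they were added. That interplay is not obvious from the unit and deserves a comment above `User=postfix`, e.g. `# User=/Group= only determine the owner of StateDirectory=; the '!' prefix keeps the Exec* commands running with full privileges`. It is also worth stating that `!` bypasses only User=/Group=/SupplementaryGroups=, so CapabilityBoundingSet=, ProtectSystem= and PrivateDevices= above still constrain the commands. The [Service] section these lines belong to starts before the hunk.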


@ -57,7 +57,7 @@
Name: postfix
Summary: Postfix Mail Transport Agent
Version: 3.8.5
Release: 10%{?dist}
Release: 11%{?dist}
Epoch: 2
URL: http://www.postfix.org
License: (IPL-1.0 OR EPL-2.0) AND GPL-2.0-or-later AND BSD-4-Clause-UC
@ -81,6 +81,7 @@ Source3: README-Postfix-SASL-RedHat.txt
Source4: postfix.aliasesdb
Source5: postfix-chroot-update
Source6: postfix.sysusers
Source7: postfix.tmpfiles
# Sources 50-99 are upstream [patch] contributions
@ -426,6 +427,9 @@ install -m 755 %{SOURCE5} %{buildroot}%{postfix_daemon_dir}/chroot-update
# systemd-sysusers
install -p -D -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/postfix.conf
# systemd-tmpfiles
install -p -D -m 0644 %{SOURCE7} %{buildroot}%{_tmpfilesdir}/postfix.conf
install -c auxiliary/rmail/rmail $RPM_BUILD_ROOT%{_bindir}/rmail.postfix
for i in active bounce corrupt defer deferred flush incoming private saved maildrop public pid saved trace; do
@ -642,6 +646,7 @@ fi
%config(noreplace) %{sasl_config_dir}/smtpd.conf
%endif
%config(noreplace) %{_sysconfdir}/pam.d/smtp.postfix
%{_tmpfilesdir}/postfix.conf
%{_unitdir}/postfix.service
# Documentation
@ -670,23 +675,23 @@ fi
%dir %attr(0755, root, root) %{postfix_config_dir}
%dir %attr(0755, root, root) %{postfix_daemon_dir}
%dir %attr(0755, root, root) %{postfix_queue_dir}
%ghost %dir %attr(0755, root, root) %{postfix_queue_dir}
%dir %attr(0755, root, root) %{postfix_shlib_dir}
%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/active
%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/bounce
%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/corrupt
%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/defer
%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/deferred
%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/flush
%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/hold
%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/incoming
%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/saved
%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/trace
%dir %attr(0730, %{postfix_user}, %{maildrop_group}) %{postfix_queue_dir}/maildrop
%dir %attr(0755, root, root) %{postfix_queue_dir}/pid
%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/private
%dir %attr(0710, %{postfix_user}, %{maildrop_group}) %{postfix_queue_dir}/public
%dir %attr(0700, %{postfix_user}, root) %{postfix_data_dir}
%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/active
%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/bounce
%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/corrupt
%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/defer
%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/deferred
%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/flush
%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/hold
%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/incoming
%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/saved
%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/trace
%ghost %dir %attr(0730, %{postfix_user}, %{maildrop_group}) %{postfix_queue_dir}/maildrop
%ghost %dir %attr(0755, root, root) %{postfix_queue_dir}/pid
%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/private
%ghost %dir %attr(0710, %{postfix_user}, %{maildrop_group}) %{postfix_queue_dir}/public
%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_data_dir}
%dir %attr(0755, root, root) %{postfix_config_dir}/dynamicmaps.cf.d
%dir %attr(0755, root, root) %{postfix_config_dir}/postfix-files.d
@ -846,6 +851,10 @@ fi
%endif
%changelog
* Thu Jun 25 2026 Jaroslav Škarvada <jskarvad@redhat.com> - 2:3.8.5-11
- Used workarounds for /var to support Image mode
Resolves: RHEL-104882
* Thu May 21 2026 Fedor Vorobev <fvorobev@redhat.com> - 2:3.8.5-10
- Fix for CVE-2026-43964: buffer over-read via malformed enhanced status code.
Resolves: RHEL-176547
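Review bot: Marking %{postfix_queue_dir} and all of its subdirectories %ghost in %files means rpm no longer creates them on a fresh install; they now exist only once systemd-tmpfiles has processed the new postfix.conf, and nothing in this diff runs it at install time, so a `systemctl start postfix` before the next boot would fail for want of the spool tree unless the distribution's systemd ships a file trigger on %{_tmpfilesdir} (which I believe recent Fedora/RHEL do, but the spec should not rely on it silently). Adding `%tmpfiles_create postfix.conf` to %post, or a comment next to `%{_tmpfilesdir}/postfix.conf` documenting the reliance on that trigger, closes the gap. The tmpfiles source also hard-codes `/var/spool/postfix`, `postfix` and `postdrop` while the %files list uses %{postfix_queue_dir}, %{postfix_user} and %{maildrop_group}, so the two lists of modes and owners can drift; a comment beside `Source7:` saying it must be kept in sync with the %ghost %dir entries, or generating it in %install with sed from those macros, would keep the 0700/0730/0710 permissions consistent. %{postfix_data_dir} is ghosted too but has no tmpfiles entry; presumably StateDirectory= in the unit is meant to cover it, which is worth saying in a spec comment or the changelog entry.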

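--- /dev/null
+++ b/postfix.tmpfiles
@@ -0,0 +1,16 @@
+# postfix spool
+d /var/spool/postfix 0755 root root -
+d /var/spool/postfix/active 0700 postfix root -
+d /var/spool/postfix/bounce 0700 postfix root -
+d /var/spool/postfix/corrupt 0700 postfix root -
+d /var/spool/postfix/defer 0700 postfix root -
+d /var/spool/postfix/deferred 0700 postfix root -
+d /var/spool/postfix/flush 0700 postfix root -
+d /var/spool/postfix/hold 0700 postfix root -
+d /var/spool/postfix/incoming 0700 postfix root -
+d /var/spool/postfix/saved 0700 postfix root -
+d /var/spool/postfix/trace 0700 postfix root -
+d /var/spool/postfix/maildrop 0730 postfix postdrop -
+d /var/spool/postfix/pid 0755 root root -
+d /var/spool/postfix/private 0700 postfix root -
+d /var/spool/postfix/public 0710 postfix postdrop -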
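Review bot: The file needs a header comment explaining why it exists, because the modes and owners it sets duplicate the %attr values of the %ghost %dir entries in postfix.spec and will silently diverge from them otherwise; something like `# Recreates the Postfix spool tree at boot for image-mode systems whose /var is not part of the image; keep modes and owners in sync with the %ghost %dir entries in postfix.spec` above the `d /var/spool/postfix` line. The `d` type also re-applies the listed mode and owner to directories that already exist on every systemd-tmpfiles --create run, which is desirable here (a spool whose 0700 permissions were loosened gets repaired at boot) but should be stated so that locally changed permissions being reverted is not a surprise. The `postfix` and `postdrop` accounts must exist before these lines are processed; presumably the sysusers snippet installed as Source6 provides them and systemd-sysusers runs first, but that dependency is worth one more line in the comment.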