From 7f04ae1f773fc56bc1b1707f146de45684d2c5b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= Date: Wed, 1 Jul 2026 21:12:46 +0200 Subject: [PATCH] Used workarounds for /var to support Image mode Resolves: RHEL-104882 --- postfix.service | 16 ++++++++++------ postfix.spec | 43 ++++++++++++++++++++++++++----------------- postfix.tmpfiles | 16 ++++++++++++++++ 3 files changed, 52 insertions(+), 23 deletions(-) create mode 100644 postfix.tmpfiles diff --git a/postfix.service b/postfix.service index 1016ac3..d8ce880 100644 --- a/postfix.service +++ b/postfix.service @@ -11,12 +11,16 @@ PrivateTmp=true CapabilityBoundingSet=~ CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE ProtectSystem=true PrivateDevices=true -ExecStartPre=-/usr/sbin/restorecon -R /var/spool/postfix/pid -ExecStartPre=-/usr/libexec/postfix/aliasesdb -ExecStartPre=-/usr/libexec/postfix/chroot-update -ExecStart=/usr/sbin/postfix start -ExecReload=/usr/sbin/postfix reload -ExecStop=/usr/sbin/postfix stop +ExecStartPre=!-/usr/sbin/restorecon -R /var/spool/postfix/pid +ExecStartPre=!-/usr/libexec/postfix/aliasesdb +ExecStartPre=!-/usr/libexec/postfix/chroot-update +ExecStart=!/usr/sbin/postfix start +ExecReload=!/usr/sbin/postfix reload +ExecStop=!/usr/sbin/postfix stop +User=postfix +Group=root +StateDirectory=postfix +StateDirectoryMode=0700 [Install] WantedBy=multi-user.target diff --git a/postfix.spec b/postfix.spec index 9f34d6f..7f5dbc0 100644 --- a/postfix.spec +++ b/postfix.spec @@ -57,7 +57,7 @@ Name: postfix Summary: Postfix Mail Transport Agent Version: 3.8.5 -Release: 10%{?dist} +Release: 11%{?dist} Epoch: 2 URL: http://www.postfix.org License: (IPL-1.0 OR EPL-2.0) AND GPL-2.0-or-later AND BSD-4-Clause-UC @@ -81,6 +81,7 @@ Source3: README-Postfix-SASL-RedHat.txt Source4: postfix.aliasesdb Source5: postfix-chroot-update Source6: postfix.sysusers +Source7: postfix.tmpfiles # Sources 50-99 are upstream [patch] contributions 
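Review bot: `User=postfix` and `Group=root` at the end of the postfix.service hunk read as a privilege drop, but every `Exec*` line in the hunk carries the `!` prefix, which tells systemd not to apply `User=`/`Group=` to that command, so all of them still run with root credentials. As written, the two settings appear to serve only to give the `StateDirectory=postfix` directory postfix:root ownership with mode 0700. The unit should say so, e.g. `# User=/Group= only set StateDirectory ownership; all Exec* lines use '!' and still run as root`, so that an audit does not count this service as unprivileged and a later `Exec*` line added without `!` is recognised as a behaviour change. The [Service] section starts above the hunk.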
@@ -426,6 +427,9 @@ install -m 755 %{SOURCE5} %{buildroot}%{postfix_daemon_dir}/chroot-update # systemd-sysusers install -p -D -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/postfix.conf +# systemd-tmpfiles +install -p -D -m 0644 %{SOURCE7} %{buildroot}%{_tmpfilesdir}/postfix.conf + install -c auxiliary/rmail/rmail $RPM_BUILD_ROOT%{_bindir}/rmail.postfix for i in active bounce corrupt defer deferred flush incoming private saved maildrop public pid saved trace; do @@ -642,6 +646,7 @@ fi %config(noreplace) %{sasl_config_dir}/smtpd.conf %endif %config(noreplace) %{_sysconfdir}/pam.d/smtp.postfix +%{_tmpfilesdir}/postfix.conf %{_unitdir}/postfix.service # Documentation 
@@ -670,23 +675,23 @@ fi %dir %attr(0755, root, root) %{postfix_config_dir} %dir %attr(0755, root, root) %{postfix_daemon_dir} -%dir %attr(0755, root, root) %{postfix_queue_dir} +%ghost %dir %attr(0755, root, root) %{postfix_queue_dir} %dir %attr(0755, root, root) %{postfix_shlib_dir} -%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/active -%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/bounce -%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/corrupt -%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/defer -%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/deferred -%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/flush -%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/hold -%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/incoming -%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/saved -%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/trace -%dir %attr(0730, %{postfix_user}, %{maildrop_group}) %{postfix_queue_dir}/maildrop -%dir %attr(0755, root, root) %{postfix_queue_dir}/pid -%dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/private -%dir %attr(0710, %{postfix_user}, %{maildrop_group}) %{postfix_queue_dir}/public -%dir %attr(0700, %{postfix_user}, root) %{postfix_data_dir} +%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/active +%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/bounce +%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/corrupt +%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/defer +%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/deferred +%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/flush +%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/hold +%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/incoming +%ghost %dir %attr(0700, %{postfix_user}, root) 
%{postfix_queue_dir}/saved +%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/trace +%ghost %dir %attr(0730, %{postfix_user}, %{maildrop_group}) %{postfix_queue_dir}/maildrop +%ghost %dir %attr(0755, root, root) %{postfix_queue_dir}/pid +%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_queue_dir}/private +%ghost %dir %attr(0710, %{postfix_user}, %{maildrop_group}) %{postfix_queue_dir}/public +%ghost %dir %attr(0700, %{postfix_user}, root) %{postfix_data_dir} %dir %attr(0755, root, root) %{postfix_config_dir}/dynamicmaps.cf.d %dir %attr(0755, root, root) %{postfix_config_dir}/postfix-files.d @@ -846,6 +851,10 @@ fi %endif %changelog +* Thu Jun 25 2026 Jaroslav Škarvada - 2:3.8.5-11 +- Used workarounds for /var to support Image mode + Resolves: RHEL-104882 + * Thu May 21 2026 Fedor Vorobev - 2:3.8.5-10 - Fix for CVE-2026-43964: buffer over-read via malformed enhanced status code. Resolves: RHEL-176547 diff --git a/postfix.tmpfiles b/postfix.tmpfiles new file mode 100644 index 0000000..567af18 --- /dev/null +++ b/postfix.tmpfiles @@ -0,0 +1,16 @@ +# postfix spool +d /var/spool/postfix 0755 root root - +d /var/spool/postfix/active 0700 postfix root - +d /var/spool/postfix/bounce 0700 postfix root - +d /var/spool/postfix/corrupt 0700 postfix root - +d /var/spool/postfix/defer 0700 postfix root - +d /var/spool/postfix/deferred 0700 postfix root - +d /var/spool/postfix/flush 0700 postfix root - +d /var/spool/postfix/hold 0700 postfix root - +d /var/spool/postfix/incoming 0700 postfix root - +d /var/spool/postfix/saved 0700 postfix root - +d /var/spool/postfix/trace 0700 postfix root - +d /var/spool/postfix/maildrop 0730 postfix postdrop - +d /var/spool/postfix/pid 0755 root root - +d /var/spool/postfix/private 0700 postfix root - +d /var/spool/postfix/public 0710 postfix postdrop -
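Review bot: The last `%ghost` entry, `%{postfix_data_dir}`, has no counterpart in the new postfix.tmpfiles, which lists only the spool tree. Within this patch the only thing that could create it is `StateDirectory=postfix` in postfix.service, assuming the macro expands to the matching path under /var/lib (its definition is outside the hunk). If so, the data directory would not exist until the unit is first started, unlike the queue directories. A comment above the block would record the split, e.g. `# queue dirs are created by tmpfiles.d/postfix.conf, the data dir by StateDirectory= in postfix.service`. The `%files` section begins and ends outside the hunk.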
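Review bot: The owner, group and mode columns in postfix.tmpfiles restate the `%attr` values of the `%ghost` entries in postfix.spec, but with `postfix`, `postdrop` and `/var/spool/postfix` hard-coded where the spec uses `%{postfix_user}`, `%{maildrop_group}` and `%{postfix_queue_dir}`. With the directories ghosted, this file is what sets the permissions on the running system, so editing one copy and not the other would change access to `maildrop` (0730) and `public` (0710), the two directories opened to the postdrop group, and nothing in the visible hunks would catch it. The header comment should name the other copy, e.g. `# owners and modes must match the %ghost %dir entries in postfix.spec`, or the file could be generated from the spec macros at build time.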