Control: reassign -1 systemd

On 13.08.2025 14:12, Guillem Jover wrote:
> Package: postfix
> Version: 3.10.3-2
> Severity: normal
>
> Hi!
>
> On a system with postfix and systemd, I started to get audit log spam
> after I upgraded systemd earlier today to version 258~rc2-2.
>
> The message that repeats every minute (I think), reads like this:
>
>    ,---
>    audit: type=1326 audit(1755082451.348:443): auid=4294967295 uid=0 gid=136 ses=4294967295 subj=unconfined pid=1436139 comm="pickup" exe="/usr/lib/postfix/sbin/pickup" sig=31 arch=c000003e syscall=428 compat=0 ip=0x7f32deee0747 code=0x80000000
>    `---
>
> The syscall 428 on Linux amd64 is open_tree, so adding that to the
> systemd service file in SystemCallFilter:
>
>    SystemCallFilter=@system-service @setuid chroot open_tree
>
> Appears to fix the issue. Although I'm not sure whether this is
> something that started with the new systemd upload or was a
> pre-existing problem (perhaps even affecting Debian trixie?).

No.

Simply restarting postfix fixes the issue.

The problem is that nss_systemd (actually most of systemd, but
nss-systemd is the important component here) started using open_tree
instead of openat.  At the same time, they updated the @system-service
set to include this syscall (so adding it as you suggest isn't needed).

Postfix is sort of unique since it executes other binaries after
startup.  These binaries run under the old syscall filter, which didn't
include open_tree.  But the new nss-systemd uses this syscall.  So
you're getting errors.

https://github.com/systemd/systemd/commit/aac21825cd45ee998695504b7b8b881bac2a44c2

A simple restart of the postfix service fixes it, since the new filter
is applied.

There's nothing postfix can do here.  Also, there's nothing systemd
can do here either, it looks like - this issue is already fixed by
a simple restart of postfix.

Thanks,

/mjt
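
For triage of records like the one quoted in this thread, the following decodes kernel SECCOMP audit records (type=1326) and counts denials per binary and syscall. It is an added example, not part of the original messages or of postfix or systemd; the function names are hypothetical, the syscall table is a deliberately small subset, and the sample lines other than the quoted record are constructed.

```python
import re
from collections import Counter

# Constructed input: the record quoted in the report, an invented repeat one
# minute later, and an unrelated (non-seccomp) audit line.
_REC = ('audit: type=1326 audit({ts}): auid=4294967295 uid=0 gid=136 '
        'ses=4294967295 subj=unconfined pid={pid} comm="pickup" '
        'exe="/usr/lib/postfix/sbin/pickup" sig=31 arch=c000003e syscall=428 '
        'compat=0 ip=0x7f32deee0747 code=0x80000000')
SAMPLE = [
    _REC.format(ts="1755082451.348:443", pid=1436139),
    _REC.format(ts="1755082511.352:444", pid=1436201),  # constructed repeat
    'audit: type=1130 audit(1755082512.000:445): pid=1 uid=0 msg="unit=cron"',
]

AUDIT_ARCH_X86_64 = 0xC000003E
# Subset of the x86_64 syscall table, only the calls named in the thread.
SYSCALLS = {AUDIT_ARCH_X86_64: {257: "openat", 428: "open_tree"}}
# seccomp return actions (upper 16 bits of the "code" field).
ACTIONS = {0x80000000: "KILL_PROCESS", 0x00000000: "KILL_THREAD",
           0x00030000: "TRAP", 0x00050000: "ERRNO", 0x7FFC0000: "LOG"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(line):
    """Return a decoded dict for a SECCOMP audit record, else None."""
    if "type=1326" not in line:
        return None
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    arch, nr, code = int(f["arch"], 16), int(f["syscall"]), int(f["code"], 16)
    return {
        "exe": f["exe"],
        "pid": int(f["pid"]),
        "arch": "x86_64" if arch == AUDIT_ARCH_X86_64 else hex(arch),
        "syscall": SYSCALLS.get(arch, {}).get(nr, f"unknown({nr})"),
        "action": ACTIONS.get(code & 0xFFFF0000, hex(code)),
        "signal": int(f["sig"]),  # 31 is SIGSYS on x86_64
    }

def summarize(lines):
    """Count seccomp denials per (executable, syscall name)."""
    hits = filter(None, map(decode, lines))
    return dict(Counter((h["exe"], h["syscall"]) for h in hits))

if __name__ == "__main__":
    for (exe, name), n in summarize(SAMPLE).items():
        print(f"{n}x {name} denied in {exe}")
```

If the same binary keeps appearing in this summary after the service has been restarted, the stale-filter explanation given above no longer applies and the unit's SystemCallFilter is worth a closer look.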
