Bug 787841
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/libexec/postfix/local from 'getattr' accesses on the None /var/spool/postfix/active/EB0A96F8A. |
| Product | Fedora |
| Component | selinux-policy |
| Version | rawhide |
| Hardware | x86_64 |
| OS | Unspecified |
| Status | CLOSED DUPLICATE |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Nicolas Mailhot <nicolas.mailhot> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dominick.grift, dwalsh, mgrepl |
| Whiteboard | abrt_hash:f2466b175b9321fd9d0aa13c37f5b78a47fa045d6b811bb04a591e21d33bbf52 |
| Doc Type | Bug Fix |
| Last Closed | 2012-02-13 08:55:11 UTC |
Description
Nicolas Mailhot
2012-02-06 22:02:58 UTC

---

*** Bug 787842 has been marked as a duplicate of this bug. ***

---

This is mislabeling.

```
$ restorecon -R -v /var/spool/postfix/active
```

Please reopen if this happens again.

But a question is how it got this mislabeling.

---

(In reply to comment #2)
> This is mislabeling.
>
> $ restorecon -R -v /var/spool/postfix/active
>
> please reopen if this happens again.
>
> But a question is how it got this mislabeling.

Really, this is getting ridiculous. This AVC happened after:

1. a full fixfiles restore
2. followed by a fixfiles reboot + reboot

So the system had been relabelled *twice* before rebooting and getting this AVC. (I'll note that part of the on-boot relabelling failed because selinux is blocking itself when relabelling on boot now, but that shouldn't matter because the system was relabeled just before.)

There is something seriously wrong in selinux or systemd if mislabeling occurs minutes after a double relabel.

---

```
$ matchpathcon /var/spool/postfix/active/EB0A96F8A
/var/spool/postfix/active/EB0A96F8A	system_u:object_r:postfix_spool_t:s0
```

---

What does

```
# setenforce 0
# fixfiles restore
# ausearch -m avc -ts recent
# rpm -qa selinux*|sort
```

---

```
selinux-policy-3.10.0-83.fc17.noarch
selinux-policy-targeted-3.10.0-83.fc17.noarch
# rpm -Va selinux-policy selinux-policy-targeted
...T.....  c /etc/selinux/targeted/contexts/files/file_contexts.local
# setenforce Permissive
# fixfiles restore
# /sbin/init 6
# setenforce Permissive
# grep -nr 'Initializing cgroup subsys cpuset' /var/log/messages | tail -1
515259:Feb 7 19:44:27 arekh kernel: [    0.000000] Initializing cgroup subsys cpuset
# ausearch -m avc -ts '19:44:27' > /tmp/boot.avc
```

Created attachment 560038: boot avcs

---

The sys_ptrace issue is a kernel bug.

---

Well, maybe I know what is wrong. What is your output of

```
$ matchpathcon /var/spool/postfix/active/EB0A96F8A
$ cat /etc/selinux/targeted/contexts/files/file_contexts.local
```

---

```
# matchpathcon /var/spool/postfix/active/EB0A96F8A
/var/spool/postfix/active/EB0A96F8A	system_u:object_r:postfix_spool_t:s0
# cat /etc/selinux/targeted/contexts/files/file_contexts.local
#
```

So maybe the file is correctly labelled now. I don't really want to retry a fixfiles reboot to check if it will mislabel again (at least, not till the stupid "selinux is blocking selinux relabel" thing is fixed).

---

Nicolas, you mean the hang on restorecon, because of the syslog race condition in systemd?

---

(In reply to comment #10)
> Nicolas, you mean the hang on restorecon, because of the syslog race condition
> in systemd?

I mean all the AVCs you get on boot if you do a `touch /.autorelabel` and reboot. By the time you realise something is wrong and press reset to retry with enforcing=0, selinux has plenty of opportunities to screw itself hard.

---

The AVC messages which you are getting relate to a kernel bug, as Dan wrote. I guess you are up-to-date? I am trying to set up a new F17 machine to see if I get similar behavior. I don't see it on my F17 machine.

---

I always try to test with the latest versions built for rawhide in koji before bothering you:

```
[koji-rawhide-builds]
name=Fedora - Devel - Koji builds
baseurl=http://kojipkgs.fedoraproject.org/repos/dist-rawhide/latest/x86_64/
enabled=1
gpgcheck=0
cost=500
```

The autorelabel bug is unrelated to the ptrace kernel bug (I upgraded to the problem kernel during this bug testing).

---

(In reply to comment #13)
> I always try to test with the latest versions built for rawhide in koji before
> bothering you

Today's tests: new systemd/kernel/policy, new fixfiles restore, new blocking boot AVCs :( (cannot log in if the system is booted in enforcing mode)

```
# dmesg|grep avc
[   15.608058] type=1400 audit(1328859423.614:3): avc: denied { sendto } for pid=481 comm="systemd-cgroups" path="/run/systemd/journal/socket" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
[   15.697304] type=1400 audit(1328859423.703:4): avc: denied { ioctl } for pid=482 comm="systemd-sysctl" path="socket:[10270]" dev="sockfs" ino=10270 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket
[   15.876187] type=1400 audit(1328859423.882:5): avc: denied { getattr } for pid=493 comm="udevd" path="socket:[11269]" dev="sockfs" ino=11269 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket
```

```
kernel-3.3.0-0.rc3.git0.2.fc18.x86_64
kernel-headers-3.3.0-0.rc3.git0.2.fc18.x86_64
kernel-tools-3.3.0-0.rc3.git0.2.fc18.x86_64
selinux-policy-3.10.0-85.fc17.noarch
selinux-policy-targeted-3.10.0-85.fc17.noarch
systemd-41-2.fc17.x86_64
systemd-analyze-41-2.fc17.x86_64
systemd-gtk-41-2.fc17.x86_64
systemd-sysv-41-2.fc17.x86_64
udev-181-2.fc17.x86_64
```

---

*** This bug has been marked as a duplicate of bug 788829 ***
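Added example, not code from the bug report or from Fedora: a small Python parser for the `avc: denied` lines quoted in the thread, so a batch of boot denials can be grouped by (source type, target type, class, permission) the way audit2allow keys them, and the real filesystem paths can be pulled out for a `matchpathcon` / `restorecon -v` check. The sample input is the three dmesg lines from the report, re-typed here as constructed test data.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: the three denials quoted in the bug's dmesg output.
SAMPLE_DMESG = """\
[   15.608058] type=1400 audit(1328859423.614:3): avc: denied { sendto } for pid=481 comm="systemd-cgroups" path="/run/systemd/journal/socket" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
[   15.697304] type=1400 audit(1328859423.703:4): avc: denied { ioctl } for pid=482 comm="systemd-sysctl" path="socket:[10270]" dev="sockfs" ino=10270 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket
[   15.876187] type=1400 audit(1328859423.882:5): avc: denied { getattr } for pid=493 comm="udevd" path="socket:[11269]" dev="sockfs" ino=11269 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket
"""

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec

def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type (the part a policy rule is written against)."""
    return ctx.split(":")[2]

def summarize(text: str) -> Counter:
    """Count denials per (source type, target type, class, permission)."""
    counts: Counter = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:  # type: ignore[union-attr]
            counts[(context_type(str(rec["scontext"])), context_type(str(rec["tcontext"])),
                    rec["tclass"], perm)] += 1
    return counts

def paths_to_check(text: str) -> List[str]:
    """Filesystem paths named in denials (socket:[...] pseudo-paths skipped);
    these are what to hand to matchpathcon or restorecon -v to rule out mislabeling."""
    found = set()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and str(rec.get("path", "")).startswith("/"):
            found.add(str(rec["path"]))
    return sorted(found)

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_DMESG).items()):
        print(n, *key)
    print("check labels on:", paths_to_check(SAMPLE_DMESG))
```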