libreport version: 2.0.8
executable: /usr/bin/python
hashmarkername: setroubleshoot
kernel: 3.3.0-0.rc2.git4.1.fc17.x86_64
reason: SELinux is preventing /usr/libexec/postfix/local from 'getattr' accesses on the None /var/spool/postfix/active/EB0A96F8A.
time: Mon 06 Feb 2012 22:54:25 CET
description:
SELinux is preventing /usr/libexec/postfix/local from 'getattr' accesses on the None /var/spool/postfix/active/EB0A96F8A.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that local should be allowed getattr access on the EB0A96F8A <Unknown> by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep local /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context         system_u:system_r:postfix_local_t:s0
Target Context         system_u:object_r:postfix_spool_maildrop_t:s0
Target Objects         /var/spool/postfix/active/EB0A96F8A [ None ]
Source                 local
Source Path            /usr/libexec/postfix/local
Port                   <Unknown>
Host                   (removed)
Source RPM Packages    postfix-2.9.0-1.fc17.x86_64
Target RPM Packages
Policy RPM             selinux-policy-3.10.0-82.fc17.noarch
Selinux Enabled        True
Policy Type            targeted
Enforcing Mode         Enforcing
Host Name              (removed)
Platform               Linux (removed) 3.3.0-0.rc2.git4.1.fc17.x86_64 #1 SMP Mon Feb 6 17:53:24 UTC 2012 x86_64 x86_64
Alert Count            1
First Seen             Mon 06 Feb 2012 22:52:34 CET
Last Seen              Mon 06 Feb 2012 22:52:34 CET
Local ID               120b5e70-c309-41d0-8fde-eee9cde49afb

Raw Audit Messages
type=AVC msg=audit(1328565154.469:153): avc: denied { getattr } for pid=1011 comm="local" path="/var/spool/postfix/active/EB0A96F8A" dev="dm-1" ino=28554 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1328565154.469:153): arch=c000003e syscall=6 success=no exit=-13 a0=7f236b32e340 a1=7fff967e23a0 a2=7fff967e23a0 a3=19 items=0 ppid=994 pid=1011 auid=4294967295 uid=0 gid=0 euid=89 suid=0 fsuid=89 egid=89 sgid=0 fsgid=89 tty=(none) ses=4294967295 comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null)

Hash: local,postfix_local_t,postfix_spool_maildrop_t,None,getattr

audit2allow

audit2allow -R
*** Bug 787842 has been marked as a duplicate of this bug. ***
This is mislabeling.

$ restorecon -R -v /var/spool/postfix/active

Please reopen if this happens again.

But a question is how it got this mislabeling.
(In reply to comment #2)
> This is mislabeling.
>
> $ restorecon -R -v /var/spool/postfix/active
>
> Please reopen if this happens again.
>
> But a question is how it got this mislabeling.

Really, this is getting ridiculous. This AVC happened after:
1. a full fixfiles restore
2. followed by a fixfiles reboot + reboot

So the system had been relabelled *twice* before rebooting and getting this AVC. (I'll note that part of the on-boot relabelling failed because SELinux is blocking itself when relabelling on boot now, but that shouldn't matter because the system was relabelled just before.)

There is something seriously wrong in SELinux or systemd if mislabeling occurs minutes after a double relabel.
$ matchpathcon /var/spool/postfix/active/EB0A96F8A
/var/spool/postfix/active/EB0A96F8A	system_u:object_r:postfix_spool_t:s0

What does

# setenforce 0
# fixfiles restore
# ausearch -m avc -ts recent
# rpm -qa selinux*|sort
selinux-policy-3.10.0-83.fc17.noarch
selinux-policy-targeted-3.10.0-83.fc17.noarch
# rpm -Va selinux-policy selinux-policy-targeted
...T.....  c /etc/selinux/targeted/contexts/files/file_contexts.local
# setenforce Permissive
# fixfiles restore
# /sbin/init 6
# setenforce Permissive
# grep -nr 'Initializing cgroup subsys cpuset' /var/log/messages | tail -1
515259:Feb  7 19:44:27 arekh kernel: [    0.000000] Initializing cgroup subsys cpuset
# ausearch -m avc -ts '19:44:27' > /tmp/boot.avc
Created attachment 560038: boot avcs
The sys_ptrace issues is a kernel bug.
Well, maybe I know what is wrong. What is your output of

$ matchpathcon /var/spool/postfix/active/EB0A96F8A
$ cat /etc/selinux/targeted/contexts/files/file_contexts.local
# matchpathcon /var/spool/postfix/active/EB0A96F8A
/var/spool/postfix/active/EB0A96F8A	system_u:object_r:postfix_spool_t:s0
# cat /etc/selinux/targeted/contexts/files/file_contexts.local
#

So maybe the file is correctly labelled now. I don't really want to retry a fixfiles reboot to check if it will mislabel again (at least, not till the stupid "SELinux is blocking the SELinux relabel" thing is fixed).
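The check the maintainer performs by hand in the comments above (compare the object type in the AVC's tcontext with what matchpathcon says the path should carry; a mismatch is mislabeling and calls for restorecon, a match is a real policy decision and the only case where audit2allow -M is appropriate) can be scripted. The following is an added example written for this thread; it is not code from the bug report, from setroubleshoot or from any Fedora tool. It does not execute matchpathcon: its output line is passed in as text so the script runs on a machine without an SELinux policy. The sample AVC record is the one from the report above with the trailing host field dropped; the function names are this example's own.

```python
"""Classify an SELinux AVC denial on a file object as mislabeling or a real policy gap.

Added example, not from the bug thread or from any SELinux tool. The logic mirrors
the manual diagnosis in the thread: take the type from the AVC's tcontext and compare
it with the type matchpathcon reports for the same path (supplied here as text).
"""
import re
import shlex
from typing import Dict, Optional

# Object classes that live on a filesystem and therefore have a file_contexts entry.
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"}

# AVC record from the report above (trailing node=... host field dropped).
AVC_LINE = (
    "type=AVC msg=audit(1328565154.469:153): avc: denied { getattr } for pid=1011 "
    'comm="local" path="/var/spool/postfix/active/EB0A96F8A" dev="dm-1" ino=28554 '
    "scontext=system_u:system_r:postfix_local_t:s0 "
    "tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file"
)

# matchpathcon output for the same path, as posted later in the thread.
MATCHPATHCON_LINE = "/var/spool/postfix/active/EB0A96F8A\tsystem_u:object_r:postfix_spool_t:s0"

_TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
_PERMS = re.compile(r"denied\s*\{\s*([^}]*)\}")  # the { perm perm ... } set


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the key=value fields of an AVC record plus the denied permissions,
    or None if the line is not an AVC record at all (e.g. a SYSCALL record)."""
    if "avc:" not in line:
        return None
    fields: Dict[str, object] = {k: v.strip('"') for k, v in _TOKEN.findall(line)}
    perms = _PERMS.search(line)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields


def selinux_type(context: str) -> Optional[str]:
    """Extract the type component from user:role:type[:range]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def expected_context(matchpathcon_output: str) -> Optional[str]:
    """matchpathcon prints '<path><whitespace><context>'; return the context part."""
    parts = matchpathcon_output.strip().rsplit(None, 1)
    return parts[1] if len(parts) == 2 else None


def diagnose(avc_line: str, matchpathcon_output: str) -> Dict[str, object]:
    """Compare the denied object's actual type with the policy's expected type."""
    avc = parse_avc(avc_line)
    if avc is None or avc.get("tclass") not in FILE_CLASSES:
        return {"verdict": "not-a-file-avc"}
    actual = selinux_type(str(avc.get("tcontext", "")))
    expected = selinux_type(expected_context(matchpathcon_output) or "")
    result: Dict[str, object] = {
        "path": avc.get("path"),
        "source": selinux_type(str(avc.get("scontext", ""))),
        "perms": avc["perms"],
        "actual": actual,
        "expected": expected,
    }
    if expected is None:
        result["verdict"] = "no-file_contexts-entry"
    elif actual != expected:
        # On-disk label disagrees with policy: relabel, do not write a local module.
        result["verdict"] = "mislabeled"
        result["fix"] = "restorecon -v " + shlex.quote(str(avc.get("path", "")))
    else:
        # Label is what policy expects, so the denial is a genuine policy decision.
        result["verdict"] = "policy-denial"
        result["fix"] = "report a policy bug; audit2allow -M only as a stopgap"
    return result


if __name__ == "__main__":
    for key, value in diagnose(AVC_LINE, MATCHPATHCON_LINE).items():
        print(f"{key:>9}: {value}")
```

On a live system the second argument would come from `matchpathcon "$path"` run against the installed policy; the socket-class denials quoted further down in this thread are deliberately reported as `not-a-file-avc`, since a `unix_stream_socket` has no file_contexts entry to compare against.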
Nicolas You mean the hang on restorecon, because of the syslog race condition in systemd?
(In reply to comment #10)
> Nicolas You mean the hang on restorecon, because of the syslog race condition
> in systemd?

I mean all the AVCs you get on boot if you do a touch /.autorelabel and reboot. By the time you realise something is wrong and press reset to retry with enforcing=0, SELinux has plenty of opportunities to screw itself hard.
The AVC messages you are getting relate to a kernel bug, as Dan wrote. I guess you are up-to-date? I am trying to set up a new F17 machine to see if I get similar behavior. I don't see it on my F17 machine.
I always try to test with the latest versions built for rawhide in koji before bothering you:

[koji-rawhide-builds]
name=Fedora - Devel - Koji builds
baseurl=http://kojipkgs.fedoraproject.org/repos/dist-rawhide/latest/x86_64/
enabled=1
gpgcheck=0
cost=500

The autorelabel bug is unrelated to the ptrace kernel bug (I upgraded to the problem kernel during the testing for this bug).
(In reply to comment #13)
> I always try to test with the latest versions built for rawhide in koji before
> bothering you

Today's tests: new systemd/kernel/policy, new fixfiles restore, new blocking boot AVCs :( (cannot log in if the system is booted in enforcing mode)

# dmesg|grep avc
[   15.608058] type=1400 audit(1328859423.614:3): avc:  denied  { sendto } for  pid=481 comm="systemd-cgroups" path="/run/systemd/journal/socket" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
[   15.697304] type=1400 audit(1328859423.703:4): avc:  denied  { ioctl } for  pid=482 comm="systemd-sysctl" path="socket:[10270]" dev="sockfs" ino=10270 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket
[   15.876187] type=1400 audit(1328859423.882:5): avc:  denied  { getattr } for  pid=493 comm="udevd" path="socket:[11269]" dev="sockfs" ino=11269 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket

kernel-3.3.0-0.rc3.git0.2.fc18.x86_64
kernel-headers-3.3.0-0.rc3.git0.2.fc18.x86_64
kernel-tools-3.3.0-0.rc3.git0.2.fc18.x86_64
selinux-policy-3.10.0-85.fc17.noarch
selinux-policy-targeted-3.10.0-85.fc17.noarch
systemd-41-2.fc17.x86_64
systemd-analyze-41-2.fc17.x86_64
systemd-gtk-41-2.fc17.x86_64
systemd-sysv-41-2.fc17.x86_64
udev-181-2.fc17.x86_64
*** This bug has been marked as a duplicate of bug 788829 ***