Bug 787841 - SELinux is preventing /usr/libexec/postfix/local from 'getattr' accesses on the None /var/spool/postfix/active/EB0A96F8A.
Summary: SELinux is preventing /usr/libexec/postfix/local from 'getattr' accesses on t...
Keywords:
Status: CLOSED DUPLICATE of bug 788829
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:f2466b175b9321fd9d0aa13c37f...
Duplicates: 787842
Depends On:
Blocks:
 
Reported: 2012-02-06 22:02 UTC by Nicolas Mailhot
Modified: 2012-02-13 08:55 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-13 08:55:11 UTC
Type: ---
Embargoed:


Attachments
boot avcs (171.28 KB, text/plain)
2012-02-07 19:06 UTC, Nicolas Mailhot

Description Nicolas Mailhot 2012-02-06 22:02:58 UTC
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.0-0.rc2.git4.1.fc17.x86_64
reason:         SELinux is preventing /usr/libexec/postfix/local from 'getattr' accesses on the None /var/spool/postfix/active/EB0A96F8A.
time:           Mon 06 Feb 2012 22:54:25 CET

description:
:SELinux is preventing /usr/libexec/postfix/local from 'getattr' accesses on the None /var/spool/postfix/active/EB0A96F8A.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that local should be allowed getattr access on the EB0A96F8A <Unknown> by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep local /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:postfix_local_t:s0
:Target Context                system_u:object_r:postfix_spool_maildrop_t:s0
:Target Objects                /var/spool/postfix/active/EB0A96F8A [ None ]
:Source                        local
:Source Path                   /usr/libexec/postfix/local
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           postfix-2.9.0-1.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-82.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.0-0.rc2.git4.1.fc17.x86_64 #1
:                              SMP Mon Feb 6 17:53:24 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    Mon 06 Feb 2012 22:52:34 CET
:Last Seen                     Mon 06 Feb 2012 22:52:34 CET
:Local ID                      120b5e70-c309-41d0-8fde-eee9cde49afb
:
:Raw Audit Messages
:type=AVC msg=audit(1328565154.469:153): avc:  denied  { getattr } for  pid=1011 comm="local" path="/var/spool/postfix/active/EB0A96F8A" dev="dm-1" ino=28554 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
:
:node=(removed) type=SYSCALL msg=audit(1328565154.469:153): arch=c000003e syscall=6 success=no exit=-13 a0=7f236b32e340 a1=7fff967e23a0 a2=7fff967e23a0 a3=19 items=0 ppid=994 pid=1011 auid=4294967295 uid=0 gid=0 euid=89 suid=0 fsuid=89 egid=89 sgid=0 fsgid=89 tty=(none) ses=4294967295 comm="local" exe="/usr/libexec/postfix/local" subj=system_u:system_r:postfix_local_t:s0 key=(null)
:
:
:Hash: local,postfix_local_t,postfix_spool_maildrop_t,None,getattr
:
:audit2allow
:
:
:audit2allow -R
:
:

Comment 1 Miroslav Grepl 2012-02-07 11:23:03 UTC
*** Bug 787842 has been marked as a duplicate of this bug. ***

Comment 2 Miroslav Grepl 2012-02-07 11:26:26 UTC
This is mislabeling.

$ restorecon -R -v /var/spool/postfix/active

please reopen if this happens again. 

But a question is how it got this mislabeling.

Comment 3 Nicolas Mailhot 2012-02-07 11:48:43 UTC
(In reply to comment #2)
> This is mislabeling.
> 
> $ restorecon -R -v /var/spool/postfix/active
> 
> please reopen if this happnes again. 
> 
> But a question is how it got this mislabeling.

really, this is getting ridiculous
this avc happened after :
1. a full fixfile restore
2. followed by a fixfiles reboot + reboot

so the system had been relabelled *twice* before rebooting and getting this avc

(I'll note that part of the onboot relabelling failed because selinux is blocking itself when relabelling on boot now, but that shouldn't matter because the system was relabeled just before)

there is something seriously wrong in selinux or systemd if mislabeling occurs minutes after a double relabel

Comment 4 Miroslav Grepl 2012-02-07 11:57:00 UTC
$ matchpathcon /var/spool/postfix/active/EB0A96F8A
/var/spool/postfix/active/EB0A96F8A	system_u:object_r:postfix_spool_t:s0

What does

# setenforce 0
# fixfiles restore
# ausearch -m avc -ts recent

Comment 5 Nicolas Mailhot 2012-02-07 19:05:43 UTC
# rpm -qa selinux*|sort
selinux-policy-3.10.0-83.fc17.noarch
selinux-policy-targeted-3.10.0-83.fc17.noarch
# rpm -Va selinux-policy selinux-policy-targeted
...T.....  c /etc/selinux/targeted/contexts/files/file_contexts.local
# setenforce Permissive
# fixfiles restore
# /sbin/init 6
# setenforce Permissive
# grep -nr 'Initializing cgroup subsys cpuset' /var/log/messages | tail -1
515259:Feb  7 19:44:27 arekh kernel: [    0.000000] Initializing cgroup subsys cpuset
# ausearch -m avc -ts '19:44:27' > /tmp/boot.avc

Comment 6 Nicolas Mailhot 2012-02-07 19:06:18 UTC
Created attachment 560038 [details]
boot avcs

Comment 7 Daniel Walsh 2012-02-07 20:03:51 UTC
The sys_ptrace issue is a kernel bug.

Comment 8 Miroslav Grepl 2012-02-08 11:48:31 UTC
Well, maybe I know what is wrong.

What is your output of

$ matchpathcon /var/spool/postfix/active/EB0A96F8A

$ cat /etc/selinux/targeted/contexts/files/file_contexts.local

Comment 9 Nicolas Mailhot 2012-02-08 18:00:20 UTC
# matchpathcon /var/spool/postfix/active/EB0A96F8A
/var/spool/postfix/active/EB0A96F8A	system_u:object_r:postfix_spool_t:s0
# cat /etc/selinux/targeted/contexts/files/file_contexts.local
# 

so maybe the file is correctly labelled now

I don't really want to retry a fixfiles reboot to check if it will mislabel again (at least, not till the stupid "selinux is blocking selinux relabel" thing is fixed)
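The diagnosis in comments 2, 4, 8 and 9 boils down to one comparison: the label the file actually carries (the tcontext in the AVC, postfix_spool_maildrop_t) versus the label file_contexts says it should carry (the matchpathcon output, postfix_spool_t). When they differ, the denial is a mislabel and the fix is restorecon, not audit2allow; an audit2allow module generated from this AVC would permanently allow postfix_local_t to touch maildrop-labelled files and hide the real problem. The script below is an added example written for this page, not code from the bug, from setroubleshoot or from selinux-policy. It parses AVC records in both the audit.log and the dmesg format, looks the path up in a small constructed file_contexts table (the entries are a subset modelled on the real Postfix ones; the "last matching entry wins" rule is a simplification of libselinux's matching), and sorts each denial into mislabel, policy gap, or not-a-file. All sample log lines are constructed for the example, the first one being this bug's AVC with its tclass restored.

```python
#!/usr/bin/env python3
"""Triage SELinux AVC denials: mislabel (fix with restorecon) or policy gap (report it)."""
import re

# Constructed subset of /etc/selinux/targeted/contexts/files/file_contexts.
# Format: <anchored regex> [<file type>] <context>. The last matching entry
# wins, which mirrors the convention that more specific paths are listed after
# general ones (an assumption that simplifies libselinux's real matching).
FILE_CONTEXTS = """\
/var/spool/postfix(/.*)?            system_u:object_r:postfix_spool_t:s0
/var/spool/postfix/maildrop(/.*)?   system_u:object_r:postfix_spool_maildrop_t:s0
/var/spool/postfix/public(/.*)?     system_u:object_r:postfix_public_t:s0
"""

# Constructed sample records: this bug's denial (audit.log format, tclass=file
# restored), a denial on a correctly labelled file, and a dmesg-format boot
# denial on a socket, which no file label can explain.
SAMPLE_LOG = """\
type=AVC msg=audit(1328565154.469:153): avc:  denied  { getattr } for  pid=1011 comm="local" path="/var/spool/postfix/active/EB0A96F8A" dev="dm-1" ino=28554 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=file
type=AVC msg=audit(1328565200.100:160): avc:  denied  { write } for  pid=1011 comm="local" path="/var/spool/postfix/active/EB0A96F8A" dev="dm-1" ino=28554 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=file
type=1400 audit(1328859423.614:3): avc:  denied  { sendto } for  pid=481 comm="systemd-cgroups" path="/run/systemd/journal/socket" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FILE_CLASSES = {"file", "dir", "lnk_file", "chr_file", "blk_file", "sock_file", "fifo_file"}


def load_file_contexts(text):
    """Parse file_contexts lines into [(compiled regex, context)]; comments and blanks are skipped."""
    table = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        columns = line.split()
        table.append((re.compile(columns[0]), columns[-1]))  # ignore the optional file-type column
    return table


def expected_context(path, table):
    """Context of the last entry whose regex matches the whole path, like matchpathcon; None if no entry."""
    match = None
    for regex, context in table:
        if regex.fullmatch(path):
            match = context
    return match


def parse_avc(line):
    """Extract the permission list and key=value fields from one audit.log or dmesg AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    record = {"perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("fields")):
        record[key] = value.strip('"')
    return record


def selinux_type(context):
    """user:role:type:level -> type; only the type decides a type-enforcement denial."""
    return context.split(":")[2]


def triage(record, table):
    """MISLABEL if the on-disk type differs from file_contexts, POLICY_GAP if it matches."""
    if record.get("tclass") not in FILE_CLASSES or "path" not in record:
        return "NOT_A_FILE"
    expected = expected_context(record["path"], table)
    if expected is None:
        return "NO_FILE_CONTEXTS_ENTRY"
    if selinux_type(expected) != selinux_type(record["tcontext"]):
        return "MISLABEL"
    return "POLICY_GAP"


def triage_log(text, table):
    """Triage every AVC record in a log; returns [(path or comm, verdict, suggested action)]."""
    results = []
    for line in text.splitlines():
        record = parse_avc(line)
        if record is None:
            continue
        verdict = triage(record, table)
        if verdict == "MISLABEL":
            action = "restorecon -v %s (audit2allow here would allow %s on %s files for good)" % (
                record["path"], record["perms"][0], selinux_type(record["tcontext"]))
        elif verdict == "POLICY_GAP":
            action = "label matches file_contexts; report against selinux-policy, audit2allow -M as a stopgap"
        else:
            action = "not a file labelling problem; look at scontext/tcontext instead"
        results.append((record.get("path", record.get("comm")), verdict, action))
    return results


if __name__ == "__main__":
    for path, verdict, action in triage_log(SAMPLE_LOG, load_file_contexts(FILE_CONTEXTS)):
        print("%-40s %-24s %s" % (path, verdict, action))
```

On a real box the table comes from `cat /etc/selinux/targeted/contexts/files/file_contexts` plus file_contexts.homedirs and file_contexts.local (the file Miroslav asked about in comment 8), and the ground truth is `matchpathcon <path>` next to `ls -Z <path>`; the script compares types only because the user and role parts of a context can legitimately differ from the file_contexts entry. One caveat that bears on the "how did it get mislabelled after two relabels" question: file_contexts only governs what restorecon and a boot-time relabel write, while a file created afterwards takes its label from the creating process and any type transition in policy, and keeps that label when it is renamed into another directory.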

Comment 10 Daniel Walsh 2012-02-08 20:01:19 UTC
Nicolas, you mean the hang on restorecon, because of the syslog race condition in systemd?

Comment 11 Nicolas Mailhot 2012-02-09 07:20:35 UTC
(In reply to comment #10)
> Nicolas You mean the hang on restorecon, because of the syslog race condition
> in systemd?

I mean all the avcs you get on boot if you do a touch /.autorelabel and reboot

By the time you realise something is wrong and press reset to retry with enforcing=0 selinux has plenty of opportunities to screw itself hard

Comment 12 Miroslav Grepl 2012-02-09 09:55:45 UTC
The AVC messages you are getting relate to a kernel bug, as Dan wrote. I guess you are up-to-date? 

I am trying to set up a new F17 machine to see if I get similar behavior. I don't see it on my F17 machine.

Comment 13 Nicolas Mailhot 2012-02-09 20:26:53 UTC
I always try to test with the latest versions built for rawhide in koji before bothering you

[koji-rawhide-builds]
name=Fedora - Devel - Koji builds
baseurl=http://kojipkgs.fedoraproject.org/repos/dist-rawhide/latest/x86_64/
enabled=1
gpgcheck=0
cost=500


The autorelabel bug is unrelated to the ptrace kernel bug (I upgraded to the problem kernel during the testing for this bug)

Comment 14 Nicolas Mailhot 2012-02-10 07:54:59 UTC
(In reply to comment #13)
> I always try to test with the latest versions built for rawhide in koji before
> bothering you

Today's tests: new systemd/kernel/policy, new fixfiles restore, new blocking boot avcs :(
(can not log in if the system is booted in enforcing mode)


# dmesg|grep avc
[   15.608058] type=1400 audit(1328859423.614:3): avc:  denied  { sendto } for  pid=481 comm="systemd-cgroups" path="/run/systemd/journal/socket" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
[   15.697304] type=1400 audit(1328859423.703:4): avc:  denied  { ioctl } for  pid=482 comm="systemd-sysctl" path="socket:[10270]" dev="sockfs" ino=10270 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket
[   15.876187] type=1400 audit(1328859423.882:5): avc:  denied  { getattr } for  pid=493 comm="udevd" path="socket:[11269]" dev="sockfs" ino=11269 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket

kernel-3.3.0-0.rc3.git0.2.fc18.x86_64
kernel-headers-3.3.0-0.rc3.git0.2.fc18.x86_64
kernel-tools-3.3.0-0.rc3.git0.2.fc18.x86_64
selinux-policy-3.10.0-85.fc17.noarch
selinux-policy-targeted-3.10.0-85.fc17.noarch
systemd-41-2.fc17.x86_64
systemd-analyze-41-2.fc17.x86_64
systemd-gtk-41-2.fc17.x86_64
systemd-sysv-41-2.fc17.x86_64
udev-181-2.fc17.x86_64

Comment 15 Miroslav Grepl 2012-02-13 08:55:11 UTC

*** This bug has been marked as a duplicate of bug 788829 ***

