Bug 1346766
| Summary: | amavisd-new selinux policies prevent it running | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Nick Urbanik <nicku> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 24 | CC: | dominick.grift, dwalsh, jorti, lvrabec, mgrepl, perl-devel, plautrba, steve, vanmeeuwen+fedora |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-06-29 12:55:56 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Nick Urbanik
2016-06-15 10:19:08 UTC
amavisd-new does not deliver any SELinux policy. Reassigning to selinux-policy component. SELinux is preventing (amavisd) from execute_no_trans access on the file /usr/sbin/amavisd.
***** Plugin catchall (100. confidence) suggests **************************
If cree que de manera predeterminada, (amavisd) debería permitir acceso execute_no_trans sobre amavisd file.
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
allow this access for now by executing:
# ausearch -c '(amavisd)' --raw | audit2allow -M my-amavisd
# semodule -X 300 -i my-amavisd.pp
Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:object_r:antivirus_exec_t:s0
Target Objects /usr/sbin/amavisd [ file ]
Source (amavisd)
Source Path (amavisd)
Port <Unknown>
Host argon
Source RPM Packages
Target RPM Packages amavisd-new-2.10.1-7.fc24.noarch
Policy RPM selinux-policy-3.13.1-190.fc24.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name argon
Platform Linux argon 4.5.5-300.fc24.x86_64 #1 SMP Thu May
19 13:05:32 UTC 2016 x86_64 x86_64
Alert Count 10
First Seen 2016-06-16 10:26:00 CEST
Last Seen 2016-06-16 11:06:05 CEST
Local ID 15a5aba5-49c1-45f8-ace2-850bf58f3527
Raw Audit Messages
type=AVC msg=audit(1466067965.229:629): avc: denied { execute_no_trans } for pid=2376 comm="(amavisd)" path="/usr/sbin/amavisd" dev="dm-0" ino=17305787 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_exec_t:s0 tclass=file permissive=0
Hash: (amavisd),init_t,antivirus_exec_t,file,execute_no_trans
I get execute_no_trans denials in another custom service launched from systemd which worked just fine in F23. Is there a policy regression? The directive NoNewPrivileges=true in the service unit is causing this issue. As a workaround do: systemctl edit --full amavisd.service And remove the NoNewPrivileges line. I'm going to push an update with this change. amavisd-new-2.11.0-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-96c47aa82b amavisd-new-2.11.0-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-96c47aa82b amavisd-new-2.11.0-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report. |