Bug 1358805
| Summary: | SELinux is preventing (amavisd) from mounton access on the directory /etc | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Anthony Messina <amessina> |
| Component: | selinux-policy-targeted | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 24 | CC: | alanh, dwalsh, edgar.hoch, lvrabec, matt |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-08-16 16:26:51 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Same thing for me on a fresh install of Fedora 24.
After trying to "systemctl start amavisd.service", the following avc denials get logged:
type=AVC msg=audit(1469391217.586:189): avc: denied { mounton } for pid=857 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469391220.034:194): avc: denied { mounton } for pid=871 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469391222.051:199): avc: denied { mounton } for pid=889 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469391224.036:203): avc: denied { mounton } for pid=904 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469391226.293:208): avc: denied { mounton } for pid=915 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469391228.036:212): avc: denied { mounton } for pid=930 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469391230.031:217): avc: denied { mounton } for pid=941 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392828.600:130): avc: denied { mounton } for pid=660 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392831.599:135): avc: denied { mounton } for pid=694 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392834.076:141): avc: denied { mounton } for pid=717 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392836.596:146): avc: denied { mounton } for pid=736 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392838.814:152): avc: denied { mounton } for pid=754 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392840.897:158): avc: denied { mounton } for pid=770 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392842.967:164): avc: denied { mounton } for pid=787 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392845.059:170): avc: denied { mounton } for pid=806 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392847.318:175): avc: denied { mounton } for pid=827 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Looks like it's missing a rule to transition from init_t to antivirus_t. Amavisd ends up running as init_t. If I run in permissive mode:

system_u:system_r:init_t:s0 amavis 1920 1 0 11:28 ? 00:00:01 /usr/sbin/amavisd (master)
system_u:system_r:init_t:s0 amavis 1921 1920 0 11:28 ? 00:00:04 /usr/sbin/amavisd (ch15-avail)
system_u:system_r:init_t:s0 amavis 1922 1920 0 11:28 ? 00:00:04 /usr/sbin/amavisd (ch17-avail)

I'm afraid I'm still seeing it with selinux-policy-targeted-3.13.1-191.10.fc24.noarch. amavisd is still not transitioning from init_t to antivirus_t. This is running in permissive mode:
type=SELINUX_ERR msg=audit(1471403360.719:9671): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:antivirus_t:s0
type=AVC msg=audit(1471403360.719:9672): avc: denied { execute_no_trans } for pid=10298 comm="(amavisd)" path="/usr/sbin/amavisd" dev="xvda1" ino=14629 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1471403360.721:9673): avc: denied { ioctl } for pid=10298 comm="amavisd" path="/usr/sbin/amavisd" dev="xvda1" ino=14629 ioctlcmd=5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1471403361.676:9674): avc: denied { create } for pid=10300 comm="/usr/sbin/amavi" name="amavisd.pid" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1471403361.676:9675): avc: denied { write } for pid=10300 comm="/usr/sbin/amavi" path="/run/amavisd/amavisd.pid" dev="tmpfs" ino=225714 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_var_run_t:s0 tclass=file permissive=1
Just FYI, the issue was a custom unit file in /etc/systemd/system. Resetting the context on it didn't work, but copying the new unit file from /usr/lib/systemd/system and re-customizing it did. I'm not sure exactly what was wrong with the old file to prevent the transition (it was from F23).
Starting Clean amavisd quarantine folder...
Starting Clean amavisd tmp folder...
AVC avc: denied { mounton } for pid=16123 comm="(tmpwatch)" path="/etc" dev="md1" ino=57915649 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
AVC avc: denied { mounton } for pid=16122 comm="(tmpwatch)" path="/etc" dev="md1" ino=57915649 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Started Clean amavisd quarantine folder.
SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=amavisd-clean-quarantine comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=amavisd-clean-quarantine comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Started Clean amavisd tmp folder.
SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=amavisd-clean-tmp comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=amavisd-clean-tmp comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
SELinux is preventing (amavisd) from mounton access on the directory /etc. For complete SELinux messages run: sealert -l 194bfe9e-4e87-41c2-91eb-954506ff9865
SELinux is preventing (amavisd) from mounton access on the directory /etc.
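The script below is an added example, not code from this bug report, from selinux-policy or from amavisd. It does for the records quoted in this thread what a policy maintainer does by hand: it parses the three record shapes seen above (raw audit.log `type=AVC` lines, the journal's `AVC avc:` form and the `type=SELINUX_ERR ... op=security_bounded_transition` record), collapses repeats into one (source type, target type, class) tuple with merged permissions the way audit2allow does, and attaches a reading to each tuple. `SAMPLE_LOG` is constructed from the records in this bug; the readings are the author's heuristics, built on three facts: a comm shown in parentheses such as `(amavisd)` is systemd's forked child before it execs the service binary, so a `mounton` denial from it is the unit's mount namespace (ProtectSystem=, ReadOnlyPaths= and friends) being set up and is a policy gap for init_t; `execute_no_trans` from init_t on an `*_exec_t` file means the domain transition did not happen and must be fixed rather than allowed; and the bounded-transition error is what the kernel logs when a default transition is attempted with no_new_privs set or from a nosuid mount and the target domain is not a typebounds child of the source, after which it runs the binary in the caller's domain, which is exactly the sequence in the permissive-mode log above.

```python
"""Triage of SELinux records of the kind quoted in this bug (added example,
not part of the report, selinux-policy or amavisd): collapse repeated
denials into (source type, target type, class) tuples like audit2allow and
attach the reading a policy maintainer would give each one."""
import re
from collections import OrderedDict

# Constructed sample input, copied in shape from the records in this bug.
SAMPLE_LOG = """\
type=AVC msg=audit(1469391217.586:189): avc: denied { mounton } for pid=857 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469391220.034:194): avc: denied { mounton } for pid=871 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
AVC avc: denied { mounton } for pid=16123 comm="(tmpwatch)" path="/etc" dev="md1" ino=57915649 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SELINUX_ERR msg=audit(1471403360.719:9671): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:antivirus_t:s0
type=AVC msg=audit(1471403360.719:9672): avc: denied { execute_no_trans } for pid=10298 comm="(amavisd)" path="/usr/sbin/amavisd" dev="xvda1" ino=14629 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1471403360.721:9673): avc: denied { ioctl } for pid=10298 comm="amavisd" path="/usr/sbin/amavisd" dev="xvda1" ino=14629 ioctlcmd=5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1471403361.676:9674): avc: denied { create } for pid=10300 comm="/usr/sbin/amavi" name="amavisd.pid" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1471403361.676:9675): avc: denied { write } for pid=10300 comm="/usr/sbin/amavi" path="/run/amavisd/amavisd.pid" dev="tmpfs" ino=225714 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_var_run_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
BOUNDED_RE = re.compile(r'op=security_bounded_transition\s+seresult=denied\s+'
                        r'oldcontext=(?P<old>\S+)\s+newcontext=(?P<new>\S+)')


def _type_of(context):
    """Type field of a user:role:type[:range] security context."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else ''


def parse_record(line):
    """One audit line -> dict, or None for lines that are not AVC/SELINUX_ERR records."""
    m = BOUNDED_RE.search(line)
    if m:
        return {'kind': 'bounded_transition', 'stype': _type_of(m.group('old')),
                'ttype': _type_of(m.group('new')), 'tclass': '', 'comm': '', 'perms': set()}
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {'kind': 'avc', 'perms': set(m.group('perms').split()),
            'comm': f.get('comm', ''), 'tclass': f.get('tclass', ''),
            'stype': _type_of(f.get('scontext', '')), 'ttype': _type_of(f.get('tcontext', ''))}


def allow_rule(stype, ttype, tclass, perms):
    """The TE rule audit2allow would print for this tuple."""
    p = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (stype, ttype, tclass, p)


def diagnose(kind, stype, ttype, tclass, perms):
    """Return (reading, rule-or-None) for one collapsed tuple (author's heuristics)."""
    if kind == 'bounded_transition':
        # Logged when a default transition is attempted under no_new_privs or
        # from a nosuid mount and ttype is not bounded by stype; the kernel then
        # execs the binary in the caller's domain instead of failing the exec.
        return ('transition %s -> %s refused (no_new_privs or nosuid exec, %s not bounded '
                'by %s); check the unit for NoNewPrivileges= or options that imply it'
                % (stype, ttype, ttype, stype), None)
    if stype == 'init_t' and 'execute_no_trans' in perms and ttype.endswith('_exec_t'):
        # A symptom, not the bug: allowing it would pin the service in init_t.
        return ('service stayed in init_t: the domain transition keyed on %s did not '
                'happen; do not allow this, fix the transition' % ttype, None)
    rule = allow_rule(stype, ttype, tclass, perms)
    if stype == 'init_t' and 'mounton' in perms and tclass == 'dir':
        # "(name)" comm = systemd's forked child before exec, building the
        # unit's mount namespace (ProtectSystem=, ReadOnlyPaths=, ...).
        return ("systemd's pre-exec child building the unit's mount namespace; "
                'policy needs: ' + rule, rule)
    return ('candidate local-policy rule: ' + rule, rule)


def triage(log_text):
    """Collapse records into unique tuples with count, comms, perms and a diagnosis."""
    groups = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec['kind'], rec['stype'], rec['ttype'], rec['tclass'])
        g = groups.setdefault(key, {'count': 0, 'comms': set(), 'perms': set()})
        g['count'] += 1
        if rec['comm']:
            g['comms'].add(rec['comm'])
        g['perms'] |= rec['perms']
    out = []
    for key, g in groups.items():
        perms = tuple(sorted(g['perms']))
        reading, rule = diagnose(*key, perms)
        out.append({'key': key, 'count': g['count'], 'comms': sorted(g['comms']),
                    'perms': perms, 'diagnosis': reading, 'rule': rule})
    return out


if __name__ == '__main__':
    for item in triage(SAMPLE_LOG):
        print('%2dx %-48s %s' % (item['count'], ' '.join(item['key']), item['diagnosis']))
```

Feeding it the output of `ausearch -m AVC,SELINUX_ERR -ts recent` instead of `SAMPLE_LOG` gives the same collapsed view for a live host. The distinction the script makes between the `mounton` tuple (a rule init_t genuinely needs) and the `execute_no_trans` tuple (never to be allowed) is the point: audit2allow would happily emit `allow init_t antivirus_exec_t:file { execute_no_trans ioctl };`, which would make the denials disappear while leaving amavisd unconfined in init_t. On kernels from 4.14 onwards with the `nnp_nosuid_transition` policy capability, a transition under no_new_privs can instead be granted explicitly with `process2 { nnp_transition nosuid_transition }`; on the Fedora 24 kernel in this report the only options were a bounded target domain or not setting no_new_privs on the unit.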