Bug 1383867
Summary: | SELinux is preventing pickup from 'read' accesses on the lnk_file log. | |
---|---|---|---
Product: | Fedora | Reporter: | Wolfgang Rupprecht <wolfgang.rupprecht>
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec>
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | medium | Docs Contact: |
Priority: | high | |
Version: | 25 | CC: | alanh, amessina, awilliam, brian, buhrt, cfergeau, crash70, dominick.grift, dwalsh, error, esm, e.vanberkum, evoke, fed15ora, fedora, glandvador, gustavo, jorti, lvrabec, markito3, mgrepl, michel, mjw, mkardeh, mrunge, mtessun, olysonek, pfrields, plautrba, pmoore, rjt, rvdwees, santiago, viorel.tabara, wolfgang.rupprecht
Target Milestone: | --- | Keywords: | CommonBugs
Target Release: | --- | |
Hardware: | x86_64 | |
OS: | Unspecified | |
Whiteboard: | abrt_hash:371c6e2d024d44d3bb297fac0a7786af79fcd6d12ff13d153aef806bc54eaaa5; VARIANT_ID=workstation; https://fedoraproject.org/wiki/Common_F25_bugs#postfix-log-avc | |
Fixed In Version: | selinux-policy-3.13.1-225.1.fc25 | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2016-12-08 18:22:47 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Wolfgang Rupprecht
2016-10-12 02:29:45 UTC
Could you add your output of the `# ls -dZ /run /run/log/` command? Thank you.

```
[root@tosca ~]# ls -dZ /run /run/log/
system_u:object_r:var_run_t:s0 /run
system_u:object_r:syslogd_var_run_t:s0 /run/log/
```

This is a system that has been upgraded many times via dnf and whatever the previously approved online upgrade was called. It is entirely possible some directory permissions were grandfathered from previous versions of Fedora.

Description of problem:
This just happened in the background while I was using the system as usual.

Version-Release number of selected component:
selinux-policy-3.13.1-220.fc25.noarch

Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.8.6-300.fc25.x86_64
type: libreport

Daemons or manual sending of mail via the Postfix MTA is causing this issue. Having the issue since upgrading to Fedora 25. I can reproduce this multiple times.

```
SELinux is preventing pickup from read access on the lnk_file log.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that pickup should be allowed read access on the log lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'pickup' --raw | audit2allow -M my-pickup
# semodule -X 300 -i my-pickup.pp

Additional Information:
Source Context                system_u:system_r:postfix_pickup_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                log [ lnk_file ]
Source                        pickup
Source Path                   pickup
Port                          <Unknown>
Host                          ***********
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-224.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     **********
Platform                      Linux ********* 4.8.8-300.fc25.x86_64 #1 SMP Tue Nov 15 18:10:06 UTC 2016 x86_64 x86_64
Alert Count                   20
First Seen                    2016-11-23 08:31:29 CET
Last Seen                     2016-11-24 09:03:34 CET
Local ID                      1e404c6c-9298-4a2b-9061-d65ebe8a65d4

Raw Audit Messages
type=AVC msg=audit(1479974614.521:228): avc: denied { read } for pid=1247 comm="pickup" name="log" dev="tmpfs" ino=23942 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0

Hash: pickup,postfix_pickup_t,tmpfs_t,lnk_file,read
```

```
ls -dZ /run /run/log/
system_u:object_r:var_run_t:s0 /run
system_u:object_r:syslogd_var_run_t:s0 /run/log/
```

I think this may affect many people running postfix on F25, so marking as CommonBugs. Could we get a fix, Lukas? Thanks.

Yes, we can fix it. But I need to know the reproducer and the path of the "log" lnk_file.

Is there something I could do to help on this? If so, how? Happy to help.

I did a strace on a mail command which generates this SELinux notification, but I don't see anything leading to lnk_file. Except this part:

```
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 8
connect(8, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = -1 EACCES (Permission denied)
```

Ed,
Please run:
# ls -Z /dev/log
Thanks.

```
system_u:object_r:devlog_t:s0 /dev/log
```

Do we have any reproducer?
Description of problem:
sealert appeared after upgrading Fedora 24 to 25

Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.8.8-300.fc25.x86_64
type: libreport

I have the same ls -Z output.

(In reply to Ronald Verbeek from comment #11)
> Description of problem:
> sealert appeared after upgrading fedora 24 to 25
>
>
> Additional info:
> reporter: libreport-2.8.0
> hashmarkername: setroubleshoot
> kernel: 4.8.8-300.fc25.x86_64
> type: libreport

Lukas, I can reproduce it with any application able to send mail through local postfix. Saw it yesterday after upgrading F24 to F25; thought it was an accident after the upgrade, but noticed it this morning again, a notification created overnight caused by Logwatch. Reproducible on the CLI:

```
echo "Test" | mail -s "Test" a
```

*** Bug 1380883 has been marked as a duplicate of this bug. ***

*** Bug 1383905 has been marked as a duplicate of this bug. ***

*** Bug 1378121 has been marked as a duplicate of this bug. ***

I get a ton of these just from booting up and running my mail server box:

```
[root@mail /]# journalctl -b | grep AVC | head -25
Nov 24 12:35:46 mail.happyassassin.net audit[641]: AVC avc: denied { read } for pid=641 comm="newaliases" name="log" dev="tmpfs" ino=15106 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[641]: AVC avc: denied { read } for pid=641 comm="newaliases" name="log" dev="tmpfs" ino=15106 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[641]: AVC avc: denied { read } for pid=641 comm="postalias" name="log" dev="tmpfs" ino=15106 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[641]: AVC avc: denied { read } for pid=641 comm="postalias" name="log" dev="tmpfs" ino=15106 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[647]: AVC avc: denied { read } for pid=647 comm="postfix" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[647]: AVC avc: denied { read } for pid=647 comm="postfix" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[647]: AVC avc: denied { read } for pid=647 comm="postfix" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[647]: AVC avc: denied { read } for pid=647 comm="postfix" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[653]: AVC avc: denied { read } for pid=653 comm="master" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[687]: AVC avc: denied { read } for pid=687 comm="postsuper" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[687]: AVC avc: denied { read } for pid=687 comm="postsuper" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[712]: AVC avc: denied { read } for pid=712 comm="postlog" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[712]: AVC avc: denied { read } for pid=712 comm="postlog" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[712]: AVC avc: denied { read } for pid=712 comm="postlog" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[713]: AVC avc: denied { read } for pid=713 comm="master" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[714]: AVC avc: denied { read } for pid=714 comm="master" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[717]: AVC avc: denied { read } for pid=717 comm="qmgr" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[716]: AVC avc: denied { read } for pid=716 comm="pickup" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:47 mail.happyassassin.net audit[463]: AVC avc: denied { write } for pid=463 comm="spamd" name="/" dev="vda3" ino=2 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
Nov 24 12:35:53 mail.happyassassin.net audit[755]: AVC avc: denied { read } for pid=755 comm="smtpd" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:53 mail.happyassassin.net audit[756]: AVC avc: denied { read } for pid=756 comm="proxymap" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:53 mail.happyassassin.net audit[757]: AVC avc: denied { read } for pid=757 comm="tlsmgr" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:53 mail.happyassassin.net audit[755]: AVC avc: denied { read } for pid=755 comm="smtpd" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:53 mail.happyassassin.net audit[758]: AVC avc: denied { read } for pid=758 comm="anvil" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:53 mail.happyassassin.net audit[755]: AVC avc: denied { read } for pid=755 comm="smtpd" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
```

and they continue:

```
[root@mail /]# journalctl -b | grep AVC | wc -l
222
(a few seconds later)
[root@mail /]# journalctl -b | grep AVC | wc -l
234
```

/run/initramfs/log is called 'log' and is tmpfs_t, but I'm not sure why it'd need to touch that.

Description of problem:
After upgrading to fed25 postfix seems to have some selinux issues in accessing its logfiles. This one is just representative for one postfix process, but postfix, qmgr, local, etc. have the very same selinux alert.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.8.8-300.fc25.x86_64
type: libreport

Yes, it's definitely /dev/log. Something's happened to the policy for the Postfix modules. Running the modules from the command line doesn't catch it since they're running unconfined rather than in the Postfix contexts. I caught this using strace on the "local" Postfix process:

```
2640 connect(6, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = -1 EACCES (Permission denied)
```

And got a corresponding avc:

```
SELinux is preventing local from read access on the lnk_file log.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that local should be allowed read access on the log lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'local' --raw | audit2allow -M my-local
# semodule -X 300 -i my-local.pp

Additional Information:
Source Context                system_u:system_r:postfix_local_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                log [ lnk_file ]
Source                        local
Source Path                   local
Port                          <Unknown>
Host                          ---.com
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-224.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ---.com
Platform                      Linux ---.com 4.8.8-300.fc25.x86_64 #1 SMP Tue Nov 15 18:10:06 UTC 2016 x86_64 x86_64
Alert Count                   5
First Seen                    2016-11-26 14:46:52 MST
Last Seen                     2016-11-26 15:07:01 MST
Local ID                      1c4b1eb5-6151-4db2-b4a2-3f331ea26126

Raw Audit Messages
type=AVC msg=audit(1480198021.599:386): avc: denied { read } for pid=2586 comm="local" name="log" dev="tmpfs" ino=76925 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0

Hash: local,postfix_local_t,tmpfs_t,lnk_file,read
```

(In reply to Lukas Vrabec from comment #8)
> Ed,
> Please run:
> # ls -Z /dev/log
>
> Thanks.

```
~]# ls -lZ /dev/log
lrwxrwxrwx. 1 root root system_u:object_r:devlog_t:s0 28 Nov 26 09:40 /dev/log -> /run/systemd/journal/dev-log
```

I can confirm this issue on a freshly installed Fedora 25 system (no upgrade).

Steps to reproduce:
1. install Fedora from scratch
2. install postfix
3. setup basic config
4. systemctl start postfix.service

Actual results:
audit log fills up with read denied AVC messages.

Expected results:
no AVC messages

The used main.cf works on a Fedora 23 system without any issues.

The AVCs are for multiple processes, i.e. newaliases/postalias/postfix/master/postsuper/postlog/pickup/pmgr. 2 different inodes are reported. Shared attributes are: name=log dev=tmpfs tclass=lnk_file

PS: The `systemctl start postfix.service` doesn't fail, though. And on `systemctl stop postfix.service` similar read denied (name=log) AVCs are generated.

When stracing the postfix master process during shutdown this happens:

```
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 20
connect(20, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = -1 EACCES (Permission denied)
close(20)
```

In contrast, in permissive mode (i.e. `setenforce 0`) strace logs:

```
sendto(3, "<22>Nov 27 19:13:38 postfix/mast"..., 67, MSG_NOSIGNAL, NULL, 0) = 67
```

And indeed, in permissive mode some postfix messages make it to the journal during start/stop - unlike enforcing mode, where no postfix messages show up.

```
~ # ls -Zl /dev/log
lrwxrwxrwx. 1 root root system_u:object_r:devlog_t:s0 28 2016-11-27 00:00 /dev/log -> /run/systemd/journal/dev-log
~ # ls -Zl /run/systemd/journal/dev-log
srw-rw-rw-. 1 root root system_u:object_r:devlog_t:s0 0 2016-11-27 00:00 /run/systemd/journal/dev-log
```

Description of problem:
Updated from F24 to F25 and this is the security error I get even after remarking all objects on a reboot.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.8.8-300.fc25.x86_64
type: libreport

bug #1398007, bug #1395018, bug #1386929 and bug #1386928 are probably all duplicates of this one (or this one is a duplicate of any of those bugs).

I cannot find any link file labeled as tmpfs_t. But postfix looks fine; do you see any issues in enforcing mode? I can always dontaudit it.

olysonek, do you know what is happening here? Postfix tries to read the "log" lnk_file.

lvrabec: uh, Georg seems to have nailed things down quite precisely in #c22, and even pointed out the concrete consequence of the problem: "And indeed, in permissive mode some postfix messages make it to the journal during start/stop - unlike enforcing mode, where no postfix messages show up."

Nevermind comment #20 ;)

Lukas, isn't it that /dev/log is symlinked to /run/systemd/journal/dev-log (which is on tmpfs)?

```
~]# ls -lZ /dev/log
lrwxrwxrwx. 1 root root system_u:object_r:devlog_t:s0 28 Nov 26 09:40 /dev/log -> /run/systemd/journal/dev-log
```

Okay, we have a fix for this issue. The postfix service file creates its own mount namespace. This means that /dev is labeled as tmpfs_t in the namespace. Adding the following transition:

```
type_transition init_t tmpfs_t : lnk_file devlog_t "log";
```

fixes the issue. Moving to POST state; the update will be available ASAP.

*** Bug 1395018 has been marked as a duplicate of this bug. ***

*** Bug 1386929 has been marked as a duplicate of this bug. ***

*** Bug 1386928 has been marked as a duplicate of this bug. ***

selinux-policy-3.13.1-225.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-9d027c3768

Description of problem:
Not really sure what caused this.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.8.8-300.fc25.x86_64
type: libreport

selinux-policy-3.13.1-225.fc25 fixes the postfix warnings I was seeing.

Description of problem:
systemctl start postfix produces several SELinux alerts:

```
Dec 1 15:21:05 eagle systemd: Starting Postfix Mail Transport Agent...
Dec 1 15:21:05 eagle audit: AVC avc: denied { read } for pid=7173 comm="postfix" name="log" dev="tmpfs" ino=234068 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Dec 1 15:21:05 eagle audit: AVC avc: denied { read } for pid=7179 comm="master" name="log" dev="tmpfs" ino=234068 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Dec 1 15:21:05 eagle audit: AVC avc: denied { read } for pid=7213 comm="postsuper" name="log" dev="tmpfs" ino=234068 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Dec 1 15:21:05 eagle audit: AVC avc: denied { read } for pid=7213 comm="postsuper" name="log" dev="tmpfs" ino=234068 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Dec 1 15:21:06 eagle audit: AVC avc: denied { read } for pid=7238 comm="postlog" name="log" dev="tmpfs" ino=234068 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Dec 1 15:21:06 eagle audit: AVC avc: denied { read } for pid=7238 comm="postlog" name="log" dev="tmpfs" ino=234068 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Dec 1 15:21:06 eagle audit: AVC avc: denied { read } for pid=7238 comm="postlog" name="log" dev="tmpfs" ino=234068 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Dec 1 15:21:06 eagle audit: AVC avc: denied { read } for pid=7239 comm="master" name="log" dev="tmpfs" ino=234068 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Dec 1 15:21:06 eagle audit: AVC avc: denied { read } for pid=7240 comm="master" name="log" dev="tmpfs" ino=234068 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Dec 1 15:21:06 eagle systemd: Started Postfix Mail Transport Agent.
```

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.8.10-300.fc25.x86_64
type: libreport

(In reply to W Agtail from comment #35)
> Description of problem:
> systemctl start postfix produces several SELinux alerts:
> [...]
>
> Version-Release number of selected component:
> selinux-policy-3.13.1-224.fc25.noarch

You should upgrade to the latest in testing. See above comments.

(In reply to Viorel Tabara from comment #36)
> (In reply to W Agtail from comment #35)
> > Description of problem:
> > systemctl start postfix produces several SELinux alerts:
> > [...]
> >
> > Version-Release number of selected component:
> > selinux-policy-3.13.1-224.fc25.noarch
>
> You should upgrade to the latest in testing. See above comments.

I don't see this in testing, even as of right now.
https://muug.ca/mirror/fedora/linux/updates/testing/25/x86_64/s/

(In reply to Brian J. Murrell from comment #37)
> I don't see this in testing, even as of right now.

All mirrors will get updated, eventually. Follow the Bodhi link in c#32 and download RPMs manually from Koji:

```
omiday ~ $ koji search rpm "selinux*225.fc25*"
selinux-policy-3.13.1-225.fc25.src.rpm
selinux-policy-3.13.1-225.fc25.noarch.rpm
selinux-policy-devel-3.13.1-225.fc25.noarch.rpm
selinux-policy-doc-3.13.1-225.fc25.noarch.rpm
selinux-policy-minimum-3.13.1-225.fc25.noarch.rpm
selinux-policy-mls-3.13.1-225.fc25.noarch.rpm
selinux-policy-sandbox-3.13.1-225.fc25.noarch.rpm
selinux-policy-targeted-3.13.1-225.fc25.noarch.rpm
```

selinux-policy-3.13.1-225.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9d027c3768

Description of problem:
Upgraded from F24 to F25

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.8.10-300.fc25.x86_64
type: libreport

selinux-policy-3.13.1-225.1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e3864b8972

Description of problem:
Started postfix.
sudo systemctl start postfix

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.8.10-300.fc25.x86_64
type: libreport

Description of problem:
Looks like a policy for some postfix functionality is missing in F25.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter: libreport-2.8.0
hashmarkername: setroubleshoot
kernel: 4.8.10-300.fc25.x86_64
type: libreport

selinux-policy-3.13.1-225.1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e3864b8972

I can confirm the bug has been fixed in selinux-policy-3.13.1-225.1.fc25 and I do have proper output in my journalctl for postfix again! I have downloaded the files with koji-util (package) since it wasn't on the mirrors for me yet, and did a local dnf update of my selinux-policy-3.13.1-225.1.fc25 and selinux-policy-targeted-3.13.1-225.1.fc25 rpm's. (I have to note, on my first try I had some problems, and my system wasn't able to boot properly after updating these packages! (it hung on the targeted policies during), I disabled selinux in /etc/selinux/config, rebooted again, booted up fine, did a rollback to the older packages, set it to Enforcing selinux again, rebooted (causing a relabel since I set it to Enforcing), updated the same packages again, rebooted and all was fine!) Can't reproduce this again since my second try was fine.... the package fixes the problem.

+1 it fixes the problem.

Ed, please remember to leave feedback and karma in bodhi as described in comment 44. That's where it really counts, as that's used to actually decide whether to push the update.

selinux-policy-3.13.1-225.1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

```
SELinux is preventing pickup from read access on the lnk_file log.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that pickup should be allowed read access on the log lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'pickup' --raw | audit2allow -M my-pickup
# semodule -X 300 -i my-pickup.pp

Additional Information:
Source Context                system_u:system_r:postfix_pickup_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                log [ lnk_file ]
Source                        pickup
Source Path                   pickup
Port                          <Unknown>
Host                          pc.interlinx.bc.ca
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-225.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     pc.interlinx.bc.ca
Platform                      Linux pc.interlinx.bc.ca 4.8.8-300.fc25.x86_64 #1 SMP Tue Nov 15 18:10:06 UTC 2016 x86_64 x86_64
Alert Count                   217
First Seen                    2016-11-30 14:33:04 EST
Last Seen                     2016-12-09 07:11:23 EST
Local ID                      c06a8cc0-0b20-466b-9283-54a7043946de

Raw Audit Messages
type=AVC msg=audit(1481285483.653:10495): avc: denied { read } for pid=6778 comm="pickup" name="log" dev="tmpfs" ino=27301 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0

Hash: pickup,postfix_pickup_t,tmpfs_t,lnk_file,read
```

Notice the selinux-policy version above.

*** Bug 1406352 has been marked as a duplicate of this bug. ***
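The triage done by hand in this thread (Adam's `journalctl -b | grep AVC` dump, Georg's "shared attributes" summary in comment 22) can be automated. The following Python is an added example written for this page, not code from the bug report or from selinux-policy; it parses AVC records in both the journalctl and raw-audit shapes quoted above, groups them by the (source type, target type, class, permission) tuple the policy decides on, and flags the /dev/log-symlink signature this bug settled on. The sample log lines are constructed in the shape of the reports, with a made-up hostname, pids and inodes.

```python
"""Group SELinux AVC denials the way this bug's reporters did by hand."""
import re
from collections import defaultdict

# Constructed sample in the shape quoted in the bug: hostname, pids and
# inodes are made up; the contexts and field layout match the reports.
SAMPLE_LOG = """\
Nov 24 12:35:46 mail.example.net audit[641]: AVC avc: denied { read } for pid=641 comm="newaliases" name="log" dev="tmpfs" ino=15106 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.example.net audit[647]: AVC avc: denied { read } for pid=647 comm="postfix" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.example.net audit[716]: AVC avc: denied { read } for pid=716 comm="pickup" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1479974614.521:228): avc: denied { read } for pid=1247 comm="pickup" name="log" dev="tmpfs" ino=23942 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:47 mail.example.net audit[463]: AVC avc: denied { write } for pid=463 comm="spamd" name="/" dev="vda3" ino=2 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
"""

# "avc: denied { read } for pid=... comm=..." appears in both journalctl
# ("audit[641]: AVC avc: ...") and raw audit ("type=AVC msg=audit(...): avc: ...").
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
# key=value pairs; values are either double-quoted or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict of AVC fields for one log line, or None if it is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": tuple(m.group("perms").split())}
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = bare if bare else quoted
    return rec


def type_of(context):
    """Third field of user:role:type:level, e.g. postfix_pickup_t."""
    return context.split(":")[2]


def group_denials(lines):
    """Map (source type, target type, class, perms) -> list of records."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_avc, lines)):
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]),
               rec["tclass"], " ".join(rec["perms"]))
        groups[key].append(rec)
    return dict(groups)


def shared_attributes(records):
    """Fields carrying the same value in every record (Georg's 'shared attributes')."""
    if not records:
        return {}
    first = records[0]
    return {k: v for k, v in first.items() if all(r.get(k) == v for r in records[1:])}


def is_devlog_symlink_denial(rec):
    """Signature this bug settled on: 'read' denied on a lnk_file named 'log' on
    tmpfs labelled tmpfs_t, i.e. the /dev/log symlink as seen inside the
    service's private mount namespace before the type_transition fix."""
    return (rec.get("tclass") == "lnk_file" and rec.get("name") == "log"
            and rec.get("dev") == "tmpfs"
            and type_of(rec.get("tcontext", "u:r:unknown_t")) == "tmpfs_t"
            and "read" in rec["perms"])


def report(lines):
    """Summary a triager would paste into the bug: counts per group, shared fields
    and distinct inodes of the matching denials, and whether they were enforced."""
    groups = group_denials(lines)
    matching = [r for recs in groups.values() for r in recs if is_devlog_symlink_denial(r)]
    return {
        "groups": {key: len(recs) for key, recs in groups.items()},
        "devlog_denials": len(matching),
        "shared": shared_attributes(matching),
        "inodes": sorted({r["ino"] for r in matching}),
        "enforced": all(r.get("permissive") == "0" for r in matching),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

Feed it `journalctl -b | grep AVC` output instead of the sample and the "shared" dict reproduces the name/dev/tclass triple Georg listed, while the distinct source types in "groups" show which Postfix domains are affected.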