| Summary: | SELinux is preventing postgrey from execute access on the file /usr/bin/perl | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Eduard Kohler <glandvador> |
| Component: | selinux-policy-targeted | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Ben Levenson <benl> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 28 | CC: | alan, amessina, dwalsh, jorti, lvrabec, nphilipp, redhat, uckelman |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-04-29 11:39:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
I can confirm this bug. Same problem here. postgrey daemon will not start via systemd. Worked in Fedora 23 before. Need info? Can I help somehow? Greets Jens

I can confirm this also affects F25.

Yes, this also affects F25.
SELinux is preventing postgrey from execute access on the file /usr/bin/perl.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that postgrey should be allowed execute access on the perl file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'postgrey' --raw | audit2allow -M my-postgrey
# semodule -X 300 -i my-postgrey.pp
Additional Information:
Source Context system_u:system_r:postgrey_t:s0
Target Context system_u:object_r:bin_t:s0
Target Objects /usr/bin/perl [ file ]
Source postgrey
Source Path postgrey
Port <Unknown>
Host argon
Source RPM Packages
Target RPM Packages perl-5.24.0-379.fc25.x86_64
Policy RPM selinux-policy-3.13.1-225.3.fc25.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name argon
Platform Linux argon 4.8.12-300.fc25.x86_64 #1 SMP Fri Dec
2 17:52:11 UTC 2016 x86_64 x86_64
Alert Count 17
First Seen 2016-12-14 09:36:15 CET
Last Seen 2016-12-14 09:46:37 CET
Local ID 25fcb7f9-fee3-4407-93b9-517fcebebc6a
Raw Audit Messages
type=AVC msg=audit(1481705197.392:21601): avc: denied { execute } for pid=23650 comm="postgrey" path="/usr/bin/perl" dev="dm-0" ino=8583290 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
Hash: postgrey,postgrey_t,bin_t,file,execute
Same here, ping?

selinux-policy-3.13.1-225.20.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-837f04c39a

selinux-policy-3.13.1-225.20.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-837f04c39a

selinux-policy-3.13.1-225.20.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

selinux-policy-3.13.1-225.22.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5d4f3635ee

selinux-policy-3.13.1-225.22.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5d4f3635ee

selinux-policy-3.13.1-225.22.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

I have encountered this bug again after upgrading F27->F28. Same cause, same fix.

# rpm -q selinux-policy
selinux-policy-3.14.2-54.fc29.noarch
# audit2allow -i avc
#============= postgrey_t ==============
#!!!! This avc is allowed in the current policy
allow postgrey_t bin_t:file execute;

It's fixed in F29
Description of problem:
SELinux is preventing postgrey from execute access on the file /usr/bin/perl.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that postgrey should be allowed execute access on the perl file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'postgrey' --raw | audit2allow -M my-postgrey
# semodule -X 300 -i my-postgrey.pp
Additional Information:
Source Context system_u:system_r:postgrey_t:s0
Target Context system_u:object_r:bin_t:s0
Target Objects /usr/bin/perl [ file ]
Source postgrey
Source Path postgrey
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages perl-5.22.2-362.fc24.x86_64
Policy RPM selinux-policy-3.13.1-191.19.fc24.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name some.example.net
Platform Linux some.example.net 4.8.4-200.fc24.x86_64 #1 SMP Tue Oct 25 13:06:04 UTC 2016 x86_64 x86_64
Alert Count 15
First Seen 2016-10-27 21:23:12 CEST
Last Seen 2016-10-27 21:23:10 CEST
Local ID 59de0ad0-ee95-4917-a65e-9af80c19879b
Raw Audit Messages
type=AVC msg=audit(1477596190.320:64): avc: denied { execute } for pid=443 comm="postgrey" path="/usr/bin/perl" dev="sda3" ino=398754 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
Hash: postgrey,postgrey_t,bin_t,file,execute
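Added example, not part of the bug report or of the SELinux tooling: a small Python parser that reduces the raw AVC records quoted in this report to the allow rule they imply, so the rule can be read and reviewed before a local module is built from it. The function names are illustrative, and the multi-permission form of the dedupe key is an assumption.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the reports on this page.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1481705197.392:21601): avc: denied { execute } for pid=23650 comm="postgrey" path="/usr/bin/perl" dev="dm-0" ino=8583290 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1477596190.320:64): avc: denied { execute } for pid=443 comm="postgrey" path="/usr/bin/perl" dev="sda3" ino=398754 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    try:
        # Context layout is user:role:type:level; the level may itself contain ':'.
        return {
            'comm': f['comm'],
            'path': f.get('path', ''),
            'source_type': f['scontext'].split(':')[2],
            'target_type': f['tcontext'].split(':')[2],
            'tclass': f['tclass'],
            'perms': m.group('perms').split(),
            'enforced': f.get('permissive') == '0',  # permissive=0: access was blocked
        }
    except (KeyError, IndexError):
        return None

def dedupe_key(rec):
    """Same shape as the report's 'Hash:' line: comm,source,target,class,perm."""
    return ','.join([rec['comm'], rec['source_type'], rec['target_type'],
                     rec['tclass'], *rec['perms']])

def allow_rules(lines):
    """Collapse denials into the allow rules they would require, for review."""
    grouped = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        grouped[(rec['source_type'], rec['target_type'], rec['tclass'])].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE_AVCS)))
```

Both records collapse to the single rule that `audit2allow -i avc` prints in the thread, which shows the two reports are the same denial rather than two separate policy gaps.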