Bug 1474218

Summary: SELinux is preventing (tmpwatch) from execute_no_trans access on the file /usr/sbin/tmpwatch.
Product: [Fedora] Fedora
Reporter: Dick Marinus <dick>
Component: amavisd-new
Assignee: Juan Orti Alcaine <jorti>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 26
CC: jorti, perl-devel, steve, vanmeeuwen+fedora
Fixed In Version: amavisd-new-2.11.0-7.fc26
Last Closed: 2017-07-31 06:24:33 UTC
Type: Bug

Description Dick Marinus 2017-07-24 07:30:29 UTC
Raw Audit Messages
type=AVC msg=audit(1500839721.237:221753): avc:  denied  { execute_no_trans } for  pid=4712 comm="(tmpwatch)" path="/usr/sbin/tmpwatch" dev="sda3" ino=24769913 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpreaper_exec_t:s0 tclass=file permissive=0


Hash: (tmpwatch),init_t,tmpreaper_exec_t,file,execute_no_trans

audit2allow output:

module tmpwatch 1.0;

require {
	type tmpreaper_exec_t;
	type init_t;
	class file execute_no_trans;
}

#============= init_t ==============
allow init_t tmpreaper_exec_t:file execute_no_trans;
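
The following is an added example, not part of the original report or of any Fedora tooling: a small parser that turns the raw AVC record above into the fields behind the "Hash:" line and the generated allow rule, and notes what to review before loading such a module. The function names are hypothetical, and the Hash field order is inferred from the line shown in this report.

```python
import re

# The AVC record from the report, embedded so the example runs offline.
SAMPLE = ('type=AVC msg=audit(1500839721.237:221753): avc:  denied  { execute_no_trans } for  '
          'pid=4712 comm="(tmpwatch)" path="/usr/sbin/tmpwatch" dev="sda3" ino=24769913 '
          'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpreaper_exec_t:s0 '
          'tclass=file permissive=0')

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+(?P<verdict>denied|granted)'
    r'\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC record into a dict; raises ValueError on other record types."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["event"] = m.group("event")
    rec["verdict"] = m.group("verdict")
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; the level can contain ':' itself.
    rec["stype"] = rec["scontext"].split(":", 3)[2]
    rec["ttype"] = rec["tcontext"].split(":", 3)[2]
    return rec

def dedup_key(rec):
    """comm, source type, target type, class, perms: the order of the report's Hash line."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], *rec["perms"]])

def allow_rule(rec):
    """The type-enforcement rule that would silence this denial."""
    perms = rec["perms"]
    perm_set = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {perm_set};"

def review_notes(rec):
    """Points to check before loading a generated module for this denial."""
    notes = []
    if rec.get("permissive") == "0":
        notes.append("enforcing: the access was blocked, not just logged")
    if "execute_no_trans" in rec["perms"]:
        notes.append(f"{rec['path']} would run in {rec['stype']} with no domain transition")
    return notes

if __name__ == "__main__":
    rec = parse_avc(SAMPLE)
    print(dedup_key(rec), allow_rule(rec), *review_notes(rec), sep="\n")
```
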

Comment 1 Dick Marinus 2017-07-24 07:35:02 UTC
Oh, I think tmpwatch is called from amavisd-new.

Comment 2 Juan Orti Alcaine 2017-07-24 10:43:56 UTC
This is because of bug #1468846; basically, PrivateDevices=true is unusable in F26.

Please test this update:
https://bodhi.fedoraproject.org/updates/FEDORA-2017-7705a5aa55

Comment 3 Fedora Update System 2017-07-24 11:53:42 UTC
amavisd-new-2.11.0-7.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7705a5aa55

Comment 4 Fedora Update System 2017-07-31 06:24:33 UTC
amavisd-new-2.11.0-7.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.