Bug 1645667

Summary: mimedefang doesn't start after upgrading to f28
Product: [Fedora] Fedora Reporter: Morten Stevens <mstevens>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 28CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, redhat-bugzilla
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: selinux-policy-3.14.1-51.fc28 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-04 11:13:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Morten Stevens 2018-11-02 19:19:38 UTC
Description of problem:

MIMEDefang doesn't start after upgrading from F27 to F28.

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
1. dnf install mimedefang
2. systemctl start mimedefang

Actual results:

type=AVC msg=audit(1541184173.313:171): avc:  denied  { dac_override } for  pid=1003 comm="mimedefang-wrap" capability=1  scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=capability permissive=0

Expected results:

no avc denied error

Comment 1 Milos Malik 2018-11-02 20:00:30 UTC
The same problem appears on Fedora 29 too:
type=PROCTITLE msg=audit(11/02/2018 20:57:57.393:3093) : proctitle=/bin/sh /usr/libexec/mimedefang-wrapper configtest 
type=PATH msg=audit(11/02/2018 20:57:57.393:3093) : item=0 name=/var/spool/MIMEDefang/ inode=112829 dev=fc:02 mode=dir,750 ouid=defang ogid=defang rdev=00:00 obj=system_u:object_r:spamd_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(11/02/2018 20:57:57.393:3093) : cwd=/ 
type=SYSCALL msg=audit(11/02/2018 20:57:57.393:3093) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x5645e29a3090 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=1 ppid=8973 pid=8975 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=mimedefang-wrap exe=/usr/bin/bash subj=system_u:system_r:spamd_t:s0 key=(null) 
type=AVC msg=audit(11/02/2018 20:57:57.393:3093) : avc:  denied  { dac_override } for  pid=8975 comm=mimedefang-wrap capability=dac_override  scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:system_r:spamd_t:s0 tclass=capability permissive=0 

# rpm -qa selinux\* mime\* | sort

# ls -ld /var/spool/MIMEDefang/
drwxr-x---. 3 defang defang 20 Nov  2 20:57 /var/spool/MIMEDefang/
# ls -al /var/spool/MIMEDefang/
total 0
drwxr-x---.  3 defang defang  20 Nov  2 20:57 .
drwxr-xr-x. 13 root   root   164 Nov  2 20:57 ..
drwxr-x---.  2 defang defang  29 Nov  2 20:57 .razor

Comment 2 Morten Stevens 2019-01-04 15:17:09 UTC
Any news here?

Comment 3 Lukas Vrabec 2019-01-09 12:09:44 UTC
commit af97a96019b12369949d1f59cb40a5ca2b25073f (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Wed Jan 9 13:09:29 2019 +0100

    Add dac_override capability to spamd_t domain BZ(1645667)

Comment 4 Fedora Update System 2019-01-13 15:43:10 UTC
selinux-policy-3.14.1-51.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e8a902b473

Comment 5 Fedora Update System 2019-01-14 02:22:25 UTC
selinux-policy-3.14.1-51.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e8a902b473

Comment 6 Fedora Update System 2019-02-04 11:13:15 UTC
selinux-policy-3.14.1-51.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.