Description of problem: On Fedora 24, amavisd-new will not start unless disable selinux Version-Release number of selected component (if applicable): amavisd-new-2.10.1-7.fc24.noarch How reproducible: always Steps to Reproduce: 1. systemctl start amavisd 2. sudo journalctl -xe 3. See selinux prevented writing on /var/spool/amavisd/db, and numerous other accesses required for amavisd to start Actual results: amavisd does not run unless selinux is disabled Expected results: amavisd should not be prevented from running by selinux policy Additional info: Please fix this before the final release.
amavisd-new does not deliver any SELinux policy. Reassigning to selinux-policy component.
SELinux is preventing (amavisd) from execute_no_trans access on the file /usr/sbin/amavisd. ***** Plugin catchall (100. confidence) suggests ************************** If cree que de manera predeterminada, (amavisd) debería permitir acceso execute_no_trans sobre amavisd file. Then debería reportar esto como un error. Puede generar un módulo de política local para permitir este acceso. Do allow this access for now by executing: # ausearch -c '(amavisd)' --raw | audit2allow -M my-amavisd # semodule -X 300 -i my-amavisd.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context system_u:object_r:antivirus_exec_t:s0 Target Objects /usr/sbin/amavisd [ file ] Source (amavisd) Source Path (amavisd) Port <Unknown> Host argon Source RPM Packages Target RPM Packages amavisd-new-2.10.1-7.fc24.noarch Policy RPM selinux-policy-3.13.1-190.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name argon Platform Linux argon 4.5.5-300.fc24.x86_64 #1 SMP Thu May 19 13:05:32 UTC 2016 x86_64 x86_64 Alert Count 10 First Seen 2016-06-16 10:26:00 CEST Last Seen 2016-06-16 11:06:05 CEST Local ID 15a5aba5-49c1-45f8-ace2-850bf58f3527 Raw Audit Messages type=AVC msg=audit(1466067965.229:629): avc: denied { execute_no_trans } for pid=2376 comm="(amavisd)" path="/usr/sbin/amavisd" dev="dm-0" ino=17305787 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_exec_t:s0 tclass=file permissive=0 Hash: (amavisd),init_t,antivirus_exec_t,file,execute_no_trans
I get execute_no_trans denials in another custom service launched from systemd which worked just fine in F23. Is there a policy regression?
The directive NoNewPrivileges=true in the service unit is causing this issue. As a workaround do: systemctl edit --full amavisd.service And remove the NoNewPrivileges line. I'm going to push an update with this change.
amavisd-new-2.11.0-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-96c47aa82b
amavisd-new-2.11.0-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-96c47aa82b
amavisd-new-2.11.0-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.