Bug 1358805 - SELinux is preventing (amavisd) from mounton access on the directory /etc
Summary: SELinux is preventing (amavisd) from mounton access on the directory /etc
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 24
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-21 14:01 UTC by Anthony Messina
Modified: 2016-08-24 16:25 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-16 16:26:51 UTC
Type: Bug
Embargoed:



Description Anthony Messina 2016-07-21 14:01:45 UTC
Starting Clean amavisd quarantine folder...
Starting Clean amavisd tmp folder...

AVC avc:  denied  { mounton } for  pid=16123 comm="(tmpwatch)" path="/etc" dev="md1" ino=57915649 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
AVC avc:  denied  { mounton } for  pid=16122 comm="(tmpwatch)" path="/etc" dev="md1" ino=57915649 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0

Started Clean amavisd quarantine folder.
SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=amavisd-clean-quarantine comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=amavisd-clean-quarantine comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Started Clean amavisd tmp folder.
SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=amavisd-clean-tmp comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=amavisd-clean-tmp comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

SELinux is preventing (amavisd) from mounton access on the directory /etc. For complete SELinux messages, run sealert -l 194bfe9e-4e87-41c2-91eb-954506ff9865
SELinux is preventing (amavisd) from mounton access on the directory /etc.

Comment 1 Matt Kinni 2016-07-24 20:42:33 UTC
Same thing for me on a fresh install of Fedora 24.

After trying to "systemctl start amavisd.service", the following avc denials get logged:

type=AVC msg=audit(1469391217.586:189): avc:  denied  { mounton } for  pid=857 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469391220.034:194): avc:  denied  { mounton } for  pid=871 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469391222.051:199): avc:  denied  { mounton } for  pid=889 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469391224.036:203): avc:  denied  { mounton } for  pid=904 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469391226.293:208): avc:  denied  { mounton } for  pid=915 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469391228.036:212): avc:  denied  { mounton } for  pid=930 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469391230.031:217): avc:  denied  { mounton } for  pid=941 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392828.600:130): avc:  denied  { mounton } for  pid=660 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392831.599:135): avc:  denied  { mounton } for  pid=694 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392834.076:141): avc:  denied  { mounton } for  pid=717 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392836.596:146): avc:  denied  { mounton } for  pid=736 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392838.814:152): avc:  denied  { mounton } for  pid=754 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392840.897:158): avc:  denied  { mounton } for  pid=770 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392842.967:164): avc:  denied  { mounton } for  pid=787 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392845.059:170): avc:  denied  { mounton } for  pid=806 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392847.318:175): avc:  denied  { mounton } for  pid=827 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0

Comment 2 Alan Hamilton 2016-08-05 18:56:23 UTC
Looks like it's missing a rule to transition from init_t to antivirus_t. Amavisd ends up running as init_t. If I run in permissive mode:

system_u:system_r:init_t:s0     amavis    1920     1  0 11:28 ?        00:00:01 /usr/sbin/amavisd (master)
system_u:system_r:init_t:s0     amavis    1921  1920  0 11:28 ?        00:00:04 /usr/sbin/amavisd (ch15-avail)
system_u:system_r:init_t:s0     amavis    1922  1920  0 11:28 ?        00:00:04 /usr/sbin/amavisd (ch17-avail)

Comment 3 Alan Hamilton 2016-08-17 03:17:43 UTC
I'm afraid I'm still seeing it with selinux-policy-targeted-3.13.1-191.10.fc24.noarch. amavisd is still not transitioning from init_t to antivirus_t. This is running in permissive mode:

type=SELINUX_ERR msg=audit(1471403360.719:9671): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:antivirus_t:s0
type=AVC msg=audit(1471403360.719:9672): avc:  denied  { execute_no_trans } for  pid=10298 comm="(amavisd)" path="/usr/sbin/amavisd" dev="xvda1" ino=14629 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1471403360.721:9673): avc:  denied  { ioctl } for  pid=10298 comm="amavisd" path="/usr/sbin/amavisd" dev="xvda1" ino=14629 ioctlcmd=5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1471403361.676:9674): avc:  denied  { create } for  pid=10300 comm="/usr/sbin/amavi" name="amavisd.pid" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1471403361.676:9675): avc:  denied  { write } for  pid=10300 comm="/usr/sbin/amavi" path="/run/amavisd/amavisd.pid" dev="tmpfs" ino=225714 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_var_run_t:s0 tclass=file permissive=1
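
Added worked example (editor's code, not from the bug report, from selinux-policy or from amavisd): a small triage script that parses the audit records quoted in comments 1 and 3 above and separates the one real finding (the process executed a file labelled antivirus_exec_t while in init_t and no domain transition happened) from the follow-on denials on antivirus_var_run_t. The distinction matters in practice: feeding all of these denials to audit2allow would produce rules letting init_t manage amavisd's files, which hides the missing transition instead of fixing it. The kernel only demands a bounded transition on exec when the caller has no_new_privs set or the binary lives on a nosuid mount, so a unit option that implies NoNewPrivileges= is one thing worth checking in a customised unit; the script itself reports only what the log shows.

```python
"""Triage SELinux audit records for a service that never leaves init_t.

Added example for this bug page; it is not code from the report, from
selinux-policy or from amavisd. The audit records in SAMPLE_AUDIT are
quoted from comments 1 and 3 of the bug (lines the page had wrapped are
re-joined); nothing in them is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_AUDIT = """\
type=AVC msg=audit(1469391217.586:189): avc:  denied  { mounton } for  pid=857 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SELINUX_ERR msg=audit(1471403360.719:9671): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:antivirus_t:s0
type=AVC msg=audit(1471403360.719:9672): avc:  denied  { execute_no_trans } for  pid=10298 comm="(amavisd)" path="/usr/sbin/amavisd" dev="xvda1" ino=14629 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1471403360.721:9673): avc:  denied  { ioctl } for  pid=10298 comm="amavisd" path="/usr/sbin/amavisd" dev="xvda1" ino=14629 ioctlcmd=5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1471403361.676:9674): avc:  denied  { create } for  pid=10300 comm="/usr/sbin/amavi" name="amavisd.pid" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1471403361.676:9675): avc:  denied  { write } for  pid=10300 comm="/usr/sbin/amavi" path="/run/amavisd/amavisd.pid" dev="tmpfs" ino=225714 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_var_run_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r'^type=AVC\b.*?avc:\s+(?P<result>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
ERR_RE = re.compile(r'^type=SELINUX_ERR\b.*?\):\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Record:
    kind: str                # "avc" or "selinux_err"
    perms: Tuple[str, ...]   # permissions inside { ... }; empty for SELINUX_ERR
    fields: Dict[str, str]   # key=value pairs after "for" / after the audit id


def parse_kv(text: str) -> Dict[str, str]:
    """Split 'k=v k2="quoted v"' into a dict, stripping the quotes."""
    fields = {}
    for key, val in KV_RE.findall(text):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def ctx_type(context: str) -> str:
    """user:role:type:level -> type, which is what allow/type_transition rules key on."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_line(line: str) -> Optional[Record]:
    m = AVC_RE.match(line)
    if m:
        return Record("avc", tuple(m.group("perms").split()), parse_kv(m.group("rest")))
    m = ERR_RE.match(line)
    if m:
        return Record("selinux_err", (), parse_kv(m.group("rest")))
    return None  # SERVICE_START and other record types are not of interest here


def triage(lines: List[str]) -> Dict[str, object]:
    """Return the parsed record count, human-readable findings and a denial histogram.

    A denied security_bounded_transition names the domain the policy tried to
    enter; an execute_no_trans denial on a *_exec_t file from the same source
    domain is the symptom that the process kept the caller's domain. Every
    later denial from that domain is a consequence of the missing transition,
    not a separate policy bug, so those are only counted, not reported.
    """
    records = [r for r in map(parse_line, lines) if r is not None]
    intended: Dict[str, str] = {}   # source domain -> domain the policy wanted
    findings: List[str] = []
    by_rule: Counter = Counter()    # (stype, ttype, tclass, perms) -> count

    for r in records:
        f = r.fields
        if (r.kind == "selinux_err" and f.get("op") == "security_bounded_transition"
                and f.get("seresult") == "denied"):
            old, new = ctx_type(f.get("oldcontext", "")), ctx_type(f.get("newcontext", ""))
            intended[old] = new
            findings.append(f"bounded transition refused: {old} -> {new}")

    for r in records:
        if r.kind != "avc":
            continue
        f = r.fields
        stype, ttype = ctx_type(f.get("scontext", "")), ctx_type(f.get("tcontext", ""))
        by_rule[(stype, ttype, f.get("tclass", "?"), " ".join(r.perms))] += 1
        if "execute_no_trans" in r.perms and ttype.endswith("_exec_t"):
            msg = (f"no domain transition: pid {f.get('pid', '?')} ({f.get('comm', '?')}) "
                   f"executed {f.get('path', '?')} labelled {ttype} and stayed in {stype}")
            if stype in intended:
                msg += f"; policy wanted {intended[stype]}"
            findings.append(msg)

    return {"records": len(records), "findings": findings, "by_rule": dict(by_rule)}


if __name__ == "__main__":
    result = triage(SAMPLE_AUDIT.splitlines())
    for line in result["findings"]:
        print(line)
    for (stype, ttype, tclass, perms), n in sorted(result["by_rule"].items()):
        print(f"{n:3d}  {stype} -> {ttype} ({tclass}) {{ {perms} }}")
```

Run it on `ausearch -m AVC,SELINUX_ERR -ts recent | python3 triage.py`-style output by replacing SAMPLE_AUDIT with sys.stdin; on the records above it reports the refused init_t -> antivirus_t transition and the execute_no_trans on /usr/sbin/amavisd, and tallies the pid-file denials under init_t -> antivirus_var_run_t as consequences rather than as separate policy gaps.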

Comment 4 Alan Hamilton 2016-08-24 16:25:30 UTC
Just FYI, the issue was a custom unit file in /etc/systemd/system. Resetting the context on it didn't work, but copying the new unit file from /usr/lib/systemd/system and re-customizing it did. I'm not sure exactly what was wrong with the old file to prevent the transition (it was from F23).

