Starting Clean amavisd quarantine folder...
Starting Clean amavisd tmp folder...
AVC avc: denied { mounton } for pid=16123 comm="(tmpwatch)" path="/etc" dev="md1" ino=57915649 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
AVC avc: denied { mounton } for pid=16122 comm="(tmpwatch)" path="/etc" dev="md1" ino=57915649 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Started Clean amavisd quarantine folder.
SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=amavisd-clean-quarantine comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=amavisd-clean-quarantine comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Started Clean amavisd tmp folder.
SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=amavisd-clean-tmp comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=amavisd-clean-tmp comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
SELinux is preventing (amavisd) from mounton access on the directory /etc. For complete SELinux messages run: sealert -l 194bfe9e-4e87-41c2-91eb-954506ff9865
SELinux is preventing (amavisd) from mounton access on the directory /etc.
Same thing for me on a fresh install of Fedora 24. After trying to "systemctl start amavisd.service", the following avc denials get logged:

type=AVC msg=audit(1469391217.586:189): avc: denied { mounton } for pid=857 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469391220.034:194): avc: denied { mounton } for pid=871 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469391222.051:199): avc: denied { mounton } for pid=889 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469391224.036:203): avc: denied { mounton } for pid=904 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469391226.293:208): avc: denied { mounton } for pid=915 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469391228.036:212): avc: denied { mounton } for pid=930 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469391230.031:217): avc: denied { mounton } for pid=941 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392828.600:130): avc: denied { mounton } for pid=660 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392831.599:135): avc: denied { mounton } for pid=694 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392834.076:141): avc: denied { mounton } for pid=717 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392836.596:146): avc: denied { mounton } for pid=736 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392838.814:152): avc: denied { mounton } for pid=754 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392840.897:158): avc: denied { mounton } for pid=770 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392842.967:164): avc: denied { mounton } for pid=787 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392845.059:170): avc: denied { mounton } for pid=806 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1469392847.318:175): avc: denied { mounton } for pid=827 comm="(amavisd)" path="/etc" dev="vda1" ino=131074 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Looks like it's missing a rule to transition from init_t to antivirus_t. Amavisd ends up running as init_t. If I run in permissive mode:

system_u:system_r:init_t:s0 amavis 1920 1 0 11:28 ? 00:00:01 /usr/sbin/amavisd (master)
system_u:system_r:init_t:s0 amavis 1921 1920 0 11:28 ? 00:00:04 /usr/sbin/amavisd (ch15-avail)
system_u:system_r:init_t:s0 amavis 1922 1920 0 11:28 ? 00:00:04 /usr/sbin/amavisd (ch17-avail)
I'm afraid I'm still seeing it with selinux-policy-targeted-3.13.1-191.10.fc24.noarch. amavisd is still not transitioning from init_t to antivirus_t. This is running in permissive mode:

type=SELINUX_ERR msg=audit(1471403360.719:9671): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:antivirus_t:s0
type=AVC msg=audit(1471403360.719:9672): avc: denied { execute_no_trans } for pid=10298 comm="(amavisd)" path="/usr/sbin/amavisd" dev="xvda1" ino=14629 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1471403360.721:9673): avc: denied { ioctl } for pid=10298 comm="amavisd" path="/usr/sbin/amavisd" dev="xvda1" ino=14629 ioctlcmd=5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1471403361.676:9674): avc: denied { create } for pid=10300 comm="/usr/sbin/amavi" name="amavisd.pid" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1471403361.676:9675): avc: denied { write } for pid=10300 comm="/usr/sbin/amavi" path="/run/amavisd/amavisd.pid" dev="tmpfs" ino=225714 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_var_run_t:s0 tclass=file permissive=1
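The symptom in the comments above (a daemon that stays in init_t and then trips over the target domain's file types) can be spotted mechanically in audit records. The following checker is an added example, not code from this thread or from the selinux-policy project; the sample records are constructed in the same format as the ones quoted above.

```python
import re

# Constructed sample records, in the format of the audit lines quoted in this thread.
SAMPLE_AUDIT = """\
type=SELINUX_ERR msg=audit(1471403360.719:9671): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:antivirus_t:s0
type=AVC msg=audit(1471403360.719:9672): avc: denied { execute_no_trans } for pid=10298 comm="(amavisd)" path="/usr/sbin/amavisd" dev="xvda1" ino=14629 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1471403361.676:9674): avc: denied { create } for pid=10300 comm="/usr/sbin/amavi" name="amavisd.pid" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:antivirus_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1471403400.000:9700): avc: denied { read } for pid=10400 comm="clamd" path="/etc/clamd.d/scan.conf" scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
PERM_RE = re.compile(r'\{ ([^}]*) \}')        # the { perm perm ... } set in an AVC record

def parse_record(line):
    """Turn one audit record into a dict of its key=value fields plus a 'perms' list."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = PERM_RE.search(line)
    rec["perms"] = m.group(1).split() if m else []
    return rec

def type_of(context):
    """Third field of a context: system_u:system_r:init_t:s0 -> init_t."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def find_missing_transitions(text, expected_domain="antivirus_t"):
    """Flag evidence that a service never left init_t for expected_domain:
    a denied bounded transition into it, or an init_t process touching its
    types (antivirus_exec_t, antivirus_var_run_t, ...)."""
    type_prefix = expected_domain[:-len("_t")] + "_"
    findings = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "SELINUX_ERR" and rec.get("seresult") == "denied" \
                and type_of(rec.get("newcontext", "")) == expected_domain:
            findings.append({"kind": "transition_denied",
                             "old": rec["oldcontext"], "new": rec["newcontext"]})
        elif rec.get("type") == "AVC" and type_of(rec.get("scontext", "")) == "init_t":
            ttype = type_of(rec.get("tcontext", ""))
            if ttype == expected_domain or ttype.startswith(type_prefix):
                findings.append({"kind": "still_in_init_t", "comm": rec.get("comm", "?"),
                                 "ttype": ttype, "perms": rec["perms"]})
    return findings

if __name__ == "__main__":
    for f in find_missing_transitions(SAMPLE_AUDIT):
        print(f)
```

A `still_in_init_t` hit whose perms contain `execute_no_trans` against the domain's `_exec_t` type is the direct signature of the missing domain transition; the fourth sample record (already in antivirus_t) correctly produces nothing.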
Just FYI, the issue was a custom unit file in /etc/systemd/system. Resetting the context on it didn't work, but copying the new unit file from /usr/lib/systemd/system and re-customizing it did. I'm not sure exactly what was wrong with the old file to prevent the transition (it was from F23).