Description of problem: This problem is caused by using systemd-resolved + nss_resolve module. nss_resolve module connects to the system bus to talk to resolved, so any process which makes dns calls in any form needs system bus access SELinux is preventing exim from 'connectto' accesses on the unix_stream_socket /run/dbus/system_bus_socket. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that exim should be allowed connectto access on the system_bus_socket unix_stream_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'exim' --raw | audit2allow -M my-exim # semodule -X 300 -i my-exim.pp Additional Information: Source Context system_u:system_r:exim_t:s0-s0:c0.c1023 Target Context system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 Target Objects /run/dbus/system_bus_socket [ unix_stream_socket ] Source exim Source Path exim Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-214.fc25.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.8.0-0.rc7.git0.1.fc25.x86_64 #1 SMP Mon Sep 19 15:24:06 UTC 2016 x86_64 x86_64 Alert Count 12 First Seen 2016-10-08 18:00:01 PDT Last Seen 2016-10-10 10:49:15 PDT Local ID cf67cd0a-9562-4de0-b686-3d877d3dc4be Raw Audit Messages type=AVC msg=audit(1476121755.699:388): avc: denied { connectto } for pid=11906 comm="exim" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:exim_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 Hash: exim,exim_t,system_dbusd_t,unix_stream_socket,connectto Version-Release number of selected component: selinux-policy-3.13.1-214.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc7.git0.1.fc25.x86_64 type: libreport
Lukas, it looks we will need to update sysnet_dns_name_resolve() interface to support this configuration.
https://github.com/fedora-selinux/selinux-policy/commit/821f1916e63afd1e5191740b8500c949166399d2
selinux-policy-3.13.1-220.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-213537f6e8
selinux-policy-3.13.1-191.19.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e035472778
selinux-policy-3.13.1-220.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.13.1-191.19.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.