Description of problem:

SELinux is preventing postgrey from execute access on the file /usr/bin/perl.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that postgrey should be allowed execute access on the perl file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'postgrey' --raw | audit2allow -M my-postgrey
# semodule -X 300 -i my-postgrey.pp

Additional Information:
Source Context                system_u:system_r:postgrey_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/bin/perl [ file ]
Source                        postgrey
Source Path                   postgrey
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages           perl-5.22.2-362.fc24.x86_64
Policy RPM                    selinux-policy-3.13.1-191.19.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     some.example.net
Platform                      Linux some.example.net 4.8.4-200.fc24.x86_64 #1 SMP Tue Oct 25 13:06:04 UTC 2016 x86_64 x86_64
Alert Count                   15
First Seen                    2016-10-27 21:23:12 CEST
Last Seen                     2016-10-27 21:23:10 CEST
Local ID                      59de0ad0-ee95-4917-a65e-9af80c19879b

Raw Audit Messages
type=AVC msg=audit(1477596190.320:64): avc: denied { execute } for pid=443 comm="postgrey" path="/usr/bin/perl" dev="sda3" ino=398754 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

Hash: postgrey,postgrey_t,bin_t,file,execute
I can confirm this bug. Same problem here. postgrey daemon will not start via systemd. Worked in Fedora 23 before. Need info? Can I help somehow? Greets Jens
I can confirm this also affects F25.
Yes, this also affects F25.

SELinux is preventing postgrey from execute access on the file /usr/bin/perl.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that postgrey should be allowed execute access on the perl file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'postgrey' --raw | audit2allow -M my-postgrey
# semodule -X 300 -i my-postgrey.pp

Additional Information:
Source Context                system_u:system_r:postgrey_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/bin/perl [ file ]
Source                        postgrey
Source Path                   postgrey
Port                          <Unknown>
Host                          argon
Source RPM Packages
Target RPM Packages           perl-5.24.0-379.fc25.x86_64
Policy RPM                    selinux-policy-3.13.1-225.3.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     argon
Platform                      Linux argon 4.8.12-300.fc25.x86_64 #1 SMP Fri Dec 2 17:52:11 UTC 2016 x86_64 x86_64
Alert Count                   17
First Seen                    2016-12-14 09:36:15 CET
Last Seen                     2016-12-14 09:46:37 CET
Local ID                      25fcb7f9-fee3-4407-93b9-517fcebebc6a

Raw Audit Messages
type=AVC msg=audit(1481705197.392:21601): avc: denied { execute } for pid=23650 comm="postgrey" path="/usr/bin/perl" dev="dm-0" ino=8583290 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

Hash: postgrey,postgrey_t,bin_t,file,execute
Same here, ping?
selinux-policy-3.13.1-225.20.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-837f04c39a
selinux-policy-3.13.1-225.20.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-837f04c39a
selinux-policy-3.13.1-225.20.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.13.1-225.22.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5d4f3635ee
selinux-policy-3.13.1-225.22.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5d4f3635ee
selinux-policy-3.13.1-225.22.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
I have encountered this bug again after upgrading F27->F28. Same cause, same fix.
# rpm -q selinux-policy
selinux-policy-3.14.2-54.fc29.noarch

# audit2allow -i avc

#============= postgrey_t ==============

#!!!! This avc is allowed in the current policy
allow postgrey_t bin_t:file execute;

It's fixed in F29.