Bug 1389882 - SELinux is preventing postgrey from execute access on the file /usr/bin/perl
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 28
Hardware: Unspecified
OS: Unspecified
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
 
Reported: 2016-10-29 09:25 UTC by Eduard Kohler
Modified: 2019-04-29 11:39 UTC

Last Closed: 2019-04-29 11:39:24 UTC
Type: Bug



Description Eduard Kohler 2016-10-29 09:25:38 UTC
Description of problem:
SELinux is preventing postgrey from execute access on the file /usr/bin/perl.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that postgrey should be allowed execute access on the perl file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'postgrey' --raw | audit2allow -M my-postgrey
# semodule -X 300 -i my-postgrey.pp


Additional Information:
Source Context                system_u:system_r:postgrey_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/bin/perl [ file ]
Source                        postgrey
Source Path                   postgrey
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           perl-5.22.2-362.fc24.x86_64
Policy RPM                    selinux-policy-3.13.1-191.19.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     some.example.net
Platform                      Linux some.example.net 4.8.4-200.fc24.x86_64 #1
                              SMP Tue Oct 25 13:06:04 UTC 2016 x86_64 x86_64
Alert Count                   15
First Seen                    2016-10-27 21:23:12 CEST
Last Seen                     2016-10-27 21:23:10 CEST
Local ID                      59de0ad0-ee95-4917-a65e-9af80c19879b

Raw Audit Messages
type=AVC msg=audit(1477596190.320:64): avc:  denied  { execute } for  pid=443 comm="postgrey" path="/usr/bin/perl" dev="sda3" ino=398754 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0


Hash: postgrey,postgrey_t,bin_t,file,execute

Comment 1 Jens Kleineheismann 2016-11-09 09:04:41 UTC
I can confirm this bug. Same problem here.
postgrey daemon will not start via systemd.
Worked in Fedora 23 before.

Need info? Can I help somehow?

Greets
  Jens

Comment 2 Anthony Messina 2016-12-10 01:08:13 UTC
I can confirm this also affects F25.

Comment 3 Juan Orti 2016-12-14 08:51:15 UTC
Yes, this also affects F25.
                                                                                
SELinux is preventing postgrey from execute access on the file /usr/bin/perl.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that postgrey should be allowed execute access on the perl file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'postgrey' --raw | audit2allow -M my-postgrey
# semodule -X 300 -i my-postgrey.pp


Additional Information:
Source Context                system_u:system_r:postgrey_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/bin/perl [ file ]
Source                        postgrey
Source Path                   postgrey
Port                          <Unknown>
Host                          argon
Source RPM Packages           
Target RPM Packages           perl-5.24.0-379.fc25.x86_64
Policy RPM                    selinux-policy-3.13.1-225.3.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     argon
Platform                      Linux argon 4.8.12-300.fc25.x86_64 #1 SMP Fri Dec
                              2 17:52:11 UTC 2016 x86_64 x86_64
Alert Count                   17
First Seen                    2016-12-14 09:36:15 CET
Last Seen                     2016-12-14 09:46:37 CET
Local ID                      25fcb7f9-fee3-4407-93b9-517fcebebc6a

Raw Audit Messages
type=AVC msg=audit(1481705197.392:21601): avc:  denied  { execute } for  pid=23650 comm="postgrey" path="/usr/bin/perl" dev="dm-0" ino=8583290 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0


Hash: postgrey,postgrey_t,bin_t,file,execute

Comment 4 Nils Philippsen 2017-03-10 12:41:38 UTC
Same here, ping?

Comment 5 Fedora Update System 2017-08-14 15:22:43 UTC
selinux-policy-3.13.1-225.20.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-837f04c39a

Comment 6 Fedora Update System 2017-08-15 03:51:35 UTC
selinux-policy-3.13.1-225.20.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-837f04c39a

Comment 7 Fedora Update System 2017-08-27 06:22:33 UTC
selinux-policy-3.13.1-225.20.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2017-09-01 09:35:20 UTC
selinux-policy-3.13.1-225.22.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5d4f3635ee

Comment 9 Fedora Update System 2017-09-03 06:25:24 UTC
selinux-policy-3.13.1-225.22.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5d4f3635ee

Comment 10 Fedora Update System 2017-09-07 23:20:44 UTC
selinux-policy-3.13.1-225.22.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Alan Olsen 2018-06-04 04:29:43 UTC
I have encountered this bug again after upgrading F27->F28. Same cause, same fix.

Comment 12 Lukas Vrabec 2019-04-29 11:39:24 UTC
# rpm -q selinux-policy
selinux-policy-3.14.2-54.fc29.noarch

# audit2allow -i avc 

#============= postgrey_t ==============

#!!!! This avc is allowed in the current policy
allow postgrey_t bin_t:file execute;

It's fixed in F29

