Bug 1404213 - postfix generating SELinux AVCs when IPv6 disabled
Summary: postfix generating SELinux AVCs when IPv6 disabled
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Depends On:
Blocks: 1122832 1420851
TreeView+ depends on / blocked
Reported: 2016-12-13 11:32 UTC by Marko Myllynen
Modified: 2020-09-10 10:02 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-08-01 15:20:12 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1861 0 normal SHIPPED_LIVE selinux-policy bug fix update 2017-08-01 17:50:24 UTC

Description Marko Myllynen 2016-12-13 11:32:14 UTC
Description of problem:
With the default main.cf which has:

# Enable IPv4, and IPv6 if supported
inet_protocols = all

Booting with ipv6.disable=1 we can see constant AVCs:

type=AVC msg=audit(1481628221.412:81): avc:  denied  { module_request } for  pid=1597 comm="postfix" kmod="net-pf-10" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1481628221.815:84): avc:  denied  { module_request } for  pid=1773 comm="postsuper" kmod="net-pf-10" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1481628222.002:92): avc:  denied  { module_request } for  pid=1874 comm="qmgr" kmod="net-pf-10" scontext=system_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1481628222.010:94): avc:  denied  { module_request } for  pid=1873 comm="pickup" kmod="net-pf-10" scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

Please close this if you consider this being a configuration issue (but given the comment in the configuration file this might be something to adjust). Thanks.

Comment 1 Marko Myllynen 2016-12-13 11:36:13 UTC
Actually, I see similar AVC from PCP and chronyd as well. Re-assigning to selinux-policy, probably best to fix there (if at all). Thanks.

Comment 6 Lukas Vrabec 2017-03-23 10:55:54 UTC
Thank you Marko, 
This AVC will be dontaudited.

Comment 9 errata-xmlrpc 2017-08-01 15:20:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.