1404213 – postfix generating SELinux AVCs when IPv6 disabled

Bug 1404213 - postfix generating SELinux AVCs when IPv6 disabled

Summary: postfix generating SELinux AVCs when IPv6 disabled

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1122832 1420851
TreeView+	depends on / blocked

Reported:	2016-12-13 11:32 UTC by Marko Myllynen
Modified:	2020-09-10 10:02 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-01 15:20:12 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:1861	0	normal	SHIPPED_LIVE	selinux-policy bug fix update	2017-08-01 17:50:24 UTC

Description Marko Myllynen 2016-12-13 11:32:14 UTC

Description of problem:
With the default main.cf which has:

# Enable IPv4, and IPv6 if supported
inet_protocols = all

Booting with ipv6.disable=1 we can see constant AVCs:

type=AVC msg=audit(1481628221.412:81): avc:  denied  { module_request } for  pid=1597 comm="postfix" kmod="net-pf-10" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1481628221.815:84): avc:  denied  { module_request } for  pid=1773 comm="postsuper" kmod="net-pf-10" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1481628222.002:92): avc:  denied  { module_request } for  pid=1874 comm="qmgr" kmod="net-pf-10" scontext=system_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1481628222.010:94): avc:  denied  { module_request } for  pid=1873 comm="pickup" kmod="net-pf-10" scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

Please close this if you consider this being a configuration issue (but given the comment in the configuration file this might be something to adjust). Thanks.

Comment 1 Marko Myllynen 2016-12-13 11:36:13 UTC

Actually, I see similar AVC from PCP and chronyd as well. Re-assigning to selinux-policy, probably best to fix there (if at all). Thanks.

Comment 6 Lukas Vrabec 2017-03-23 10:55:54 UTC

Thank you Marko, 
This AVC will be dontaudited.

Comment 9 errata-xmlrpc 2017-08-01 15:20:12 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

Note You need to log in before you can comment on or make changes to this bug.