Bug 1409107 - SELinux prevents Postfix from starting
Summary: SELinux prevents Postfix from starting
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-12-29 14:44 UTC by Michael Cronenworth
Modified: 2022-04-01 06:07 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-26 09:31:26 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
Full list of AVCs emitted from postfix (1.23 KB, text/plain)
2017-02-01 16:52 UTC, Michael Cronenworth 		no flags Details
Additional AVCs emitted after postfix startup (2.95 KB, text/plain)
2017-02-01 16:56 UTC, Michael Cronenworth 		no flags Details
Jan / #31 - logs and stuff (11.45 KB, text/plain)
2018-04-05 14:19 UTC, Jan 		no flags Details
View All

Description Michael Cronenworth 2016-12-29 14:44:54 UTC 
I thought I would wait a little while before filing this bug thinking I can't be the only person using postfix on Fedora, but it appears I am...

SELinux is preventing postfix from search access on the directory dev.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow postfix to have search access on the dev directory
Then you need to change the label on dev
Do
# semanage fcontext -a -t FILE_TYPE 'dev'
where FILE_TYPE is one of the following: NetworkManager_var_run_t, abrt_var_run_t, admin_home_t, aiccu_var_run_t, ajaxterm_var_run_t, alsa_var_run_t, anon_inodefs_t, antivirus_db_t, antivirus_var_run_t, apcupsd_var_run_t, apmd_var_run_t, arpwatch_var_run_t, asterisk_var_run_t, audisp_var_run_t, audit_spool_t, auditd_log_t, auditd_var_run_t, autofs_t, automount_tmp_t, automount_var_run_t, avahi_var_run_t, bacula_store_t, bacula_var_run_t, bcfg2_var_run_t, bin_t, binfmt_misc_fs_t, bitlbee_var_run_t, blkmapd_var_run_t, blktap_var_run_t, blueman_var_run_t, bluetooth_var_run_t, boot_t, bootloader_var_run_t, brltty_var_run_t, bumblebee_var_run_t, cachefilesd_var_run_t, callweaver_var_run_t, canna_var_run_t, capifs_t, cardmgr_var_run_t, ccs_var_run_t, cephfs_t, cert_t, certmaster_var_run_t, certmonger_var_run_t, cgred_var_run_t, cgroup_t, chronyd_var_run_t, cifs_t, cinder_var_run_t, clogd_var_run_t, cluster_conf_t, cluster_var_lib_t, cluster_var_run_t, clvmd_var_run_t, cmirrord_var_run_t, cockpit_var_run_t, collectd_var_run_t, comsat_var_run_t, condor_var_run_t, conman_var_run_t, consolekit_var_run_t, container_file_t, container_ro_file_t, couchdb_var_run_t, courier_var_run_t, cpu_online_t, cpuplug_var_run_t, cpuspeed_var_run_t, cron_var_run_t, crond_var_run_t, ctdbd_var_run_t, cupsd_config_var_run_t, cupsd_lpd_var_run_t, cupsd_var_run_t, cvs_var_run_t, cyphesis_var_run_t, cyrus_var_lib_t, cyrus_var_run_t, dbskkd_var_run_t, dcc_var_run_t, dccd_var_run_t, dccifd_var_run_t, dccm_var_run_t, dcerpcd_var_run_t, ddclient_var_run_t, debugfs_t, default_context_t, default_t, deltacloudd_var_run_t, device_t, devicekit_var_run_t, devpts_t, dhcpc_var_run_t, dhcpd_var_run_t, dictd_var_run_t, dirsrv_snmp_var_run_t, dirsrv_var_run_t, dkim_milter_data_t, dlm_controld_var_run_t, dnsmasq_var_run_t, dnssec_t, dnssec_trigger_var_run_t, dosfs_t, dovecot_var_run_t, drbd_var_run_t, dspam_var_run_t, ecryptfs_t, efivarfs_t, entropyd_var_run_t, etc_aliases_t, etc_mail_t, etc_runtime_t, etc_t, eventlogd_var_run_t, evtchnd_var_run_t, exim_var_run_t, fail2ban_var_lib_t, fail2ban_var_run_t, fcoemon_var_run_t, fenced_var_run_t, fetchmail_var_run_t, file_context_t, fingerd_var_run_t, firewalld_var_run_t, foghorn_var_run_t, fonts_cache_t, fonts_t, freeipmi_bmc_watchdog_var_run_t, freeipmi_ipmidetectd_var_run_t, freeipmi_ipmiseld_var_run_t, fsadm_var_run_t, fsdaemon_var_run_t, ftpd_var_run_t, fusefs_t, games_srv_var_run_t, gdomap_var_run_t, gear_var_run_t, getty_var_run_t, gfs_controld_var_run_t, glance_var_run_t, glusterd_var_run_t, gpm_var_run_t, gpsd_var_run_t, greylist_milter_data_t, groupd_var_run_t, gssproxy_var_run_t, haproxy_var_run_t, home_root_t, hostapd_var_run_t, httpd_sys_content_t, httpd_var_run_t, hugetlbfs_t, hwloc_var_run_t, icecast_var_run_t, ifconfig_var_run_t, inetd_child_var_run_t, inetd_var_run_t, init_var_run_t, initrc_tmp_t, initrc_var_run_t, innd_var_run_t, insmod_var_run_t, ipa_var_run_t, ipmievd_var_run_t, ipsec_mgmt_var_run_t, ipsec_var_run_t, iptables_var_lib_t, iptables_var_run_t, irqbalance_var_run_t, iscsi_var_run_t, isnsd_var_run_t, iso9660_t, iwhd_var_run_t, jetty_var_run_t, kadmind_var_run_t, kdbusfs_t, keepalived_var_run_t, keystone_var_run_t, kismet_var_run_t, klogd_var_run_t, krb5_conf_t, krb5_host_rcache_t, krb5kdc_var_run_t, ksmtuned_var_run_t, l2tpd_var_run_t, lib_t, likewise_var_lib_t, lircd_var_run_t, lldpad_var_run_t, locale_t, locate_var_run_t, logwatch_var_run_t, lost_found_t, lpd_var_run_t, lsassd_var_run_t, lsmd_var_run_t, lttng_sessiond_var_run_t, lvm_var_run_t, lwiod_var_run_t, lwregd_var_run_t, lwsmd_var_run_t, mail_home_t, mail_spool_t, mailman_data_t, mailman_log_t, mailman_var_run_t, man_cache_t, man_t, mandb_cache_t, mcelog_var_run_t, mdadm_var_run_t, memcached_var_run_t, minidlna_var_run_t, minissdpd_var_run_t, mirrormanager_var_run_t, mnt_t, mock_var_run_t, mon_statd_var_run_t, mongod_var_run_t, motion_var_run_t, mount_var_run_t, mpd_var_run_t, mqueue_spool_t, mrtg_var_run_t, mscan_var_run_t, munin_var_run_t, mysqld_db_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, naemon_var_run_t, nagios_var_run_t, named_conf_t, named_var_run_t, net_conf_t, netlogond_var_run_t, neutron_var_run_t, news_spool_t, nfs_t, nfsd_fs_t, ninfod_run_t, nmbd_var_run_t, nova_var_run_t, nrpe_var_run_t, nscd_var_run_t, nsd_var_run_t, nslcd_var_run_t, ntop_var_run_t, ntpd_var_run_t, numad_var_run_t, nut_var_run_t, nx_server_var_run_t, oddjob_var_run_t, onload_fs_t, openct_var_run_t, opendnssec_var_run_t, openhpid_var_run_t, openshift_tmp_t, openshift_var_lib_t, openshift_var_run_t, openvpn_var_run_t, openvswitch_var_run_t, openwsman_run_t, oracleasmfs_t, osad_var_run_t, pads_var_run_t, pam_var_console_t, pam_var_run_t, passenger_var_run_t, pcp_var_run_t, pcscd_var_run_t, pdns_var_run_t, pegasus_openlmi_storage_var_run_t, pegasus_var_run_t, pesign_var_run_t, piranha_fos_var_run_t, piranha_lvs_var_run_t, piranha_pulse_var_run_t, piranha_web_var_run_t, pkcs11proxyd_var_run_t, pkcs_slotd_var_run_t, pki_ra_var_run_t, pki_tomcat_var_run_t, pki_tps_var_run_t, plymouthd_var_run_t, policykit_var_run_t, polipo_pid_t, portmap_var_run_t, portreserve_var_run_t, postfix_data_t, postfix_etc_t, postfix_private_t, postfix_public_t, postfix_spool_bounce_t, postfix_spool_t, postfix_var_run_t, postgresql_var_run_t, postgrey_spool_t, postgrey_var_run_t, pppd_var_run_t, pptp_var_run_t, prelude_audisp_var_run_t, prelude_lml_var_run_t, prelude_var_run_t, privoxy_var_run_t, proc_t, proc_xen_t, prosody_var_run_t, psad_var_run_t, pstore_t, ptal_var_run_t, public_content_rw_t, public_content_t, pulseaudio_var_run_t, puppet_var_run_t, pwauth_var_run_t, pyicqt_var_run_t, qdiskd_var_run_t, qemu_var_run_t, qpidd_var_run_t, quota_nld_var_run_t, rabbitmq_var_run_t, radiusd_var_run_t, radvd_var_run_t, ramfs_t, random_seed_t, readahead_var_run_t, redis_var_run_t, regex_milter_data_t, removable_t, restorecond_var_run_t, rhev_agentd_var_run_t, rhnsd_var_run_t, rhsmcertd_var_run_t, ricci_modcluster_var_run_t, ricci_var_run_t, rkhunter_var_lib_t, rlogind_var_run_t, rngd_var_run_t, root_t, roundup_var_run_t, rpc_pipefs_t, rpcbind_var_run_t, rpcd_var_run_t, rpm_log_t, rpm_script_tmp_t, rpm_var_run_t, rsync_var_run_t, rtas_errd_var_run_t, samba_etc_t, samba_var_t, sanlock_var_run_t, saslauthd_var_run_t, sbd_var_run_t, sblim_var_run_t, screen_var_run_t, security_t, selinux_config_t, sendmail_var_run_t, sensord_var_run_t, setrans_var_run_t, setroubleshoot_var_run_t, shell_exec_t, slapd_var_run_t, slpd_var_run_t, smbd_var_run_t, smokeping_var_run_t, smsd_var_run_t, snmpd_var_run_t, snort_var_run_t, sosreport_tmp_t, sosreport_var_run_t, soundd_var_run_t, spamass_milter_data_t, spamd_var_run_t, spufs_t, squid_var_run_t, src_t, srvsvcd_var_run_t, sshd_var_run_t, sslh_var_run_t, sssd_public_t, sssd_var_lib_t, sssd_var_run_t, stapserver_var_run_t, stunnel_var_run_t, svnserve_var_run_t, swat_var_run_t, swift_var_run_t, sysctl_fs_t, sysctl_t, sysfs_t, syslogd_var_run_t, system_conf_t, system_cronjob_var_run_t, system_db_t, system_dbusd_var_run_t, systemd_logind_inhibit_var_run_t, systemd_logind_sessions_t, systemd_logind_var_run_t, systemd_machined_var_run_t, systemd_networkd_var_run_t, systemd_passwd_var_run_t, systemd_resolved_var_run_t, sysv_t, telnetd_var_run_t, textrel_shlib_t, tftpd_var_run_t, tgtd_var_run_t, thin_aeolus_configserver_var_run_t, thin_var_run_t, timemaster_var_run_t, tlp_var_run_t, tmp_t, tmpfs_t, tomcat_var_run_t, tor_var_lib_t, tor_var_log_t, tor_var_run_t, tuned_var_run_t, udev_var_run_t, uml_switch_var_run_t, usbfs_t, usbmuxd_var_run_t, user_home_dir_t, user_home_t, user_tmp_t, useradd_var_run_t, usr_t, uucpd_var_run_t, uuidd_var_run_t, var_lib_nfs_t, var_lib_t, var_lock_t, var_log_t, var_run_t, var_spool_t, var_t, varnishd_var_run_t, varnishlog_var_run_t, vdagent_var_run_t, vhostmd_var_run_t, virt_image_t, virt_lxc_var_run_t, virt_qemu_ga_var_run_t, virt_var_lib_t, virt_var_run_t, virtlogd_var_run_t, vmblock_t, vmware_host_pid_t, vmware_pid_t, vnstatd_var_run_t, vpnc_var_run_t, vxfs_t, watchdog_var_run_t, wdmd_var_run_t, winbind_var_run_t, xdm_var_run_t, xenconsoled_var_run_t, xend_var_lib_t, xend_var_run_t, xenfs_t, xenstored_var_lib_t, xenstored_var_run_t, xserver_var_run_t, ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t, ypxfr_var_run_t, zabbix_var_run_t, zarafa_deliver_var_run_t, zarafa_gateway_var_run_t, zarafa_ical_var_run_t, zarafa_indexer_var_run_t, zarafa_monitor_var_run_t, zarafa_server_var_run_t, zarafa_spooler_var_run_t, zebra_var_run_t, zoneminder_var_run_t.
Then execute:
restorecon -v 'dev'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that postfix should be allowed search access on the dev directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'postfix' --raw | audit2allow -M my-postfix
# semodule -X 300 -i my-postfix.pp

Additional Information:
Source Context                system_u:system_r:postfix_master_t:s0
Target Context                unconfined_u:object_r:unlabeled_t:s0
Target Objects                dev [ dir ]
Source                        postfix
Source Path                   postfix
Port                          <Unknown>
Host                          mcronenworth.nhsrx.com
Source RPM Packages           
Target RPM Packages           filesystem-3.2-37.fc24.x86_64
Policy RPM                    selinux-policy-3.13.1-225.3.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     mcronenworth.nhsrx.com
Platform                      Linux mcronenworth.nhsrx.com
                              4.8.15-300.fc25.x86_64 #1 SMP Thu Dec 15 23:10:23
                              UTC 2016 x86_64 x86_64
Alert Count                   82
First Seen                    2016-12-22 10:13:03 CST
Last Seen                     2016-12-29 08:42:53 CST
Local ID                      e6891bc0-f896-493f-99f2-8e79ec5ba352

Raw Audit Messages
type=AVC msg=audit(1483022573.25:132): avc:  denied  { search } for  pid=31890 comm="postlog" name="dev" dev="sda2" ino=4980737 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0


Hash: postfix,postfix_master_t,unlabeled_t,dir,search
Comment 1 Lukas Vrabec 2017-01-08 20:26:52 UTC 
Please, run following command to fix your issue:
# restorecon -Rv /
Comment 2 Michael Cronenworth 2017-01-08 21:42:52 UTC 
I have, thanks. Before I opened this bug. Reopening.
Comment 3 Michael Cronenworth 2017-01-16 15:05:59 UTC 
Sorry. Issue has disappeared now so I cannot reproduce.
Comment 4 Michael Cronenworth 2017-01-23 14:56:54 UTC 
Reopening. I can reproduce it again.

System was rebooted and now I'm getting a denial. The same denial I originally reported.

type=AVC msg=audit(1485182604.381:132): avc:  denied  { search } for  pid=26553 comm="postlog" name="dev" dev="sda2" ino=4980737 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0

Running 'restorecon -Rv /' does *not* fix it.

postfix-3.1.4-1.fc25.x86_64
selinux-policy-3.13.1-225.6.fc25.noarch
Comment 5 Michael Cronenworth 2017-02-01 16:52:19 UTC 
Created attachment 1246744 [details]
Full list of AVCs emitted from postfix

I am attaching the full list of AVCs generated by a start attempt of postfix.

Creating a custom module that allows these AVCs allows postfix to start.
Comment 6 Michael Cronenworth 2017-02-01 16:53:06 UTC 
Here is the custom module type enforcement file:

module mypostfix 1.0;

require {
	type unlabeled_t;
	type postfix_master_t;
	class file { open read write };
	class dir { search write };
}

#============= postfix_master_t ==============

allow postfix_master_t unlabeled_t:dir { search write };
allow postfix_master_t unlabeled_t:file read;
allow postfix_master_t unlabeled_t:file { open write };
Comment 7 Michael Cronenworth 2017-02-01 16:56:44 UTC 
Created attachment 1246745 [details]
Additional AVCs emitted after postfix startup

There were 12 additional AVCs emitted once Postfix successfully started up.
Comment 8 Rudd-O DragonFear 2017-02-03 05:23:17 UTC 
A dupe: https://bugzilla.redhat.com/show_bug.cgi?id=1418908
Comment 9 Rudd-O DragonFear 2017-02-03 05:51:30 UTC 
The module type enforcement file you posted does not work for me.

postfix-3.1.4-1.fc25.x86_64
Comment 10 Daniel Walsh 2017-02-06 23:05:33 UTC 
Where is this postlog directory?  What does
ls -lZ /PATHTO/postlog show?
Comment 11 Michael Cronenworth 2017-02-07 17:12:17 UTC 
$ ls -lZ /usr/sbin/postlog
-rwxr-xr-x. 1 root root system_u:object_r:postfix_master_exec_t:s0 11392 Jan  2 11:21 /usr/sbin/postlog
# restorecon -Rv /usr/sbin/postlog
[no output]
$ ls -lZ /usr/sbin/postlog
-rwxr-xr-x. 1 root root system_u:object_r:postfix_master_exec_t:s0 11392 Jan  2 11:21 /usr/sbin/postlog
Comment 12 Manu Thambi 2017-02-18 23:36:41 UTC 
I see the same issue. I also notice that the inode in the sealert output is that of the underlying /dev directory in the root filesystem. 

ls -lZi /dev gives a different inode (probably from the devtmpfs mounted on top of the root filesystem).

Not sure whether it is relevant.
Comment 13 Fedora Update System 2017-08-14 15:21:39 UTC 
selinux-policy-3.13.1-225.20.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-837f04c39a
Comment 14 Fedora Update System 2017-08-15 03:50:57 UTC 
selinux-policy-3.13.1-225.20.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-837f04c39a
Comment 15 Michael Cronenworth 2017-08-16 13:26:53 UTC 
This is NOT fixed by that update. Postfix STILL fails to start. Please test updates before issuing them.

Aug 16 08:25:04 foo.bar.com systemd[1]: Starting Postfix Mail Transport Agent...
Aug 16 08:25:05 foo.bar.com audit[17608]: AVC avc:  denied  { search } for  pid=17608 comm="postfix" name="dev" dev="sda2" ino=4980737 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Aug 16 08:25:05 foo.bar.com audit[17608]: AVC avc:  denied  { search } for  pid=17608 comm="postfix-script" name="dev" dev="sda2" ino=4980737 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Aug 16 08:25:05 foo.bar.com audit[17614]: AVC avc:  denied  { search } for  pid=17614 comm="postfix-script" name="dev" dev="sda2" ino=4980737 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Aug 16 08:25:05 foo.bar.com audit[17614]: AVC avc:  denied  { search } for  pid=17614 comm="postfix-script" name="dev" dev="sda2" ino=4980737 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Aug 16 08:25:05 foo.bar.com postfix[17608]: /usr/libexec/postfix/postfix-script: line 122: /dev/null: Permission denied
Aug 16 08:25:05 foo.bar.com audit[17615]: AVC avc:  denied  { search } for  pid=17615 comm="postlog" name="dev" dev="sda2" ino=4980737 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Aug 16 08:25:05 foo.bar.com audit[17615]: AVC avc:  denied  { search } for  pid=17615 comm="postlog" name="dev" dev="sda2" ino=4980737 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Aug 16 08:25:05 foo.bar.com audit[17615]: AVC avc:  denied  { search } for  pid=17615 comm="postlog" name="dev" dev="sda2" ino=4980737 scontext=system_u:system_r:postfix_master_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
Aug 16 08:25:06 foo.bar.com systemd[1]: postfix.service: Control process exited, code=exited status=1
Aug 16 08:25:06 foo.bar.com systemd[1]: Failed to start Postfix Mail Transport Agent.
Comment 16 Fedora Update System 2017-08-27 06:21:57 UTC 
selinux-policy-3.13.1-225.20.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 17 Michael Cronenworth 2017-08-27 14:46:04 UTC 
Not fixed yet.
Comment 18 Fedora Update System 2017-09-01 09:34:31 UTC 
selinux-policy-3.13.1-225.22.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5d4f3635ee
Comment 19 Fedora Update System 2017-09-03 06:24:45 UTC 
selinux-policy-3.13.1-225.22.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5d4f3635ee
Comment 20 Michael Cronenworth 2017-09-05 14:11:42 UTC 
Still not fixed.
Comment 21 Fedora Update System 2017-09-07 23:20:04 UTC 
selinux-policy-3.13.1-225.22.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 22 Michael Cronenworth 2017-09-08 01:05:23 UTC 
Still not fixed.
Comment 23 Fedora Update System 2017-10-10 12:00:18 UTC 
selinux-policy-3.13.1-225.23.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4d00e4db6a
Comment 24 Fedora Update System 2017-10-11 04:22:00 UTC 
selinux-policy-3.13.1-225.23.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4d00e4db6a
Comment 25 Michael Cronenworth 2017-10-11 16:16:02 UTC 
This is still broken with the latest update. I have run 'restorecon' on /dev, /etc, /bin, and /sbin. The same AVC messages are output.
Comment 26 Fedora Update System 2017-11-01 16:39:08 UTC 
selinux-policy-3.13.1-225.23.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 27 Jan 2017-11-14 07:16:39 UTC 
I seem to have the same issue or at least one that's very similar (SELinux is a complete mystery to me). Not sure if this is the right place to post this, because I'm running the F27 (non-modular) Server Beta.

I get the "/usr/libexec/postfix/postfix-script: line 122: /dev/null: Permission denied" error Michael Cronenworth described in Comment 15 and similar AVCs, the difference in my case is that the "tcontext" starts with "system_u" and not "unconfined_u".
I also get the "aliasesdb" and "chroot-update" AVCs from Rudd-O DragonFears Bug Report (Link in Comment 8).

The strange thing is that this only happens on my Raspberry Pi 3. I also run the x86_64-version of the F27 Server Beta in a VM, to test my configs, and there it works.

Both installs use selinux-policy-3.13.1-283.14.fc27.
Comment 28 Daniel Walsh 2017-11-15 15:21:09 UTC 
SELinux is a labeling system.  If you have files on the system labeled as unlabeled_t, then we need to assign labels to them.  Usually you can do this with restorecon.

restorecon -R -v PATHTOFILESWITHOUTLABELS.
Comment 29 Jan 2017-11-16 07:52:33 UTC 
I tried relabeling the whole filesystem, it didn't help.

The good news is that I got it working by creating this policy module with audit2allow:


module my-postfix 1.0;

require {
	type postfix_master_t;
	type unlabeled_t;
	class chr_file { open read write };
	class dir { search write };
}

#============= postfix_master_t ==============
allow postfix_master_t unlabeled_t:chr_file { open read write };
allow postfix_master_t unlabeled_t:dir { search write };
Comment 30 Fedora End Of Life 2017-11-16 18:44:48 UTC 
This message is a reminder that Fedora 25 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 25. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '25'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 25 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Comment 31 Jan 2018-04-05 14:19:55 UTC 
Created attachment 1417753 [details]
Jan / #31 - logs and stuff
Comment 32 Jan 2018-04-05 14:22:35 UTC 
I did some further testing, now that the F28 Beta is here. This has been done on a Raspberry Pi 3.


Fedora 28 Server Beta:

1. flash Fedora-Server-armhfp-28_Beta-1.3-sda.raw.xz and boot
2. do the initial setup and login
3. install postfix
4. start postfix --> it works!



Fedora 27 Server:

1. flash Fedora-Server-armhfp-27-1.6-sda.raw.xz and boot
2. do the initial setup and login
3. install postfix
4. start postfix --> fail
5. upgrade the system and reboot
6. start postfix --> fail
7. upgrade to Fedora 28
8. start postfix --> fail
9. autorelabeling the filesystem and reinstalling postfix
10. start postfix --> fail

So I guess the problem won't be fixed by installing a specific version of some package.


I have added an attachement with logs/errors from my main F27 installation. I don't think there is anything in there that's not already in this thread, but who knows.

I can try to look for additional information or to relabel certain files, but at the moment I don't know what to do or how to do it.
Comment 33 Fedora End Of Life 2018-05-03 07:59:30 UTC 
This message is a reminder that Fedora 26 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 26. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '26'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 26 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Comment 34 Fedora End Of Life 2018-05-29 11:46:17 UTC 
Fedora 26 changed to end-of-life (EOL) status on 2018-05-29. Fedora 26
is no longer maintained, which means that it will not receive any
further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 35 Michael Cronenworth 2018-05-29 13:07:35 UTC 
Still present in Fedora 28+.
Comment 36 Jan Kurik 2018-08-14 10:20:48 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.
Comment 37 Simon Sekidde 2018-12-20 17:44:01 UTC 
(In reply to Michael Cronenworth from comment #35)
> Still present in Fedora 28+.

What are the latest AVCs? Also include the full path for the inode number i.e. "ino=<value>" 

  find / -inum <value>
Comment 38 Zdenek Pytela 2019-06-26 09:31:26 UTC 
As this bug has been in NEEDINFO state for an extended period of time, we are going to close it due to inactivity with the resolution of NOTABUG.

Feel free to reopen the bugzilla if the issue persists.
Comment 39 Michael Cronenworth 2019-06-27 13:02:24 UTC 
I have lost access to the system exhibiting this issue so I will no longer be able to report on it.
Note You need to log in before you can comment on or make changes to this bug.