Bug 1474218 - SELinux is preventing (tmpwatch) from execute_no_trans access on the file /usr/sbin/tmpwatch.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: amavisd-new
Version: 26
Hardware: Unspecified
OS: Unspecified
Assignee: Juan Orti
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-07-24 07:30 UTC by Dick Marinus
Modified: 2017-07-31 06:24 UTC

Fixed In Version: amavisd-new-2.11.0-7.fc26
Last Closed: 2017-07-31 06:24:33 UTC
Type: Bug

Description Dick Marinus 2017-07-24 07:30:29 UTC
Raw Audit Messages
type=AVC msg=audit(1500839721.237:221753): avc:  denied  { execute_no_trans } for  pid=4712 comm="(tmpwatch)" path="/usr/sbin/tmpwatch" dev="sda3" ino=24769913 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpreaper_exec_t:s0 tclass=file permissive=0


Hash: (tmpwatch),init_t,tmpreaper_exec_t,file,execute_no_trans

audit2allow output:

module tmpwatch 1.0;

require {
	type tmpreaper_exec_t;
	type init_t;
	class file execute_no_trans;
}

#============= init_t ==============
allow init_t tmpreaper_exec_t:file execute_no_trans;
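
Added example (not part of the original report, and not code from setroubleshoot or audit2allow): a short Python parser showing how the Hash line and the proposed allow rule above follow from the raw AVC record, and flagging that the denied exec would have stayed in init_t. The function names are hypothetical, and joining several permissions with commas in the signature is an assumption.

```python
import re

# The AVC record from the bug description, reproduced as sample input.
SAMPLE = ('type=AVC msg=audit(1500839721.237:221753): avc:  denied  '
          '{ execute_no_trans } for  pid=4712 comm="(tmpwatch)" '
          'path="/usr/sbin/tmpwatch" dev="sda3" ino=24769913 '
          'scontext=system_u:system_r:init_t:s0 '
          'tcontext=system_u:object_r:tmpreaper_exec_t:s0 '
          'tclass=file permissive=0')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC audit record into a dict; None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None
    rec['result'] = m.group(1)
    rec['perms'] = m.group(2).split()
    # A context is user:role:type[:level]; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def signature(rec):
    """Rebuild the 'Hash:' line (comma-joining several perms is assumed)."""
    return ','.join([rec.get('comm', ''), rec['stype'], rec['ttype'],
                     rec['tclass']] + rec['perms'])


def allow_rule(rec):
    """The rule audit2allow derives; returned for review, not for loading."""
    perms = rec['perms']
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {p};"


def ran_without_transition(rec):
    """True if init_t was denied executing a file in its own domain."""
    return (rec['result'] == 'denied' and rec['stype'] == 'init_t'
            and 'execute_no_trans' in rec['perms'])
```

A record for which `ran_without_transition` is true means the binary would have run in init_t itself; loading the generated rule would permit exactly that, so such denials are worth triaging before any local policy module is built.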

Comment 1 Dick Marinus 2017-07-24 07:35:02 UTC
Oh, I think tmpwatch is called from amavisd-new.

Comment 2 Juan Orti 2017-07-24 10:43:56 UTC
This is because of bug #1468846; basically, PrivateDevices=true is unusable in F26.

Please test this update:
https://bodhi.fedoraproject.org/updates/FEDORA-2017-7705a5aa55

Comment 3 Fedora Update System 2017-07-24 11:53:42 UTC
amavisd-new-2.11.0-7.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7705a5aa55

Comment 4 Fedora Update System 2017-07-31 06:24:33 UTC
amavisd-new-2.11.0-7.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

