Description of problem: Starting postgrey service from systemctl (systemctl start postgrey) leads to the AVC described below. Using same command from command line doesn't produce the AVC. Actual results: SELinux is preventing 706F737467726579202D2D756E6978 from map access on the file /var/spool/postfix/postgrey/__db.001. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that 706F737467726579202D2D756E6978 should be allowed map access on the __db.001 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c '706F737467726579202D2D756E6978' --raw | audit2allow -M my-706F737467726579202D2D756E6978 # semodule -X 300 -i my-706F737467726579202D2D756E6978.pp Additional Information: Source Context system_u:system_r:postgrey_t:s0 Target Context unconfined_u:object_r:postgrey_spool_t:s0 Target Objects /var/spool/postfix/postgrey/__db.001 [ file ] Source 706F737467726579202D2D756E6978 Source Path 706F737467726579202D2D756E6978 Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.17.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name uranus.ekohler.net Platform Linux uranus.ekohler.net 4.14.8-300.fc27.x86_64 #1 SMP Wed Dec 20 19:00:18 UTC 2017 x86_64 x86_64 Alert Count 1 First Seen 2017-12-26 20:28:38 CET Last Seen 2017-12-26 20:28:38 CET Local ID 10a9948e-f014-420a-8784-a87bf8ad531a Raw Audit Messages type=AVC msg=audit(1514316518.456:792): avc: denied { map } for pid=3122 comm=706F737467726579202D2D756E6978 path="/var/spool/postfix/postgrey/__db.001" dev="sda3" ino=130564 scontext=system_u:system_r:postgrey_t:s0 tcontext=unconfined_u:object_r:postgrey_spool_t:s0 tclass=file permissive=0 Hash: 706F737467726579202D2D756E6978,postgrey_t,postgrey_spool_t,file,map Additional info: Had to put Selinux in permissive mode as no way to create a policy with suggested command: # ausearch -c '706F737467726579202D2D756E6978' --raw
selinux-policy-3.13.1-283.20.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
selinux-policy-3.13.1-283.20.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
selinux-policy-3.13.1-283.21.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4
Working. Thanks.
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.