Bug 1678038 - milter-greylist can not create socket in /run/milter-greylist/
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: milter-greylist
Version: 29
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Paul Howarth
QA Contact: Fedora Extras Quality Assurance
 
Reported: 2019-02-17 19:15 UTC by rgessner
Modified: 2019-04-02 02:14 UTC (History)

Fixed In Version: milter-greylist-4.6.2-9.fc30 milter-greylist-4.6.2-9.fc28 milter-greylist-4.6.2-9.fc29
Last Closed: 2019-03-29 19:20:06 UTC
Type: Bug

Description rgessner 2019-02-17 19:15:33 UTC
Description of problem:

SELinux is preventing milter-greylist from creating the needed socket file /run/milter-greylist/milter-greylist.sock with "avc: denied { dac_override }"


Version-Release number of selected component (if applicable):
milter-greylist-4.6.2-7.fc29.x86_64
selinux-policy-3.14.2-48.fc29.noarch
kernel-4.20.8-200.fc29.x86_64


How reproducible:

Install a fresh Fedora 29 system with the milter-greylist package.

Steps to Reproduce:
1. dnf install milter-greylist
2. systemctl start milter-greylist.service


Actual results:
milter-greylist failed to start.
journalctl -u milter-greylist reports:
greylist: Unable to bind to port /run/milter-greylist/milter-greylist.sock: Permission denied
greylist: Unable to create listening socket on conn /run/milter-greylist/milter-greylist.sock
/usr/sbin/milter-greylist: failed to open socket: /run/milter-greylist/milter-greylist.sock


Expected results:
milter-greylist creates the socket file /run/milter-greylist/milter-greylist.sock


Additional info:

----
time->Sun Feb 17 19:50:12 2019
type=PROCTITLE msg=audit(1550429412.086:412): proctitle=2F7573722F7362696E2F6D696C7465722D677265796C697374002D44
type=PATH msg=audit(1550429412.086:412): item=1 name="/run/milter-greylist/milter-greylist.sock" nametype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1550429412.086:412): item=0 name="/run/milter-greylist/" inode=34871 dev=00:16 mode=040710 ouid=987 ogid=12 rdev=00:00 obj=system_u:object_r:greylist_milter_data_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1550429412.086:412): cwd="/"
type=SOCKADDR msg=audit(1550429412.086:412): saddr=01002F72756E2F6D696C7465722D677265796C6973742F6D696C7465722D677265796C6973742E736F636B00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1550429412.086:412): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffe142488e0 a2=6e a3=555ddb55f010 items=2 ppid=1 pid=25605 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="milter-greylist" exe="/usr/sbin/milter-greylist" subj=system_u:system_r:greylist_milter_t:s0 key=(null)
type=AVC msg=audit(1550429412.086:412): avc:  denied  { dac_override } for  pid=25605 comm="milter-greylist" capability=1  scontext=system_u:system_r:greylist_milter_t:s0 tcontext=system_u:system_r:greylist_milter_t:s0 tclass=capability permissive=0
----

Comment 1 rgessner 2019-02-18 16:01:50 UTC
Easy workaround for me (based on information from https://danwalsh.livejournal.com/79643.html) is to change the owner of the /run/milter-greylist directory from 'grmilter' to 'root'.


But this should be fixed in the package itself.

Comment 2 rgessner 2019-02-18 21:56:58 UTC
(In reply to rhg from comment #1)

> But this should be fixed in the package itself.

...to be more specific, /usr/lib/tmpfiles.d/milter-greylist.conf should be modified

from

d /run/milter-greylist 0710 grmilter mail

to

d /run/milter-greylist 0710 root mail
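
Added example (not part of the original report or of the milter-greylist package): the audit event above, read the way the kernel's DAC check reads it, to show why bind() (syscall 49, exit -13) by a uid-0 process needed CAP_DAC_OVERRIDE on a grmilter-owned 0710 directory and why the root-owned entry does not. The records are trimmed copies of the ones in the description; `extra_gids` is a hypothetical parameter, since supplementary groups do not appear in the audit record.

```python
import re

# Fields below are copied from the audit event quoted in this report
# (records trimmed to the keys the check uses).
PATH_PARENT = ('type=PATH item=0 name="/run/milter-greylist/" mode=040710 '
               'ouid=987 ogid=12 nametype=PARENT')
SYSCALL = 'type=SYSCALL syscall=49 success=no exit=-13 fsuid=0 fsgid=0'
PROCTITLE = "2F7573722F7362696E2F6D696C7465722D677265796C697374002D44"

def fields(record):
    """Split one audit record into a key -> value dict, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def decode_proctitle(hex_value):
    """PROCTITLE is hex-encoded argv with NUL separators."""
    return " ".join(a.decode() for a in bytes.fromhex(hex_value).split(b"\0"))

def dac_bits(mode, ouid, ogid, fsuid, gids):
    """Pick the rwx triplet the kernel applies: owner, else group, else other."""
    if fsuid == ouid:
        return (mode >> 6) & 7
    if ogid in gids:
        return (mode >> 3) & 7
    return mode & 7

def needs_dac_override(path_record, syscall_record, extra_gids=()):
    """True if creating an entry in the directory requires CAP_DAC_OVERRIDE.

    Creating a socket needs write (2) and search (1) on the parent directory.
    Assumption: supplementary groups are not in the audit record, so they are
    passed in via the hypothetical extra_gids parameter (empty by default).
    """
    p, s = fields(path_record), fields(syscall_record)
    gids = {int(s["fsgid"]), *extra_gids}
    bits = dac_bits(int(p["mode"], 8), int(p["ouid"]), int(p["ogid"]),
                    int(s["fsuid"]), gids)
    return (bits & 3) != 3

if __name__ == "__main__":
    print(decode_proctitle(PROCTITLE))
    # tmpfiles.d entry as shipped: owner grmilter (ouid 987), mode 0710
    print("grmilter-owned:", needs_dac_override(PATH_PARENT, SYSCALL))
    # entry proposed in comment 2: owner root
    root_owned = PATH_PARENT.replace("ouid=987", "ouid=0")
    print("root-owned:", needs_dac_override(root_owned, SYSCALL))
```
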

Comment 3 Fedora Update System 2019-03-24 17:07:01 UTC
milter-greylist-4.6.2-9.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-0da7ffa400

Comment 4 Fedora Update System 2019-03-24 17:07:09 UTC
milter-greylist-4.6.2-9.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-492d39dd14

Comment 5 Fedora Update System 2019-03-24 17:07:17 UTC
milter-greylist-4.6.2-9.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-65b7b30a57

Comment 6 Paul Howarth 2019-03-24 17:24:04 UTC
Hadn't noticed this as I added local policy for it as a workaround when the denials first happened and then forgot all about fixing it! Thanks for the report.

Comment 7 Fedora Update System 2019-03-25 03:49:00 UTC
milter-greylist-4.6.2-9.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-492d39dd14

Comment 8 Fedora Update System 2019-03-25 05:10:22 UTC
milter-greylist-4.6.2-9.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-0da7ffa400

Comment 9 Fedora Update System 2019-03-25 06:48:50 UTC
milter-greylist-4.6.2-9.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-65b7b30a57

Comment 10 Fedora Update System 2019-03-29 19:20:06 UTC
milter-greylist-4.6.2-9.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2019-04-02 01:36:24 UTC
milter-greylist-4.6.2-9.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2019-04-02 02:14:10 UTC
milter-greylist-4.6.2-9.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

