Description of problem:
SELinux is preventing milter-greylist from creating the needed socket file /run/milter-greylist/milter-greylist.sock with "avc: denied { dac_override }"

Version-Release number of selected component (if applicable):
milter-greylist-4.6.2-7.fc29.x86_64
selinux-policy-3.14.2-48.fc29.noarch
kernel-4.20.8-200.fc29.x86_64

How reproducible:
Install fresh Fedora 29 system with milter-greylist package.

Steps to Reproduce:
1. dnf install milter-greylist
2. systemctl start milter-greylist.service

Actual results:
milter-greylist failed to start. journalctl -u milter-greylist reports:
greylist: Unable to bind to port /run/milter-greylist/milter-greylist.sock: Permission denied
greylist: Unable to create listening socket on conn /run/milter-greylist/milter-greylist.sock
/usr/sbin/milter-greylist: failed to open socket: /run/milter-greylist/milter-greylist.sock

Expected results:
milter-greylist creates socket file /run/milter-greylist/milter-greylist.sock

Additional info:
----
time->Sun Feb 17 19:50:12 2019
type=PROCTITLE msg=audit(1550429412.086:412): proctitle=2F7573722F7362696E2F6D696C7465722D677265796C697374002D44
type=PATH msg=audit(1550429412.086:412): item=1 name="/run/milter-greylist/milter-greylist.sock" nametype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1550429412.086:412): item=0 name="/run/milter-greylist/" inode=34871 dev=00:16 mode=040710 ouid=987 ogid=12 rdev=00:00 obj=system_u:object_r:greylist_milter_data_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1550429412.086:412): cwd="/"
type=SOCKADDR msg=audit(1550429412.086:412): saddr=01002F72756E2F6D696C7465722D677265796C6973742F6D696C7465722D677265796C6973742E736F636B00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1550429412.086:412): arch=c000003e syscall=49 success=no exit=-13 a0=5 a1=7ffe142488e0 a2=6e a3=555ddb55f010 items=2 ppid=1 pid=25605 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="milter-greylist" exe="/usr/sbin/milter-greylist" subj=system_u:system_r:greylist_milter_t:s0 key=(null)
type=AVC msg=audit(1550429412.086:412): avc: denied { dac_override } for pid=25605 comm="milter-greylist" capability=1 scontext=system_u:system_r:greylist_milter_t:s0 tcontext=system_u:system_r:greylist_milter_t:s0 tclass=capability permissive=0
----
Easy workaround for me (based on information from https://danwalsh.livejournal.com/79643.html) is to change the owner of the /run/milter-greylist directory from 'grmilter' to 'root'. But this should be fixed in the package itself.
(In reply to rhg from comment #1)
> But this should be fixed in the package itself.

...to be more specific, /usr/lib/tmpfiles.d/milter-greylist.conf should be modified from

d /run/milter-greylist 0710 grmilter mail

to

d /run/milter-greylist 0710 root mail
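Added example, not part of the original report or the package: it replays the owner/group/other check from the audit fields quoted above to show why root needs dac_override on a grmilter-owned 0710 directory and why root ownership removes that need. The function names are hypothetical, and it assumes the process has no supplementary groups (the audit record does not list them) and that no POSIX ACLs are set.

```python
import re

# Constructed sample: fields copied from the PATH (item=0), SYSCALL and
# PROCTITLE records quoted in the report above.
PARENT_RECORD = ('type=PATH msg=audit(1550429412.086:412): item=0 '
                 'name="/run/milter-greylist/" inode=34871 dev=00:16 '
                 'mode=040710 ouid=987 ogid=12 rdev=00:00 nametype=PARENT')
SYSCALL_RECORD = ('type=SYSCALL msg=audit(1550429412.086:412): arch=c000003e '
                  'syscall=49 success=no exit=-13 uid=0 gid=0 fsuid=0 fsgid=0 '
                  'comm="milter-greylist"')
PROCTITLE_HEX = "2F7573722F7362696E2F6D696C7465722D677265796C697374002D44"

def fields(record):
    """Split an audit record into a key -> value dict (quotes stripped)."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', record)
    return {key: value.strip('"') for key, value in pairs}

def decode_proctitle(hex_value):
    """PROCTITLE is the hex-encoded argv, arguments separated by NUL."""
    return bytes.fromhex(hex_value).decode().split("\0")

def needs_dac_override(mode, ouid, ogid, fsuid, fsgid, groups=(), want=0o3):
    """True if the classic mode bits refuse `want` (default w+x, which is
    what creating a socket inside a directory requires). In that case the
    kernel falls back to CAP_DAC_OVERRIDE, which SELinux then mediates."""
    if fsuid == ouid:
        granted = (mode >> 6) & 7          # owner bits
    elif ogid == fsgid or ogid in groups:
        granted = (mode >> 3) & 7          # group bits
    else:
        granted = mode & 7                 # other bits
    return (granted & want) != want

def analyse(parent_record, syscall_record, owner_override=None):
    """Evaluate the bind() from the report; owner_override simulates the
    proposed tmpfiles.d change (directory owned by uid 0)."""
    p, s = fields(parent_record), fields(syscall_record)
    ouid = int(p["ouid"]) if owner_override is None else owner_override
    return needs_dac_override(int(p["mode"], 8), ouid, int(p["ogid"]),
                              int(s["fsuid"]), int(s["fsgid"]))

if __name__ == "__main__":
    print("argv:", decode_proctitle(PROCTITLE_HEX))
    print("as packaged, dac_override needed:",
          analyse(PARENT_RECORD, SYSCALL_RECORD))
    print("root-owned, dac_override needed:",
          analyse(PARENT_RECORD, SYSCALL_RECORD, owner_override=0))
```
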
milter-greylist-4.6.2-9.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-0da7ffa400
milter-greylist-4.6.2-9.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-492d39dd14
milter-greylist-4.6.2-9.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-65b7b30a57
Hadn't noticed this as I added local policy for it as a workaround when the denials first happened and then forgot all about fixing it! Thanks for the report.
milter-greylist-4.6.2-9.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-492d39dd14
milter-greylist-4.6.2-9.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-0da7ffa400
milter-greylist-4.6.2-9.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-65b7b30a57
milter-greylist-4.6.2-9.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
milter-greylist-4.6.2-9.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
milter-greylist-4.6.2-9.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.