Bug 1678040 - milter-regex can not create socket in /var/spool/milter-regex
Summary: milter-regex can not create socket in /var/spool/milter-regex
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: milter-regex
Version: 29
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Paul Howarth
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-02-17 19:29 UTC by rgessner
Modified: 2019-04-02 02:14 UTC (History)
2 users (show)

Fixed In Version: milter-regex-2.2-3.fc30 milter-regex-2.2-3.fc28 milter-regex-2.2-3.fc29
Clone Of:
Environment:
Last Closed: 2019-03-29 19:20:07 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description rgessner 2019-02-17 19:29:52 UTC 
Description of problem:

Selinux is preventing milter-regex to create the needed socket file /var/spool/milter-regex/sock with "avc: denied { dac_override }"


Version-Release number of selected component (if applicable):
milter-regex-2.2-1.fc29.x86_64
selinux-policy-3.14.2-48.fc29.noarch
kernel-4.20.8-200.fc29.x86_64

How reproducible:

Install fresh fedora29 system with milter-regex package.

Steps to Reproduce:
1. dnf install milter-regex
2. systemctl start milter-regex.service


Actual results:
Job for milter-regex.service failed because the control process exited with error code.
See "systemctl status milter-regex.service" and "journalctl -xe" for details.

journalctl reports:
milter-regex: Unable to bind to port unix:/var/spool/milter-regex/sock: Permission denied
milter-regex: Unable to create listening socket on conn unix:/var/spool/milter-regex/sock



Expected results:

milter-regex creates the socket file /var/spool/milter-regex/sock


Additional info:

# ls -ldZ /var/spool/milter-regex/
drwxr-xr-x. 2 mregex mregex system_u:object_r:regex_milter_data_t:s0 6 Sep 27 11:36 /var/spool/milter-regex/

# ls -lZ /usr/sbin/milter-regex
-rwxr-xr-x. 1 root root system_u:object_r:regex_milter_exec_t:s0 49368 Sep 27 11:36 /usr/sbin/milter-regex



----
time->Sun Feb 17 20:21:04 2019
type=PROCTITLE msg=audit(1550431264.377:496): proctitle="/usr/sbin/milter-regex"
type=PATH msg=audit(1550431264.377:496): item=1 name="/var/spool/milter-regex/sock" nametype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1550431264.377:496): item=0 name="/var/spool/milter-regex/" inode=25688368 dev=fd:00 mode=040755 ouid=985 ogid=985 rdev=00:00 obj=system_u:object_r:regex_milter_data_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1550431264.377:496): cwd="/"
type=SOCKADDR msg=audit(1550431264.377:496): saddr=01002F7661722F73706F6F6C2F6D696C7465722D72656765782F736F636B0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1550431264.377:496): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=7ffd277f4fd0 a2=6e a3=fffffffffffff877 items=2 ppid=1 pid=26359 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="milter-regex" exe="/usr/sbin/milter-regex" subj=system_u:system_r:regex_milter_t:s0 key=(null)
type=AVC msg=audit(1550431264.377:496): avc:  denied  { dac_override } for  pid=26359 comm="milter-regex" capability=1  scontext=system_u:system_r:regex_milter_t:s0 tcontext=system_u:system_r:regex_milter_t:s0 tclass=capability permissive=0
----
Comment 1 rgessner 2019-02-18 16:03:19 UTC 
Easy workaround for me (based on information from https://danwalsh.livejournal.com/79643.html) is to change the owner of the /var/spool/milter-regex/ directory from 'mregex' to 'root'.


But this should be fixed in the package itself.
Comment 2 Fedora Update System 2019-03-24 17:40:44 UTC 
milter-regex-2.2-3.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-2610d848f3
Comment 3 Fedora Update System 2019-03-24 17:40:52 UTC 
milter-regex-2.2-3.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e3243a1930
Comment 4 Fedora Update System 2019-03-24 17:40:59 UTC 
milter-regex-2.2-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2019-609fdb3805
Comment 5 Fedora Update System 2019-03-25 03:49:00 UTC 
milter-regex-2.2-3.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-2610d848f3
Comment 6 Fedora Update System 2019-03-25 05:10:23 UTC 
milter-regex-2.2-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-609fdb3805
Comment 7 Fedora Update System 2019-03-25 06:48:52 UTC 
milter-regex-2.2-3.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e3243a1930
Comment 8 Fedora Update System 2019-03-29 19:20:07 UTC 
milter-regex-2.2-3.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2019-04-02 01:36:25 UTC 
milter-regex-2.2-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2019-04-02 02:14:11 UTC 
milter-regex-2.2-3.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.