Bug 186309 - AVC denied messages at postfix startup
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
All Linux
medium Severity medium
Assigned To: Russell Coker
Reported: 2006-03-22 15:33 EST by Ville Skyttä
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-04-04 05:30:10 EDT
Description Ville Skyttä 2006-03-22 15:33:08 EST
selinux-policy-targeted-2.2.23-15 on FC5 x86_64: these messages appear in 
syslog when (re)starting postfix: 
Mar 22 22:35:29 viper kernel: audit(1143059729.278:138): avc:  denied  { getattr } for  pid=3593 comm="sh" name="mailq.postfix.1.gz" dev=sda3 ino=12700940 scontext=user_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=file
Mar 22 22:35:29 viper kernel: audit(1143059729.602:139): avc:  denied  { ioctl } for  pid=3620 comm="find" name="2" dev=devpts ino=4 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
Comment 1 Anthony Messina 2006-03-24 23:30:22 EST
I confirm the same problem.
Comment 2 Daniel Walsh 2006-04-03 13:02:40 EDT
Are you seeing this in Enforcing mode?
Comment 3 Ville Skyttä 2006-04-03 16:36:31 EDT
Not with selinux-policy-targeted-2.2.25-3.fc5, so assuming fixed.  The previous
messages I posted were produced in permissive mode.
Comment 4 Ville Skyttä 2006-04-03 17:02:02 EDT
Interesting, the messages still appear in permissive mode.
Comment 5 Ville Skyttä 2006-04-03 17:03:26 EDT
To clarify, only this message appeared in my last bootup in permissive mode, no
more the "find" one from the initial comment:

Apr  4 00:03:14 viper kernel: audit(1144098190.429:5): avc:  denied  { getattr } for  pid=2176 comm="sh" name="mailq.postfix.1.gz" dev=sda3 ino=12700923 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:man_t:s0 tcla

Comment 6 Daniel Walsh 2006-04-04 05:30:10 EDT
We don't usually concern ourselves with permissive mode AVC messages.  In strict
policy a dontaudit rule is probably preventing the application from getting this
far, so the AVC never appears.
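
Added example, not part of the bug report or of the selinux-policy project: a small Python parser for the kernel AVC denial lines quoted in this report. It reduces each record to the (source type, target type, class, permissions) tuple that a policy rule such as the dontaudit mentioned in Comment 6 is written against, and sets aside records that lack a field. The function names and the generated rule text are illustrative assumptions, not rules taken from the Fedora policy.

```python
import re
from collections import defaultdict

# Constructed sample: the three records from this report on single lines.
# The second has no scontext and the third is cut off, exactly as on the page.
SAMPLE = [
    'Mar 22 22:35:29 viper kernel: audit(1143059729.278:138): avc:  denied  { getattr } for  pid=3593 comm="sh" name="mailq.postfix.1.gz" dev=sda3 ino=12700940 scontext=user_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=file',
    'Mar 22 22:35:29 viper kernel: audit(1143059729.602:139): avc:  denied  { ioctl } for  pid=3620 comm="find" name="2" dev=devpts ino=4 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file',
    'Apr  4 00:03:14 viper kernel: audit(1144098190.429:5): avc:  denied  { getattr } for  pid=2176 comm="sh" name="mailq.postfix.1.gz" dev=sda3 ino=12700923 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:man_t:s0 tcla',
]

AVC_RE = re.compile(r'audit\(\d+\.\d+:(?P<serial>\d+)\): avc:\s+denied\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    rec['serial'] = int(m.group('serial'))
    return rec

def type_of(context):
    """Extract the type from user:role:type[:level]; None if absent or malformed."""
    parts = (context or '').split(':')
    return parts[2] if len(parts) >= 3 else None

def summarize(lines):
    """Group complete denials by (source type, target type, class).
    Records missing any of the three go to a list of audit serial numbers."""
    complete, incomplete = defaultdict(set), []
    for rec in filter(None, map(parse_avc, lines)):
        key = (type_of(rec.get('scontext')), type_of(rec.get('tcontext')), rec.get('tclass'))
        if None in key:
            incomplete.append(rec['serial'])  # truncated or partial record
        else:
            complete[key].update(rec['perms'])
    return dict(complete), incomplete

def rule_text(keyword, key, perms):
    """Format a candidate rule (keyword is 'allow' or 'dontaudit') for review."""
    src, tgt, cls = key
    return f"{keyword} {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"

if __name__ == "__main__":
    groups, skipped = summarize(SAMPLE)
    for key, perms in groups.items():
        print(rule_text("dontaudit", key, perms))
    print("incomplete records (audit serials):", skipped)
```
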
