Description of problem:
SELinux is preventing /usr/sbin/smtpctl from 'write' accesses on the directory /var/spool/smtpd/offline/.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that smtpctl should be allowed write access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sendmail' --raw | audit2allow -M my-sendmail
# semodule -X 300 -i my-sendmail.pp

Additional Information:
Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:mail_spool_t:s0
Target Objects                /var/spool/smtpd/offline/ [ dir ]
Source                        sendmail
Source Path                   /usr/sbin/smtpctl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           opensmtpd-7.6.0p1-1.fc41.x86_64
Target RPM Packages           opensmtpd-7.6.0p1-1.fc41.x86_64
SELinux Policy RPM            selinux-policy-targeted-41.28-1.fc41.noarch
Local Policy RPM              selinux-policy-targeted-41.28-1.fc41.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.12.8-200.fc41.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jan 2 19:26:03 UTC 2025 x86_64
Alert Count                   2
First Seen                    2025-01-28 03:42:03 EST
Last Seen                     2025-01-29 03:12:01 EST
Local ID                      d2b3810f-489a-4ec8-a910-aaf205b4d882

Raw Audit Messages
type=AVC msg=audit(1738138321.686:441192): avc:  denied  { write } for  pid=854701 comm="sendmail" name="offline" dev="dm-4" ino=395366 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0

type=SYSCALL msg=audit(1738138321.686:441192): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7ffdfd78d0d0 a2=c2 a3=180 items=1 ppid=854612 pid=854701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=917 sgid=917 fsgid=917 tty=(none) ses=4294967295 comm=sendmail exe=/usr/sbin/smtpctl subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)

type=CWD msg=audit(1738138321.686:441192): cwd=/

type=PATH msg=audit(1738138321.686:441192): item=0 name=/var/spool/smtpd/offline/ inode=395366 dev=fd:04 mode=040770 ouid=0 ogid=917 rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Hash: sendmail,logwatch_t,mail_spool_t,dir,write

Version-Release number of selected component:
selinux-policy-targeted-41.28-1.fc41.noarch

Additional info:
reporter:       libreport-2.17.15
hashmarkername: setroubleshoot
kernel:         6.12.8-200.fc41.x86_64
reason:         SELinux is preventing /usr/sbin/smtpctl from 'write' accesses on the directory /var/spool/smtpd/offline/.
component:      selinux-policy
type:           libreport
package:        selinux-policy-targeted-41.28-1.fc41.noarch
component:      selinux-policy
Created attachment 2074371 [details] File: os_info
Created attachment 2074372 [details] File: description
*** Bug 2345752 has been marked as a duplicate of this bug. ***
Still an issue in Fedora 42.
By the way, creating a local policy per the instructions does not work for some reason:

```
# ausearch -c 'sendmail' --raw | audit2allow -M my-sendmail
```

produces:

```
# cat my-sendmail.te
module my-sendmail 1.0;

require {
	type logwatch_t;
	type mail_spool_t;
	type sendmail_var_run_t;
	class sock_file write;
	class dir write;
}

#============= logwatch_t ==============
allow logwatch_t mail_spool_t:dir write;
allow logwatch_t sendmail_var_run_t:sock_file write;
```

but loading this via `semodule -X 300 -i my-sendmail.pp` does not help. The labeling of `/var/spool/smtpd` seems correct:

```
]# ls -lZ /var/spool/smtpd/
total 20
drwx------.   2 smtpq root  system_u:object_r:mail_spool_t:s0 4096 Apr 18 06:56 incoming
drwxrwx---.   2 root  smtpq system_u:object_r:mail_spool_t:s0 4096 Apr 17 14:35 offline
drwx------.   4 smtpq root  system_u:object_r:mail_spool_t:s0 4096 Apr 17 14:35 purge
drwx------. 241 smtpq root  system_u:object_r:mail_spool_t:s0 4096 Apr 17 14:35 queue
drwx------.   2 smtpq root  system_u:object_r:mail_spool_t:s0 4096 Apr 18 06:56 temporary
# restorecon -rn /var/spool/smtpd/
<no output>
```
Hi, Can you check the scratchbuild in https://github.com/fedora-selinux/selinux-policy/pull/2812 Checks -> rawhide?
(In reply to Zdenek Pytela from comment #6)
> Hi,
>
> Can you check the scratchbuild in
>
> https://github.com/fedora-selinux/selinux-policy/pull/2812
> Checks -> rawhide?

Is there an easy way for me to test this on Fedora 42? When attempting to install the scratch build RPMs I get errors like this:

 Problem 1: conflicting requests
  - nothing provides policycoreutils >= 3.9 needed by selinux-policy-42.3-1.20250803182500759960.pr2812.7.g466a57e00.fc43.noarch from copr:copr.fedorainfracloud.org:packit:fedora-selinux-selinux-policy-2812
...
Let's wait for a regular build then, Fedora services are already up.
FEDORA-2025-d93e219f23 (selinux-policy-42.4-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-d93e219f23
FEDORA-2025-d93e219f23 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-d93e219f23`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-d93e219f23

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
The particular AVC in this report appears to be fixed by the update, but logwatch still does not work with opensmtpd. The SELinux troubleshooter does not appear to be working any more with bugzilla (404 error on report upload due to "None" component), but I will attach the plugin outputs here:

SELinux is preventing /usr/bin/smtpctl from connectto access on the unix_stream_socket /run/smtpd.sock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that smtpctl should be allowed connectto access on the smtpd.sock unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sendmail' --raw | audit2allow -M my-sendmail
# semodule -X 300 -i my-sendmail.pp

Additional Information:
Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context                system_u:system_r:sendmail_t:s0
Target Objects                /run/smtpd.sock [ unix_stream_socket ]
Source                        sendmail
Source Path                   /usr/bin/smtpctl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           opensmtpd-7.7.0p0-1.fc42.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-42.3-1.fc42.noarch
Local Policy RPM              selinux-policy-targeted-42.3-1.fc42.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux edison 6.15.7-200.fc42.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jul 17 17:57:16 UTC 2025 x86_64
Alert Count                   1
First Seen                    2025-08-05 03:17:03 EDT
Last Seen                     2025-08-05 03:17:03 EDT
Local ID                      6b63eab2-bbd0-4a04-bc7d-3fd88220ddf4

Raw Audit Messages
type=AVC msg=audit(1754378223.221:205740): avc:  denied  { connectto } for  pid=2191906 comm="sendmail" path="/run/smtpd.sock" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket permissive=0

type=SYSCALL msg=audit(1754378223.221:205740): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=7ffc64e36c90 a2=6e a3=0 items=1 ppid=2191813 pid=2191906 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=917 sgid=917 fsgid=917 tty=(none) ses=4294967295 comm=sendmail exe=/usr/bin/smtpctl subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)

type=CWD msg=audit(1754378223.221:205740): cwd=/

type=PATH msg=audit(1754378223.221:205740): item=0 name=/var/run/smtpd.sock inode=52492 dev=00:1b mode=0140666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sendmail_var_run_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Hash: sendmail,logwatch_t,sendmail_t,unix_stream_socket,connectto
And this one:

SELinux is preventing /usr/bin/smtpctl from write access on the sock_file /var/run/smtpd.sock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that smtpctl should be allowed write access on the smtpd.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sendmail' --raw | audit2allow -M my-sendmail
# semodule -X 300 -i my-sendmail.pp

Additional Information:
Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sendmail_var_run_t:s0
Target Objects                /var/run/smtpd.sock [ sock_file ]
Source                        sendmail
Source Path                   /usr/bin/smtpctl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           opensmtpd-7.7.0p0-1.fc42.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-42.4-1.fc42.noarch
Local Policy RPM              selinux-policy-targeted-42.4-1.fc42.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux edison 6.15.7-200.fc42.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jul 17 17:57:16 UTC 2025 x86_64
Alert Count                   1
First Seen                    2025-08-06 03:18:02 EDT
Last Seen                     2025-08-06 03:18:02 EDT
Local ID                      16f49663-6f06-4686-a76e-051259636c61

Raw Audit Messages
type=AVC msg=audit(1754464682.236:230951): avc:  denied  { write } for  pid=2700136 comm="sendmail" name="smtpd.sock" dev="tmpfs" ino=52492 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_var_run_t:s0 tclass=sock_file permissive=0

type=SYSCALL msg=audit(1754464682.236:230951): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=7ffe90fd4460 a2=6e a3=0 items=1 ppid=2700046 pid=2700136 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=917 sgid=917 fsgid=917 tty=(none) ses=4294967295 comm=sendmail exe=/usr/bin/smtpctl subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)

type=CWD msg=audit(1754464682.236:230951): cwd=/

type=PATH msg=audit(1754464682.236:230951): item=0 name=/var/run/smtpd.sock inode=52492 dev=00:1b mode=0140666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sendmail_var_run_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Hash: sendmail,logwatch_t,sendmail_var_run_t,sock_file,write
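The three denials quoted in this bug (the `dir write` from the original report, and the `unix_stream_socket connectto` and `sock_file write` from the two reports above) together with the `my-sendmail.te` module quoted earlier make a compact test case for a question that comes up whenever a locally generated module is loaded and the denials keep appearing: which of the observed AVCs does the module's rule set actually cover? The script below is an added example, not part of this bug report, setroubleshoot or audit2allow. The audit records and .te text embedded in it are constructed from the messages quoted in this thread (trimmed to the fields the check reads); `SAMPLE_AUDIT`, `SAMPLE_TE` and the function names are this example's own. It parses raw AVC records into (source type, target type, class, permission) tuples, parses plain `allow` rules from the module source into the same shape, and lists the denials that have no matching rule.

```python
"""Report AVC denials from a raw audit log that a local policy module's
allow rules do not cover.

Added example for this bug, not part of the report, setroubleshoot or
audit2allow.  SAMPLE_AUDIT and SAMPLE_TE are constructed from the records
quoted in this thread.  On a live host, SAMPLE_AUDIT would be the output of
`ausearch -m AVC --raw` and SAMPLE_TE the .te file audit2allow produced.
"""
import re
import sys

# Constructed sample: the three AVC records quoted in this bug, plus one
# SYSCALL record to show that non-AVC lines are ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1738138321.686:441192): avc:  denied  { write } for  pid=854701 comm="sendmail" name="offline" dev="dm-4" ino=395366 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mail_spool_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1738138321.686:441192): arch=x86_64 syscall=openat success=no exit=EACCES comm=sendmail exe=/usr/sbin/smtpctl
type=AVC msg=audit(1754378223.221:205740): avc:  denied  { connectto } for  pid=2191906 comm="sendmail" path="/run/smtpd.sock" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sendmail_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1754464682.236:230951): avc:  denied  { write } for  pid=2700136 comm="sendmail" name="smtpd.sock" dev="tmpfs" ino=52492 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sendmail_var_run_t:s0 tclass=sock_file permissive=0
"""

# The my-sendmail.te module as quoted earlier in this bug.
SAMPLE_TE = """\
module my-sendmail 1.0;

require {
        type logwatch_t;
        type mail_spool_t;
        type sendmail_var_run_t;
        class sock_file write;
        class dir write;
}

#============= logwatch_t ==============
allow logwatch_t mail_spool_t:dir write;
allow logwatch_t sendmail_var_run_t:sock_file write;
"""

# One AVC record per line: the permission set in braces, then the two
# security contexts and the object class.
AVC_RE = re.compile(
    r"type=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# allow <source> <target>:<class> <perm | { perm ... }>;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\w+)\s+(?P<tgt>\w+)\s*:\s*(?P<cls>\w+)\s+"
    r"(?P<perms>\{[^}]*\}|\w+)\s*;",
    re.MULTILINE,
)


def context_type(ctx: str) -> str:
    """Return the type component of a context user:role:type[:range]."""
    return ctx.split(":")[2]


def parse_denials(audit_text: str) -> set:
    """Map raw AVC records to (source type, target type, class, perm)."""
    denials = set()
    for m in AVC_RE.finditer(audit_text):
        src = context_type(m.group("scontext"))
        tgt = context_type(m.group("tcontext"))
        for perm in m.group("perms").split():
            denials.add((src, tgt, m.group("tclass"), perm))
    return denials


def parse_allow_rules(te_text: str) -> set:
    """Map plain allow rules in a .te source to the same tuple shape."""
    rules = set()
    for m in ALLOW_RE.finditer(te_text):
        for perm in m.group("perms").strip("{}").split():
            rules.add((m.group("src"), m.group("tgt"), m.group("cls"), perm))
    return rules


def uncovered_denials(audit_text: str, te_text: str) -> list:
    """Denials that no allow rule in the module matches, sorted."""
    return sorted(parse_denials(audit_text) - parse_allow_rules(te_text))


def main() -> None:
    missing = uncovered_denials(SAMPLE_AUDIT, SAMPLE_TE)
    if not missing:
        print("module covers every observed denial")
        return
    print("denials not covered by the module:")
    for src, tgt, cls, perm in missing:
        print(f"  {src} -> {tgt}:{cls} {perm}")
    sys.exit(1)


if __name__ == "__main__":
    main()
```

Run against the constructed input, the script reports `logwatch_t -> sendmail_t:unix_stream_socket connectto` as the one denial the quoted module has no rule for, which is the cross-domain access that PR 2818 addresses in the distribution policy. The comparison is deliberately literal: it only sees plain `allow` rules on named types, so rules expressed through attributes or interface macros, and accesses the base policy already permits, are invisible to it. Treat its output as a list of denials to investigate against the shipped policy, not as rules to add mechanically.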
Thanks for the update: https://github.com/fedora-selinux/selinux-policy/pull/2818
FEDORA-2025-d93e219f23 (selinux-policy-42.4-1.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.
Now that this issue is closed will there be a test build I can validate for pull 2818?