Red Hat Bugzilla – Bug 470665
Numerous AVC's from postfix
Last modified: 2008-11-11 08:39:42 EST
Created attachment 322954
Copy of AVC's from the audit log.
Description of problem:
I am getting AVC's when I reload the postfix config or run mailq.
Version-Release number of selected component (if applicable):
(tigger pts3) $ rpm -qa | grep -i selinux
(tigger pts3) $ rpm -q postfix
(tigger pts3) $
Steps to Reproduce:
1. run postfix reload or mailq
AVC's in log
I ran setenforce 0 ; restorecon -v -R / ; setenforce 1 before I sent this bug to be sure it was not a labeling problem.
You or some program have labeled a file/directory named_conf_t, that should not be labeled this.
# grep named_conf_t /etc/selinux/targeted/contexts/files/*
# ls -lZd /
Created attachment 323140
Output of "grep named_conf_t /etc/selinux/targeted/contexts/files/*"
I relabeled the machine again during a reboot and the problem seems to have gone away. I do not understand this since I ran restorecon -vR / before the last policy update. After the reboot ls -lZR only shows 3 files on the system with a named_conf_t context.
Is there a difference between doing a restorecon -vR / and doing touch /.autorelabel and rebooting? Maybe that is what I do not understand.
Sorry for the noise and thanks for the help.
No, they should be equivalent. The only real difference is /.autorelabel happens before most processes are started so there is less chance of a process running with the wrong context and creating files with the wrong context after relabeling.
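An added example, not part of the original bug report: a shell helper that groups AVC denials by source domain and target type, so an out-of-place type such as named_conf_t in postfix denials stands out as a labeling problem. The sample records are constructed for illustration (the bug's attachment is not reproduced here), and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample audit records; not taken from the bug's attachment.
sample_avcs() {
cat <<'EOF'
type=AVC msg=audit(1226400000.101:41): avc:  denied  { read } for  pid=2101 comm="postfix" name="main.cf" dev=dm-0 ino=1001 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1226400000.101:41): arch=40000003 syscall=5 success=no exit=-13 comm="postfix"
type=AVC msg=audit(1226400000.202:42): avc:  denied  { getattr } for  pid=2101 comm="postfix" name="main.cf" dev=dm-0 ino=1001 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=AVC msg=audit(1226400001.303:43): avc:  denied  { search } for  pid=2150 comm="postqueue" name="postfix" dev=dm-0 ino=1000 scontext=system_u:system_r:postfix_postqueue_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir
EOF
}

# Read audit records on stdin and print "count source_domain target_type tclass",
# most frequent first. Non-AVC records are skipped.
summarize_avcs() {
  awk '
    /avc: +denied/ {
      s = ""; t = ""; c = ""
      for (i = 1; i <= NF; i++) {
        # A context is user:role:type:level, so the type is the third field.
        if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
        else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
      }
      if (s != "" && t != "") n[s " " t " " c]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k1,1nr -k2
}

# List the distinct object names denied under one target type, e.g. named_conf_t.
names_for_type() {
  awk -v want="$1" '
    /avc: +denied/ {
      name = ""; t = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^name=/)          { name = substr($i, 6); gsub(/"/, "", name) }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
      }
      if (t == want && name != "") print name
    }
  ' | sort -u
}

sample_avcs | summarize_avcs
```

The names printed by `names_for_type` are basenames only; `restorecon -n -v` on the matching paths shows which label the policy expects without changing anything.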