Created attachment 322954
Copy of AVC's from the audit log.

Description of problem:
I am getting AVC's when I reload the postfix config or run mailq.

Version-Release number of selected component (if applicable):
(tigger pts3) $ rpm -qa | grep -i selinux
libselinux-2.0.73-1.fc10.x86_64
libselinux-utils-2.0.73-1.fc10.x86_64
selinux-policy-3.5.13-11.fc10.noarch
selinux-policy-targeted-3.5.13-11.fc10.noarch
libselinux-python-2.0.73-1.fc10.x86_64
(tigger pts3) $ rpm -q postfix
postfix-2.5.5-1.fc10.x86_64
(tigger pts3) $

How reproducible:
Every time

Steps to Reproduce:
1. run postfix reload or mailq

Actual results:
AVC's in log

Expected results:
No AVC's

Additional info:
I ran setenforce 0 ; restorecon -v -R / ; setenforce 1 before I sent this bug to be sure it was not a labeling problem.
You or some program have labeled a file/directory named_conf_t, which should not be labeled this way.
# grep named_conf_t /etc/selinux/targeted/contexts/files/*
# ls -lZd /
Created attachment 323140
Output of "grep named_conf_t /etc/selinux/targeted/contexts/files/*"
I relabeled the machine again during a reboot and the problem seems to have gone away. I do not understand this, since I ran restorecon -vR / before the last policy update. After the reboot, ls -lZR only shows 3 files on the system with a named_conf_t context. Is there a difference between doing a restorecon -vR / and doing touch /.autorelabel and rebooting? Maybe that is what I do not understand. Sorry for the noise, and thanks for the help.
No, they should be equivalent. The only real difference is that /.autorelabel happens before most processes are started, so there is less chance of a process running with the wrong context and creating files with the wrong context after relabeling.
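The check suggested in comment 2 (grep the policy's file_contexts for named_conf_t, then compare against the labels actually on disk) is what restorecon -nv automates. The following is an added example, not code from this bug report or from the SELinux tools: a small Python reimplementation of that comparison. It assumes the setfiles rule that the last matching file_contexts entry wins; the file_contexts excerpt and the ls -Z style listing are constructed, with "/" mislabeled the way the report describes.

```python
import re

# Constructed excerpt in file_contexts format (not the real Fedora 10 policy file,
# which lives at /etc/selinux/targeted/contexts/files/file_contexts).
FILE_CONTEXTS = """\
/.*                         system_u:object_r:default_t:s0
/                           -d  system_u:object_r:root_t:s0
/etc(/.*)?                  system_u:object_r:etc_t:s0
/etc/postfix(/.*)?          system_u:object_r:postfix_etc_t:s0
/etc/named\\.conf            --  system_u:object_r:named_conf_t:s0
/var/named(/.*)?            system_u:object_r:named_zone_t:s0
/var/named/named\\.ca        --  system_u:object_r:named_conf_t:s0
/var/spool/postfix(/.*)?    system_u:object_r:postfix_spool_t:s0
"""

# Constructed `ls -Z`-style listing as (path, file kind, current context).
LISTING = [
    ("/", "d", "system_u:object_r:named_conf_t:s0"),  # the bad label from the report
    ("/etc/named.conf", "-", "system_u:object_r:named_conf_t:s0"),
    ("/etc/postfix/main.cf", "-", "system_u:object_r:postfix_etc_t:s0"),
    ("/var/spool/postfix/maildrop", "d", "system_u:object_r:named_conf_t:s0"),
    ("/var/named/named.ca", "-", "system_u:object_r:named_conf_t:s0"),
]

def parse_file_contexts(text):
    """Parse file_contexts lines into (anchored regex, file kind or None, context)."""
    specs = []
    for fields in (l.split() for l in text.splitlines() if l.strip()):
        # Optional middle field restricts the kind: -- regular file, -d directory, -l symlink.
        kind = fields[1][1] if len(fields) == 3 else None
        specs.append((re.compile("^" + fields[0] + "$"), kind, fields[-1]))
    return specs

def expected_context(specs, path, kind):
    """Context the policy assigns to path; last matching entry wins (setfiles rule, assumed)."""
    for regex, spec_kind, ctx in reversed(specs):
        if (spec_kind is None or spec_kind == kind) and regex.match(path):
            return ctx
    return None

def find_mislabeled(specs, listing):
    """Like `restorecon -nv`: (path, current, expected) for every entry the policy disagrees with."""
    return [(path, cur, want) for path, kind, cur in listing
            if (want := expected_context(specs, path, kind)) and want != cur]

if __name__ == "__main__":
    for path, cur, want in find_mislabeled(parse_file_contexts(FILE_CONTEXTS), LISTING):
        print(f"{path}: {cur} -> {want}")
```

Files that are legitimately named_conf_t (the named.conf and named.ca entries here) are left alone, which matches the three remaining hits comment 4 saw after the relabel.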