User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5 (.NET CLR 3.5.30729) Version: amavisd-new-2.4.5-1.el5 When run service amavisd restart I get the message: amavisd beenden: Error: /proc must be mounted To mount /proc at boot you need an /etc/fstab line like: /proc /proc proc defaults In the meantime, run "mount /proc /proc -t proc" Daemon [2389] terminated by SIGTERM [ OK ] amavisd stopped amavisd starten: [ OK ] Reproducible: Always Steps to Reproduce: 1. run service amavisd restart Actual Results: Getting the message above. Expected Results: restart without the messeage
I can confirm that I am also having this issue, except I am not experiencing it on all machines. Using the same package as Frank: [root@shrugged ~]$ service amavisd restart Shutting down amavisd: Error: /proc must be mounted To mount /proc at boot you need an /etc/fstab line like: /proc /proc proc defaults In the meantime, run "mount /proc /proc -t proc" Daemon [28085] terminated by SIGTERM [ OK ] amavisd stopped Starting amavisd: [ OK ] Note that there was an old thread that discussed this: http://old.nabble.com/-etc-init.d-amavisd-stop-Error-td21979008.html The uptime program is provided by the procps package, and I have updated to the latest version on all machines: procps.x86_64 3.2.7-18.el5 I still get the error. My dev server is running a slightly newer kernel and is not experiencing this issue: dev (2.6.18-274.el5) vs prod (2.6.18-238.el5) The oddity here is that if I do exactly what the system script is doing, I don't get the error: action $"Shutting down ${prog_base}:" ${prog} -c ${prog_config_file} stop Updating to the latest version of initscripts doesn't fix the problem either: initscripts-8.45.42-1.el5 I'm not sure exactly how to further troubleshoot/locate this issue. But it's rather annoying that every time amavis gets restarted this proc error gets generated.
OK, looking at the topic of the bug, it says "only in enforcing mode." I can confirm that the issue does not present in permissive mode: [root@shrugged ~]$ setenforce permissive [root@shrugged ~]$ service amavisd restart Shutting down amavisd: Daemon [28225] terminated by SIGTERM [ OK ] amavisd stopped Starting amavisd: [ OK ] [root@shrugged ~]$ setenforce enforcing [root@shrugged ~]$ service amavisd restart Shutting down amavisd: Error: /proc must be mounted To mount /proc at boot you need an /etc/fstab line like: /proc /proc proc defaults In the meantime, run "mount /proc /proc -t proc" Daemon [28261] terminated by SIGTERM [ OK ] amavisd stopped Starting amavisd: [ OK ] Here is the painful irony: In enforcing mode, there are no denials logged!! the system needs to be in permissive mode in order to even see the AVC denials: type=MAC_STATUS msg=audit(1333211543.148:58687): enforcing=0 old_enforcing=1 auid=501 ses=8891 type=SYSCALL msg=audit(1333211543.148:58687): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fffcc69c460 a2=1 a3=30733a745f6465 items=0 ppid=27960 pid=28239 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="setenforce" exe="/usr/sbin/setenforce" subj=user_u:system_r:unconfined_t:s0 key=(null) type=AVC msg=audit(1333211546.444:58688): avc: denied { read } for pid=28254 comm="uptime" name="utmp" dev=md1 ino=357728263 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file type=SYSCALL msg=audit(1333211546.444:58688): arch=c000003e syscall=2 success=yes exit=4 a0=340a1220f2 a1=0 a2=2 a3=0 items=0 ppid=28253 pid=28254 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:amavis_t:s0 key=(null) type=AVC msg=audit(1333211546.444:58689): avc: denied { lock } for pid=28254 comm="uptime" path="/var/run/utmp" dev=md1 ino=357728263 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file type=SYSCALL msg=audit(1333211546.444:58689): arch=c000003e syscall=72 success=yes exit=0 a0=4 a1=7 a2=7fff2445b700 a3=8 items=0 ppid=28253 pid=28254 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:amavis_t:s0 key=(null) type=MAC_STATUS msg=audit(1333211551.191:58690): enforcing=1 old_enforcing=0 auid=501 ses=8891 type=SYSCALL msg=audit(1333211551.191:58690): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fffa8f0fce0 a2=1 a3=30733a745f6465 items=0 ppid=27960 pid=28269 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="setenforce" exe="/usr/sbin/setenforce" subj=user_u:system_r:unconfined_t:s0 key=(null) So, it looks like there are selinux issues with trying to access uptime: [root@shrugged ~]$ ausearch -m avc -ts 12:00 ---- time->Sat Mar 31 16:32:26 2012 type=SYSCALL msg=audit(1333211546.444:58689): arch=c000003e syscall=72 success=yes exit=0 a0=4 a1=7 a2=7fff2445b700 a3=8 items=0 ppid=28253 pid=28254 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:amavis_t:s0 key=(null) type=AVC msg=audit(1333211546.444:58689): avc: denied { lock } for pid=28254 comm="uptime" path="/var/run/utmp" dev=md1 ino=357728263 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file ---- time->Sat Mar 31 16:32:26 2012 type=SYSCALL msg=audit(1333211546.444:58688): arch=c000003e syscall=2 success=yes exit=4 a0=340a1220f2 a1=0 a2=2 a3=0 items=0 ppid=28253 pid=28254 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:amavis_t:s0 key=(null) type=AVC msg=audit(1333211546.444:58688): avc: denied { read } for pid=28254 comm="uptime" name="utmp" dev=md1 ino=357728263 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file Into audit2allow: #============= amavis_t ============== allow amavis_t initrc_var_run_t:file { read lock }; Now, I'm not sure if this should be default SELinux policy or not, or if there should be a boolean... but this is what's causing the issue. It's not in amavis, and I'll be updating the bug appropriately.
[root@shrugged ~]$ rpm -qa | grep selinux libselinux-1.33.4-5.7.el5 libselinux-python-1.33.4-5.7.el5 libselinux-utils-1.33.4-5.7.el5 selinux-policy-2.4.6-300.el5 selinux-policy-targeted-2.4.6-300.el5 libselinux-ruby-1.33.4-5.7.el5
With the latest versions of the policy installed, this error persists: [root@atlas /var/log]$ rpm -qa | grep selinux-policy selinux-policy-targeted-2.4.6-327.el5 selinux-policy-2.4.6-327.el5 [root@atlas /var/log]$ service amavisd restart Shutting down amavisd: Error: /proc must be mounted To mount /proc at boot you need an /etc/fstab line like: /proc /proc proc defaults In the meantime, run "mount /proc /proc -t proc" Daemon [23101] terminated by SIGTERM [ OK ] amavisd stopped Starting amavisd: [ OK ]
Updated bug to be assigned to selinux-policy for el5.
OK, think I spoke too soon. Here's the latest situation: [root@atlas /etc/puppet]$ rpm -qa | grep selinux-policy selinux-policy-targeted-2.4.6-327.el5 selinux-policy-2.4.6-327.el5 [root@atlas /etc/puppet]$ getenforce Permissive [root@atlas /etc/puppet]$ service amavisd restart Shutting down amavisd: Daemon [3230] terminated by SIGTERM [ OK ] amavisd stopped Starting amavisd: [ OK ] In this configuration, nothing gets logged to the audit log (yes, permissive). If we switch to enforcing: [root@atlas /etc/puppet]$ setenforce 1 [root@atlas /etc/puppet]$ getenforce Enforcing [root@atlas /etc/puppet]$ service amavisd restart Shutting down amavisd: Error: /proc must be mounted To mount /proc at boot you need an /etc/fstab line like: /proc /proc proc defaults In the meantime, run "mount /proc /proc -t proc" Daemon [3286] terminated by SIGTERM [ OK ] amavisd stopped Starting amavisd: [ OK ] SELinux is definitely doing something naughty. Apparently there are some things that default policies set to not audit: http://comments.gmane.org/gmane.linux.redhat.fedora.selinux/9234 Disabling the dontaudit and going to permissive: [root@atlas /etc/puppet]$ semodule -DB [root@atlas /etc/puppet]$ setenforce 0 [root@atlas /etc/puppet]$ getenforce Permissive [root@atlas /etc/puppet]$ service amavisd restart Shutting down amavisd: Daemon [3315] terminated by SIGTERM [ OK ] amavisd stopped Starting amavisd: [ OK ] [root@atlas /etc/puppet]$ date Sat Mar 31 22:33:06 GMT 2012 [root@atlas /etc/puppet]$ ausearch -m avc -ts 22:33 | audit2allow #============= amavis_t ============== allow amavis_t proc_t:file read; allow amavis_t security_t:dir search; allow amavis_t security_t:file read; allow amavis_t selinux_config_t:dir search; allow amavis_t selinux_config_t:file { read getattr }; allow amavis_t shadow_t:file { read getattr }; allow amavis_t user_home_dir_t:dir search; This looks good I guess. But this module won't compile and install: [root@atlas ~]$ ausearch -m avc -ts 22:33 | audit2allow -M amavisd ******************** IMPORTANT *********************** To make this policy package active, execute: semodule -i amavisd.pp [root@atlas ~]$ cat amavisd.te module amavisd 1.0; require { type amavis_t; type security_t; type proc_t; type user_home_dir_t; type selinux_config_t; type shadow_t; class file { read getattr }; class dir search; } #============= amavis_t ============== allow amavis_t proc_t:file read; allow amavis_t security_t:dir search; allow amavis_t security_t:file read; allow amavis_t selinux_config_t:dir search; allow amavis_t selinux_config_t:file { read getattr }; allow amavis_t shadow_t:file { read getattr }; allow amavis_t user_home_dir_t:dir search; [root@atlas ~]$ semodule -i amavisd.pp libsepol.check_assertion_helper: assertion on line 0 violated by allow amavis_t shadow_t:file { read }; libsepol.check_assertions: 1 assertion violations occured libsemanage.semanage_expand_sandbox: Expand module failed semodule: Failed! So I'm at a loss as to actually how to generate a policy here that will work.
So the violation is because of a read shadow restraint. Since I can't think of a good reason why amavisd should be reading shadow, I just commented it out. [root@atlas ~]$ cat amavisd.te module amavisd 1.0; require { type amavis_t; type security_t; type proc_t; type user_home_dir_t; type selinux_config_t; #type shadow_t; class file { read getattr }; class dir search; } #============= amavis_t ============== allow amavis_t proc_t:file read; allow amavis_t security_t:dir search; allow amavis_t security_t:file read; allow amavis_t selinux_config_t:dir search; allow amavis_t selinux_config_t:file { read getattr }; #allow amavis_t shadow_t:file { read getattr }; allow amavis_t user_home_dir_t:dir search; Installing this module works, and when in enforcing mode, no error is generated: [root@atlas ~]$ getenforce Enforcing [root@atlas ~]$ service amavisd restart Shutting down amavisd: Daemon [3347] terminated by SIGTERM [ OK ] amavisd stopped Starting amavisd: [ OK ] The only selinux denial that still happens is the shadow read: [root@atlas ~]$ ausearch -m avc -ts 22:45:50 | audit2allow #============= amavis_t ============== allow amavis_t shadow_t:file read; Now, this policy module can probably be clamped down to fix what's going on, because it seems to me like it opens up a fair number of holes.
Could you test it only with this rule allow amavis_t proc_t:file read;
Looks like it works. [root@atlas ~]$ cat amavisd-miro.te module amavisd-miro 1.0; require { type amavis_t; type proc_t; class file read; } #============= amavis_t ============== allow amavis_t proc_t:file read; [root@atlas ~]$ service amavisd restart Shutting down amavisd: Daemon [28091] terminated by SIGTERM [ OK ] amavisd stopped Starting amavisd: [ OK ] Still getting errors: type=AVC msg=audit(1333649748.098:11411): avc: denied { read } for pid=28571 comm="amavisd" name="shadow" dev=dm-0 ino=354339 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file type=SYSCALL msg=audit(1333649748.098:11411): arch=c000003e syscall=2 success=yes exit=5 a0=2ba41721d2da a1=0 a2=1b6 a3=0 items=0 ppid=28567 pid=28571 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl" subj=user_u:system_r:amavis_t:s0 key=(null) type=AVC msg=audit(1333649748.098:11412): avc: denied { getattr } for pid=28571 comm="amavisd" path="/etc/shadow" dev=dm-0 ino=354339 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file type=SYSCALL msg=audit(1333649748.098:11412): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7fff158c5960 a2=7fff158c5960 a3=0 items=0 ppid=28567 pid=28571 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl" subj=user_u:system_r:amavis_t:s0 key=(null) type=AVC msg=audit(1333649748.099:11413): avc: denied { search } for pid=28571 comm="amavisd" name="root" dev=dm-0 ino=545089 scontext=user_u:system_r:amavis_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir type=SYSCALL msg=audit(1333649748.099:11413): arch=c000003e syscall=4 success=no exit=-2 a0=c93c730 a1=c806140 a2=c806140 a3=7 items=0 ppid=28567 pid=28571 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl" subj=user_u:system_r:amavis_t:s0 key=(null) type=AVC msg=audit(1333649749.867:11414): avc: denied { search } for pid=28578 comm="amavisd" name="selinux" dev=dm-0 ino=353080 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir type=AVC msg=audit(1333649749.867:11414): avc: denied { read } for pid=28578 comm="amavisd" name="config" dev=dm-0 ino=353317 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file type=SYSCALL msg=audit(1333649749.867:11414): arch=c000003e syscall=2 success=yes exit=4 a0=3b91e12a64 a1=0 a2=1b6 a3=0 items=0 ppid=28574 pid=28578 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl" subj=user_u:system_r:amavis_t:s0 key=(null) type=AVC msg=audit(1333649749.867:11415): avc: denied { getattr } for pid=28578 comm="amavisd" path="/etc/selinux/config" dev=dm-0 ino=353317 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file type=SYSCALL msg=audit(1333649749.867:11415): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fffd9c7dfd0 a2=7fffd9c7dfd0 a3=0 items=0 ppid=28574 pid=28578 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl" subj=user_u:system_r:amavis_t:s0 key=(null) type=AVC msg=audit(1333649749.867:11416): avc: denied { search } for pid=28578 comm="amavisd" name="/" dev=selinuxfs ino=392 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir type=AVC msg=audit(1333649749.867:11416): avc: denied { read } for pid=28578 comm="amavisd" name="mls" dev=selinuxfs ino=12 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file type=SYSCALL msg=audit(1333649749.867:11416): arch=c000003e syscall=2 success=yes exit=4 a0=7fffd9c7d0e0 a1=0 a2=0 a3=0 items=0 ppid=28574 pid=28578 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=834 comm="amavisd" exe="/usr/bin/perl" subj=user_u:system_r:amavis_t:s0 key=(null) (audit2allow) #============= amavis_t ============== allow amavis_t security_t:dir search; allow amavis_t security_t:file read; allow amavis_t selinux_config_t:dir search; allow amavis_t selinux_config_t:file { read getattr }; allow amavis_t shadow_t:file { read getattr }; allow amavis_t user_home_dir_t:dir search; But they don't cause any issue with the proc errors or anything like that.
We seem to dontaudit all of these in Fedora.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0060.html