Bug 709921 - AVC denial for Postfix processes tlsmgr, smtpd & pickup
Summary: AVC denial for Postfix processes tlsmgr, smtpd & pickup
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 15
Hardware: x86_64
OS: Linux
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2011-06-02 01:25 UTC by thomas
Modified: 2011-06-24 03:54 UTC (History)

Fixed In Version: selinux-policy-3.9.16-30.fc15
Doc Type: Bug Fix
Last Closed: 2011-06-24 03:54:54 UTC

Description thomas 2011-06-02 01:25:04 UTC
Description of problem:

When starting the postfix service with SELINUX_POLICY=Enforcing, I get the following AVC errors and none of the 3 processes mentioned in the Summary line is started properly (all need to chroot into /var/spool/postfix, AFAIK).

type=SERVICE_START msg=audit(1306977616.097:282): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="postfix" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1306977616.191:283): avc:  denied  { sys_chroot } for  pid=24567 comm="pickup" capability=18  scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:postfix_pickup_t:s0 tclass=capability
type=SYSCALL msg=audit(1306977616.191:283): arch=c000003e syscall=161 success=no exit=-1 a0=7f23a510a100 a1=0 a2=7f23a213b238 a3=7fff9fd91c80 items=0 ppid=24565 pid=24567 auid=4294967295 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="pickup" exe="/usr/libexec/postfix/pickup" subj=system_u:system_r:postfix_pickup_t:s0 key=(null)
type=AVC msg=audit(1306977620.365:284): avc:  denied  { read } for  pid=24569 comm="smtpd" name="aliases" dev=vda3 ino=528598 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1306977620.365:284): arch=c000003e syscall=4 success=no exit=-13 a0=7fd80ed7cf25 a1=7fffebf92a50 a2=7fffebf92a50 a3=7fffebf927a0 items=0 ppid=24565 pid=24569 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1306977620.369:285): avc:  denied  { read } for  pid=24571 comm="smtpd" name="aliases" dev=vda3 ino=528598 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1306977620.369:285): arch=c000003e syscall=4 success=no exit=-13 a0=7ff1ffe96fd5 a1=7fff2c1be190 a2=7fff2c1be190 a3=7fff2c1bdee0 items=0 ppid=24565 pid=24571 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1306977620.372:286): avc:  denied  { read } for  pid=24570 comm="smtpd" name="aliases" dev=vda3 ino=528598 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1306977620.372:286): arch=c000003e syscall=4 success=no exit=-13 a0=7fb21a6bc015 a1=7fffb7724850 a2=7fffb7724850 a3=7fffb77245a0 items=0 ppid=24565 pid=24570 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smtpd" exe="/usr/libexec/postfix/smtpd" subj=system_u:system_r:postfix_smtpd_t:s0 key=(null)
type=AVC msg=audit(1306977620.438:287): avc:  denied  { sys_chroot } for  pid=24574 comm="tlsmgr" capability=18  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability
type=SYSCALL msg=audit(1306977620.438:287): arch=c000003e syscall=161 success=no exit=-1 a0=7f0aa904c100 a1=0 a2=7f0aa5df7238 a3=7fffd4e27760 items=0 ppid=24565 pid=24574 auid=4294967295 uid=0 gid=89 euid=0 suid=0 fsuid=0 egid=89 sgid=89 fsgid=89 tty=(none) ses=4294967295 comm="tlsmgr" exe="/usr/libexec/postfix/tlsmgr" subj=system_u:system_r:postfix_master_t:s0 key=(null)
type=SERVICE_STOP msg=audit(1306977638.534:288): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="postfix" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'


Version-Release number of selected component (if applicable):

# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.9.16-24.fc15.noarch
selinux-policy-3.9.16-24.fc15.noarch

# rpm -qa | grep postfix
postfix-2.8.3-1.fc15.x86_64

How reproducible:

Every time

Steps to Reproduce:
1. Upgraded to Fedora 15 from Fedora 14
2. Started postfix service
3. AVC errors logged
  
Actual results:

 Postfix doesn't fully start up

Expected results:

Functioning Postfix system (x64)

Additional info:
N/A

Comment 1 Miroslav Grepl 2011-06-02 10:33:58 UTC
Fixed in selinux-policy-3.9.16-27.fc15

Comment 2 thomas 2011-06-02 10:45:52 UTC
Is there an ETA for when it will be available in updates-testing?

Comment 3 Miroslav Grepl 2011-06-02 11:03:15 UTC
It will be in updates-testing as soon as selinux-policy-3.9.16-26.fc15 goes from testing to stable.

But I will provide a new build today or tomorrow. Or you can allow it for now using

# grep postfix /var/log/audit/audit.log | audit2allow -M mypostfix
# semodule -i mypostfix.pp
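
The workaround in Comment 3 turns every postfix-related denial in the audit log into an allow rule, so it is worth seeing what those rules are before the module is loaded. The following is an added example, not part of the original comment and not audit2allow itself: a simplified Python sketch of the same aggregation, run over records copied from the report. The function names are hypothetical.

```python
import re
from collections import defaultdict

# AVC and SERVICE_STOP records copied verbatim from the report above.
SAMPLE_LOG = """\
type=AVC msg=audit(1306977616.191:283): avc:  denied  { sys_chroot } for  pid=24567 comm="pickup" capability=18  scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:system_r:postfix_pickup_t:s0 tclass=capability
type=AVC msg=audit(1306977620.365:284): avc:  denied  { read } for  pid=24569 comm="smtpd" name="aliases" dev=vda3 ino=528598 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=lnk_file
type=AVC msg=audit(1306977620.369:285): avc:  denied  { read } for  pid=24571 comm="smtpd" name="aliases" dev=vda3 ino=528598 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=lnk_file
type=AVC msg=audit(1306977620.438:287): avc:  denied  { sys_chroot } for  pid=24574 comm="tlsmgr" capability=18  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability
type=SERVICE_STOP msg=audit(1306977638.534:288): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="postfix" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")
COMM_RE = re.compile(r'comm="([^"]*)"')

def type_of(context):
    # An SELinux context is user:role:type[:level]; rules are written on the type.
    return context.split(":")[2]

def collect_rules(log_text):
    """Group denials by (source type, target type, class); skip non-AVC records."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if not m:
            continue
        src, tgt = type_of(m["s"]), type_of(m["t"])
        # A denial of a domain acting on itself is written with the target "self".
        key = (src, "self" if src == tgt else tgt, m["cls"])
        rules[key]["perms"].update(m["perms"].split())
        comm = COMM_RE.search(line)
        rules[key]["comms"].add(comm.group(1) if comm else "?")
    return dict(rules)

def render(rules):
    """Return one allow rule per key, annotated with the commands that hit it."""
    out = []
    for (src, tgt, cls), info in sorted(rules.items()):
        perms = sorted(info["perms"])
        perm_s = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        seen = ", ".join(sorted(info["comms"]))
        out.append(f"allow {src} {tgt}:{cls} {perm_s};  # seen from: {seen}")
    return out

if __name__ == "__main__":
    print("\n".join(render(collect_rules(SAMPLE_LOG))))
```

The tlsmgr denial is logged under postfix_master_t, so the resulting rule grants sys_chroot to that domain rather than to a tlsmgr-specific one. On a live system, audit2allow -M also writes mypostfix.te next to mypostfix.pp, and reading that file before running semodule -i gives the same review.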

Comment 4 Fedora Update System 2011-06-10 10:50:34 UTC
selinux-policy-3.9.16-29.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-29.fc15

Comment 5 Fedora Update System 2011-06-11 04:29:49 UTC
Package selinux-policy-3.9.16-29.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-29.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-29.fc15
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2011-06-21 17:31:57 UTC
Package selinux-policy-3.9.16-30.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-30.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-30.fc15
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2011-06-24 03:53:23 UTC
selinux-policy-3.9.16-30.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

