Description of problem:

[root@charybdis etc]# sealert -l 42d05a04-04ab-44b3-a9e1-5f5ee362cbc0
WARNING: Policy would be downgraded from version 27 to 26.

** (setroubleshoot:2155): WARNING **: Trying to register gtype 'GMountMountFlags' as enum when in fact it is of type 'GFlags'
** (setroubleshoot:2155): WARNING **: Trying to register gtype 'GDriveStartFlags' as enum when in fact it is of type 'GFlags'
** (setroubleshoot:2155): WARNING **: Trying to register gtype 'GSocketMsgFlags' as enum when in fact it is of type 'GFlags'

SELinux is preventing /usr/bin/perl from read access on the file /etc/group.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that perl should be allowed read access on the group file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep /usr/sbin/postg /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.

Additional Information:
Source Context                system_u:system_r:postgrey_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/group [ file ]
Source                        /usr/sbin/postg
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          charybdis.ellipsis.cx
Source RPM Packages           perl-5.14.2-211.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-125.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     charybdis.ellipsis.cx
Platform                      Linux charybdis.ellipsis.cx 3.3.7-1.fc17.x86_64 #1 SMP Mon May 21 22:32:19 UTC 2012 x86_64 x86_64
Alert Count                   30
First Seen                    Fri 01 Jun 2012 03:13:18 PM MST
Last Seen                     Fri 01 Jun 2012 03:45:01 PM MST
Local ID                      42d05a04-04ab-44b3-a9e1-5f5ee362cbc0

Raw Audit Messages
type=AVC msg=audit(1338590701.228:228): avc: denied { read } for pid=2133 comm="/usr/sbin/postg" name="group" dev="dm-0" ino=3671175 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

type=SYSCALL msg=audit(1338590701.228:228): arch=x86_64 syscall=open success=no exit=EACCES a0=7fb2a26f86bf a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=2133 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=/usr/sbin/postg exe=/usr/bin/perl subj=system_u:system_r:postgrey_t:s0 key=(null)

Hash: /usr/sbin/postg,postgrey_t,passwd_file_t,file,read

audit2allow

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file read;

audit2allow -R

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file read;

Version-Release number of selected component (if applicable):
postgrey-1.34-3.fc17.noarch
selinux-policy-targeted-3.10.0-125.fc17.noarch

How reproducible:
Always.

Steps to Reproduce:
1. systemctl start postgrey.service

Actual results:
SELinux violation.

Expected results:
No SELinux violation.
More:

SELinux is preventing /usr/bin/perl from open access on the file /etc/group.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that perl should be allowed open access on the group file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep /usr/sbin/postg /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.

Additional Information:
Source Context                system_u:system_r:postgrey_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/group [ file ]
Source                        /usr/sbin/postg
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          charybdis.ellipsis.cx
Source RPM Packages           perl-5.14.2-211.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-125.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     charybdis.ellipsis.cx
Platform                      Linux charybdis.ellipsis.cx 3.3.7-1.fc17.x86_64 #1 SMP Mon May 21 22:32:19 UTC 2012 x86_64 x86_64
Alert Count                   6
First Seen                    Fri 01 Jun 2012 04:03:12 PM MST
Last Seen                     Fri 01 Jun 2012 04:03:18 PM MST
Local ID                      f4f9dd7f-784e-42d0-a216-7dccc182eec4

Raw Audit Messages
type=AVC msg=audit(1338591798.476:329): avc: denied { open } for pid=3111 comm="/usr/sbin/postg" name="group" dev="dm-0" ino=3671175 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

type=SYSCALL msg=audit(1338591798.476:329): arch=x86_64 syscall=open success=no exit=EACCES a0=7fa9fe8886bf a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=3111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=/usr/sbin/postg exe=/usr/bin/perl subj=system_u:system_r:postgrey_t:s0 key=(null)

Hash: /usr/sbin/postg,postgrey_t,passwd_file_t,file,open

audit2allow

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file open;

audit2allow -R

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file open;


SELinux is preventing /usr/bin/perl from getattr access on the file /etc/passwd.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that perl should be allowed getattr access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep /usr/sbin/postg /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.

Additional Information:
Source Context                system_u:system_r:postgrey_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        /usr/sbin/postg
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          charybdis.ellipsis.cx
Source RPM Packages           perl-5.14.2-211.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-125.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     charybdis.ellipsis.cx
Platform                      Linux charybdis.ellipsis.cx 3.3.7-1.fc17.x86_64 #1 SMP Mon May 21 22:32:19 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 01 Jun 2012 04:05:50 PM MST
Last Seen                     Fri 01 Jun 2012 04:05:50 PM MST
Local ID                      38cc17be-b522-44a2-a487-2ddc38c30ab1

Raw Audit Messages
type=AVC msg=audit(1338591950.765:346): avc: denied { getattr } for pid=3150 comm="/usr/sbin/postg" path="/etc/passwd" dev="dm-0" ino=3673277 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

type=SYSCALL msg=audit(1338591950.765:346): arch=x86_64 syscall=fstat success=no exit=EACCES a0=6 a1=7fff889ec2d0 a2=7fff889ec2d0 a3=0 items=0 ppid=1 pid=3150 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=/usr/sbin/postg exe=/usr/bin/perl subj=system_u:system_r:postgrey_t:s0 key=(null)

Hash: /usr/sbin/postg,postgrey_t,passwd_file_t,file,getattr

audit2allow

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file getattr;

audit2allow -R

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file getattr;
Running audit2allow on these three was sufficient to get postgrey working again. (It was fine in F16.)
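As an added illustration (not part of the report, and not the code of setroubleshoot or audit2allow), the following Python parses the AVC records quoted above the way those tools do: it derives the "Hash:" key setroubleshoot prints for each denial and merges the three denials into the single allow rule that audit2allow emits when fed all three at once. The sample log is the report's own records with the SYSCALL fields trimmed; the regex and the merging logic are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records from the report above, with the
# SYSCALL fields trimmed to what the parser needs (values are the report's).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1338590701.228:228): avc: denied { read } for pid=2133 comm="/usr/sbin/postg" name="group" dev="dm-0" ino=3671175 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1338590701.228:228): arch=x86_64 syscall=open success=no exit=EACCES comm=/usr/sbin/postg exe=/usr/bin/perl
type=AVC msg=audit(1338591798.476:329): avc: denied { open } for pid=3111 comm="/usr/sbin/postg" name="group" dev="dm-0" ino=3671175 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1338591950.765:346): avc: denied { getattr } for pid=3150 comm="/usr/sbin/postg" path="/etc/passwd" dev="dm-0" ino=3673277 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
"""

# Denied permission set, process name, source/target contexts and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Type component of a user:role:type:level security context."""
    return ctx.split(":")[2]

def parse_denials(log_text):
    """Yield (comm, source_type, target_type, tclass, perm) per denied permission."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if "type=AVC" in line else None
        if m:
            for perm in m.group("perms").split():
                yield (m.group("comm"), context_type(m.group("scontext")),
                       context_type(m.group("tcontext")), m.group("tclass"), perm)

def setroubleshoot_hashes(log_text):
    """setroubleshoot's 'Hash:' key (comm,src,tgt,class,perm) per distinct denial."""
    return sorted({",".join(d) for d in parse_denials(log_text)})

def allow_rules(log_text):
    """Merge denials per (source, target, class) into audit2allow-style rules."""
    perms = defaultdict(set)
    for _, src, tgt, cls, perm in parse_denials(log_text):
        perms[(src, tgt, cls)].add(perm)
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        body = " ".join(sorted(ps)) if len(ps) == 1 else "{ " + " ".join(sorted(ps)) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(setroubleshoot_hashes(SAMPLE_AUDIT_LOG)))
    print("\n".join(allow_rules(SAMPLE_AUDIT_LOG)))
```

The merged rule is the same local-module workaround the report describes; the lasting fix was the corrected selinux-policy build tracked in the comments that follow.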
Fixed in selinux-policy-3.10.0-129.fc17
selinux-policy-3.10.0-130.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-130.fc17
Package selinux-policy-3.10.0-130.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-130.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9520/selinux-policy-3.10.0-130.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
I installed selinux-policy-targeted-3.10.0-132.fc17 and am having exactly the same problem as before:

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that perl should be allowed read access on the group file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep /usr/sbin/postg /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.

Additional Information:
Source Context                system_u:system_r:postgrey_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/group [ file ]
Source                        /usr/sbin/postg
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          charybdis.ellipsis.cx
Source RPM Packages           perl-5.14.2-212.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-132.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     charybdis.ellipsis.cx
Platform                      Linux charybdis.ellipsis.cx 3.4.3-1.fc17.x86_64 #1 SMP Mon Jun 18 19:53:17 UTC 2012 x86_64 x86_64
Alert Count                   11
First Seen                    Fri 22 Jun 2012 05:17:04 AM MST
Last Seen                     Fri 22 Jun 2012 05:17:21 AM MST
Local ID                      fbbceeec-ca7e-45aa-a98c-10af1e02c4c2

Raw Audit Messages
type=AVC msg=audit(1340367441.425:74): avc: denied { read } for pid=1428 comm="/usr/sbin/postg" name="group" dev="dm-0" ino=3671175 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

type=SYSCALL msg=audit(1340367441.425:74): arch=x86_64 syscall=open success=no exit=EACCES a0=7f8c79da96bf a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=1428 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=/usr/sbin/postg exe=/usr/bin/perl subj=system_u:system_r:postgrey_t:s0 key=(null)

Hash: /usr/sbin/postg,postgrey_t,passwd_file_t,file,read

audit2allow

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file read;

audit2allow -R

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file read;


SELinux is preventing /usr/bin/perl from open access on the file /etc/group.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that perl should be allowed open access on the group file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep /usr/sbin/postg /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.

Additional Information:
Source Context                system_u:system_r:postgrey_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/group [ file ]
Source                        /usr/sbin/postg
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          charybdis.ellipsis.cx
Source RPM Packages           perl-5.14.2-212.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-132.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     charybdis.ellipsis.cx
Platform                      Linux charybdis.ellipsis.cx 3.4.3-1.fc17.x86_64 #1 SMP Mon Jun 18 19:53:17 UTC 2012 x86_64 x86_64
Alert Count                   12
First Seen                    Fri 01 Jun 2012 04:03:12 PM MST
Last Seen                     Fri 22 Jun 2012 05:31:27 AM MST
Local ID                      f4f9dd7f-784e-42d0-a216-7dccc182eec4

Raw Audit Messages
type=AVC msg=audit(1340368287.204:167): avc: denied { open } for pid=1706 comm="/usr/sbin/postg" name="group" dev="dm-0" ino=3671175 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

type=SYSCALL msg=audit(1340368287.204:167): arch=x86_64 syscall=open success=no exit=EACCES a0=7ff269ad16bf a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=1706 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=/usr/sbin/postg exe=/usr/bin/perl subj=system_u:system_r:postgrey_t:s0 key=(null)

Hash: /usr/sbin/postg,postgrey_t,passwd_file_t,file,open

audit2allow

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file open;

audit2allow -R

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file open;


SELinux is preventing /usr/bin/perl from getattr access on the file /etc/passwd.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that perl should be allowed getattr access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep /usr/sbin/postg /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.

Additional Information:
Source Context                system_u:system_r:postgrey_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        /usr/sbin/postg
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          charybdis.ellipsis.cx
Source RPM Packages           perl-5.14.2-212.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-132.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     charybdis.ellipsis.cx
Platform                      Linux charybdis.ellipsis.cx 3.4.3-1.fc17.x86_64 #1 SMP Mon Jun 18 19:53:17 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 22 Jun 2012 05:36:43 AM MST
Last Seen                     Fri 22 Jun 2012 05:36:43 AM MST
Local ID                      d8858ae1-8072-4aeb-b781-f04589cf7ec4

Raw Audit Messages
type=AVC msg=audit(1340368603.844:207): avc: denied { getattr } for pid=1797 comm="/usr/sbin/postg" path="/etc/passwd" dev="dm-0" ino=3673277 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

type=SYSCALL msg=audit(1340368603.844:207): arch=x86_64 syscall=fstat success=no exit=EACCES a0=6 a1=7fffbe710c60 a2=7fffbe710c60 a3=0 items=0 ppid=1796 pid=1797 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=/usr/sbin/postg exe=/usr/bin/perl subj=system_u:system_r:postgrey_t:s0 key=(null)

Hash: /usr/sbin/postg,postgrey_t,passwd_file_t,file,getattr

audit2allow

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file getattr;

audit2allow -R

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file getattr;
I have this fixed in F18 policy.
(In reply to comment #11)
> I have this fixed in F18 policy.

Cool, is that going to be backported to F17?
Yeap, just building a new build with the fix.
selinux-policy-3.10.0-134.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-134.fc17
Package selinux-policy-3.10.0-134.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-134.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10008/selinux-policy-3.10.0-134.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-134.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.10.0-134.fc17 has fixed the problem for me. Thanks.