Bug 827637 - SELinux prevents postgrey from starting
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
Version: 17
Hardware: x86_64 Linux
Priority: unspecified
Severity: high
Assigned To: Matthias Saou
Fedora Extras Quality Assurance
: Reopened
Reported: 2012-06-01 18:49 EDT by Joel Uckelman
Modified: 2012-07-16 14:27 EDT (History)

Doc Type: Bug Fix
Last Closed: 2012-06-30 17:52:01 EDT
Type: Bug
Description Joel Uckelman 2012-06-01 18:49:31 EDT
Description of problem:

[root@charybdis etc]# sealert -l 42d05a04-04ab-44b3-a9e1-5f5ee362cbc0
WARNING: Policy would be downgraded from version 27 to 26.

** (setroubleshoot:2155): WARNING **: Trying to register gtype 'GMountMountFlags' as enum when in fact it is of type 'GFlags'

** (setroubleshoot:2155): WARNING **: Trying to register gtype 'GDriveStartFlags' as enum when in fact it is of type 'GFlags'

** (setroubleshoot:2155): WARNING **: Trying to register gtype 'GSocketMsgFlags' as enum when in fact it is of type 'GFlags'
SELinux is preventing /usr/bin/perl from read access on the file /etc/group.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that perl should be allowed read access on the group file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/sbin/postg /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.
Additional Information:
Source Context                system_u:system_r:postgrey_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/group [ file ]
Source                        /usr/sbin/postg
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          charybdis.ellipsis.cx
Source RPM Packages           perl-5.14.2-211.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-125.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     charybdis.ellipsis.cx
Platform                      Linux charybdis.ellipsis.cx 3.3.7-1.fc17.x86_64 #1
                              SMP Mon May 21 22:32:19 UTC 2012 x86_64 x86_64
Alert Count                   30
First Seen                    Fri 01 Jun 2012 03:13:18 PM MST
Last Seen                     Fri 01 Jun 2012 03:45:01 PM MST
Local ID                      42d05a04-04ab-44b3-a9e1-5f5ee362cbc0

Raw Audit Messages
type=AVC msg=audit(1338590701.228:228): avc:  denied  { read } for  pid=2133 comm="/usr/sbin/postg" name="group" dev="dm-0" ino=3671175 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


type=SYSCALL msg=audit(1338590701.228:228): arch=x86_64 syscall=open success=no exit=EACCES a0=7fb2a26f86bf a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=2133 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=/usr/sbin/postg exe=/usr/bin/perl subj=system_u:system_r:postgrey_t:s0 key=(null)

Hash: /usr/sbin/postg,postgrey_t,passwd_file_t,file,read

audit2allow

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file read;

audit2allow -R

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file read;



Version-Release number of selected component (if applicable):

postgrey-1.34-3.fc17.noarch
selinux-policy-targeted-3.10.0-125.fc17.noarch

How reproducible:

Always.

Steps to Reproduce:
1. systemctl start postgrey.service
2.
3.
  
Actual results:

SELinux violation.


Expected results:

No SELinux violation.
Comment 1 Joel Uckelman 2012-06-01 19:04:07 EDT
More:

SELinux is preventing /usr/bin/perl from open access on the file /etc/group.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that perl should be allowed open access on the group file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/sbin/postg /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.
Additional Information:
Source Context                system_u:system_r:postgrey_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/group [ file ]
Source                        /usr/sbin/postg
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          charybdis.ellipsis.cx
Source RPM Packages           perl-5.14.2-211.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-125.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     charybdis.ellipsis.cx
Platform                      Linux charybdis.ellipsis.cx 3.3.7-1.fc17.x86_64 #1
                              SMP Mon May 21 22:32:19 UTC 2012 x86_64 x86_64
Alert Count                   6
First Seen                    Fri 01 Jun 2012 04:03:12 PM MST
Last Seen                     Fri 01 Jun 2012 04:03:18 PM MST
Local ID                      f4f9dd7f-784e-42d0-a216-7dccc182eec4

Raw Audit Messages
type=AVC msg=audit(1338591798.476:329): avc:  denied  { open } for  pid=3111 comm="/usr/sbin/postg" name="group" dev="dm-0" ino=3671175 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


type=SYSCALL msg=audit(1338591798.476:329): arch=x86_64 syscall=open success=no exit=EACCES a0=7fa9fe8886bf a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=3111 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=/usr/sbin/postg exe=/usr/bin/perl subj=system_u:system_r:postgrey_t:s0 key=(null)

Hash: /usr/sbin/postg,postgrey_t,passwd_file_t,file,open

audit2allow

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file open;

audit2allow -R

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file open;
Comment 2 Joel Uckelman 2012-06-01 19:06:24 EDT
SELinux is preventing /usr/bin/perl from getattr access on the file /etc/passwd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that perl should be allowed getattr access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/sbin/postg /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.
Additional Information:
Source Context                system_u:system_r:postgrey_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        /usr/sbin/postg
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          charybdis.ellipsis.cx
Source RPM Packages           perl-5.14.2-211.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-125.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     charybdis.ellipsis.cx
Platform                      Linux charybdis.ellipsis.cx 3.3.7-1.fc17.x86_64 #1
                              SMP Mon May 21 22:32:19 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 01 Jun 2012 04:05:50 PM MST
Last Seen                     Fri 01 Jun 2012 04:05:50 PM MST
Local ID                      38cc17be-b522-44a2-a487-2ddc38c30ab1

Raw Audit Messages
type=AVC msg=audit(1338591950.765:346): avc:  denied  { getattr } for  pid=3150 comm="/usr/sbin/postg" path="/etc/passwd" dev="dm-0" ino=3673277 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


type=SYSCALL msg=audit(1338591950.765:346): arch=x86_64 syscall=fstat success=no exit=EACCES a0=6 a1=7fff889ec2d0 a2=7fff889ec2d0 a3=0 items=0 ppid=1 pid=3150 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=/usr/sbin/postg exe=/usr/bin/perl subj=system_u:system_r:postgrey_t:s0 key=(null)

Hash: /usr/sbin/postg,postgrey_t,passwd_file_t,file,getattr

audit2allow

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file getattr;

audit2allow -R

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file getattr;
Comment 3 Joel Uckelman 2012-06-01 19:23:14 EDT
Running audit2allow on these three was sufficient to get postgrey working again. (It was fine in F16.)
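The three denials above, merged the way audit2allow merges AVC records when it builds the mypol module, as an added example (not the reporter's, setroubleshoot's or audit2allow's code). Because the suggested grep feeds every denial mentioning /usr/sbin/postg into the module, the example also flags any merged rule that would grant more than read-only access, which is the check a reviewer wants before running semodule -i. The sample log and the READ_ONLY permission set are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in this bug, one per line as
# they would appear in /var/log/audit/audit.log (SYSCALL records are ignored).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1338590701.228:228): avc:  denied  { read } for  pid=2133 comm="/usr/sbin/postg" name="group" dev="dm-0" ino=3671175 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1338590701.228:228): arch=x86_64 syscall=open success=no exit=EACCES comm=/usr/sbin/postg exe=/usr/bin/perl subj=system_u:system_r:postgrey_t:s0 key=(null)
type=AVC msg=audit(1338591798.476:329): avc:  denied  { open } for  pid=3111 comm="/usr/sbin/postg" name="group" dev="dm-0" ino=3671175 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1338591950.765:346): avc:  denied  { getattr } for  pid=3150 comm="/usr/sbin/postg" path="/etc/passwd" dev="dm-0" ino=3673277 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

# Permissions that only let a domain inspect or read a file (constructed set).
READ_ONLY = {"read", "open", "getattr", "ioctl", "lock"}


def context_type(ctx):
    """user:role:type:level -> the type field, e.g. postgrey_t."""
    return ctx.split(":")[2]


def collect_denials(log_text, comm_filter=None):
    """Group denied permissions by (source type, target type, class),
    the key audit2allow merges on; optionally keep only one comm value,
    mirroring the `grep /usr/sbin/postg` step in the sealert advice."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        if comm_filter and f'comm="{comm_filter}"' not in line:
            continue
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules


def format_allow_rules(rules):
    """Render merged rules in the syntax audit2allow prints."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out


def over_permissive(rules):
    """Return, per rule key, the permissions beyond read-only access that a
    generated module would grant; an empty dict means nothing to review."""
    return {key: sorted(perms - READ_ONLY)
            for key, perms in rules.items() if perms - READ_ONLY}


if __name__ == "__main__":
    rules = collect_denials(SAMPLE_AUDIT_LOG, comm_filter="/usr/sbin/postg")
    print("\n".join(format_allow_rules(rules)))
    print("needs review:", over_permissive(rules))
```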
Comment 4 Daniel Walsh 2012-06-04 11:34:07 EDT
Fixed in selinux-policy-3.10.0-129.fc17
Comment 5 Fedora Update System 2012-06-11 17:03:27 EDT
selinux-policy-3.10.0-130.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-130.fc17
Comment 6 Fedora Update System 2012-06-15 20:00:20 EDT
Package selinux-policy-3.10.0-130.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-130.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9520/selinux-policy-3.10.0-130.fc17
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2012-06-16 20:05:15 EDT
selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Joel Uckelman 2012-06-22 08:24:24 EDT
I installed selinux-policy-targeted-3.10.0-132.fc17 and am having exactly the same problem as before:

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that perl should be allowed read access on the group file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/sbin/postg /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.
Additional Information:
Source Context                system_u:system_r:postgrey_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/group [ file ]
Source                        /usr/sbin/postg
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          charybdis.ellipsis.cx
Source RPM Packages           perl-5.14.2-212.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-132.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     charybdis.ellipsis.cx
Platform                      Linux charybdis.ellipsis.cx 3.4.3-1.fc17.x86_64 #1
                              SMP Mon Jun 18 19:53:17 UTC 2012 x86_64 x86_64
Alert Count                   11
First Seen                    Fri 22 Jun 2012 05:17:04 AM MST
Last Seen                     Fri 22 Jun 2012 05:17:21 AM MST
Local ID                      fbbceeec-ca7e-45aa-a98c-10af1e02c4c2

Raw Audit Messages
type=AVC msg=audit(1340367441.425:74): avc:  denied  { read } for  pid=1428 comm="/usr/sbin/postg" name="group" dev="dm-0" ino=3671175 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


type=SYSCALL msg=audit(1340367441.425:74): arch=x86_64 syscall=open success=no exit=EACCES a0=7f8c79da96bf a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=1428 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=/usr/sbin/postg exe=/usr/bin/perl subj=system_u:system_r:postgrey_t:s0 key=(null)

Hash: /usr/sbin/postg,postgrey_t,passwd_file_t,file,read

audit2allow

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file read;

audit2allow -R

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file read;
Comment 9 Joel Uckelman 2012-06-22 08:34:16 EDT
SELinux is preventing /usr/bin/perl from open access on the file /etc/group.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that perl should be allowed open access on the group file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/sbin/postg /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.
Additional Information:
Source Context                system_u:system_r:postgrey_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/group [ file ]
Source                        /usr/sbin/postg
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          charybdis.ellipsis.cx
Source RPM Packages           perl-5.14.2-212.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-132.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     charybdis.ellipsis.cx
Platform                      Linux charybdis.ellipsis.cx 3.4.3-1.fc17.x86_64 #1
                              SMP Mon Jun 18 19:53:17 UTC 2012 x86_64 x86_64
Alert Count                   12
First Seen                    Fri 01 Jun 2012 04:03:12 PM MST
Last Seen                     Fri 22 Jun 2012 05:31:27 AM MST
Local ID                      f4f9dd7f-784e-42d0-a216-7dccc182eec4

Raw Audit Messages
type=AVC msg=audit(1340368287.204:167): avc:  denied  { open } for  pid=1706 comm="/usr/sbin/postg" name="group" dev="dm-0" ino=3671175 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


type=SYSCALL msg=audit(1340368287.204:167): arch=x86_64 syscall=open success=no exit=EACCES a0=7ff269ad16bf a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=1706 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=/usr/sbin/postg exe=/usr/bin/perl subj=system_u:system_r:postgrey_t:s0 key=(null)

Hash: /usr/sbin/postg,postgrey_t,passwd_file_t,file,open

audit2allow

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file open;

audit2allow -R

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file open;
Comment 10 Joel Uckelman 2012-06-22 08:37:12 EDT
SELinux is preventing /usr/bin/perl from getattr access on the file /etc/passwd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that perl should be allowed getattr access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/sbin/postg /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.
Additional Information:
Source Context                system_u:system_r:postgrey_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        /usr/sbin/postg
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          charybdis.ellipsis.cx
Source RPM Packages           perl-5.14.2-212.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-132.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     charybdis.ellipsis.cx
Platform                      Linux charybdis.ellipsis.cx 3.4.3-1.fc17.x86_64 #1
                              SMP Mon Jun 18 19:53:17 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 22 Jun 2012 05:36:43 AM MST
Last Seen                     Fri 22 Jun 2012 05:36:43 AM MST
Local ID                      d8858ae1-8072-4aeb-b781-f04589cf7ec4

Raw Audit Messages
type=AVC msg=audit(1340368603.844:207): avc:  denied  { getattr } for  pid=1797 comm="/usr/sbin/postg" path="/etc/passwd" dev="dm-0" ino=3673277 scontext=system_u:system_r:postgrey_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


type=SYSCALL msg=audit(1340368603.844:207): arch=x86_64 syscall=fstat success=no exit=EACCES a0=6 a1=7fffbe710c60 a2=7fffbe710c60 a3=0 items=0 ppid=1796 pid=1797 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=/usr/sbin/postg exe=/usr/bin/perl subj=system_u:system_r:postgrey_t:s0 key=(null)

Hash: /usr/sbin/postg,postgrey_t,passwd_file_t,file,getattr

audit2allow

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file getattr;

audit2allow -R

#============= postgrey_t ==============
allow postgrey_t passwd_file_t:file getattr;
Comment 11 Daniel Walsh 2012-06-22 10:51:06 EDT
I have this fixed in F18 policy.
Comment 12 Joel Uckelman 2012-06-22 11:02:33 EDT
(In reply to comment #11)
> I have this fixed in F18 policy.

Cool, is that going to be backported to F17?
Comment 13 Miroslav Grepl 2012-06-22 11:26:08 EDT
Yeap, just building a new build with the fix.
Comment 14 Fedora Update System 2012-06-26 17:48:14 EDT
selinux-policy-3.10.0-134.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-134.fc17
Comment 15 Fedora Update System 2012-06-27 23:38:26 EDT
Package selinux-policy-3.10.0-134.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-134.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10008/selinux-policy-3.10.0-134.fc17
then log in and leave karma (feedback).
Comment 16 Fedora Update System 2012-06-30 17:52:01 EDT
selinux-policy-3.10.0-134.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Joel Uckelman 2012-07-16 14:27:36 EDT
selinux-policy-3.10.0-134.fc17 has fixed the problem for me. Thanks.
