Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1380883
| Summary: | SELinux is preventing master from 'read' accesses on the lnk_file log. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 25 | CC: | cfergeau, dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, pmoore, viorel.tabara |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:54b231afa5d15027339a5eee7a2a037491b97dc1bd646397d0bcd8194d8f2e95;VARIANT_ID=workstation; | ||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-11-24 20:45:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
also seeing this after installing and activating postfix: postfix-3.1.3-1.fc25.x86_64 selinux-policy-3.13.1-216.fc25.noarch Confirmed that my mail server sees a ton of these after upgrade to F25:
[root@mail /]# journalctl -b | grep AVC | head -25
Nov 24 12:35:46 mail.happyassassin.net audit[641]: AVC avc: denied { read } for pid=641 comm="newaliases" name="log" dev="tmpfs" ino=15106 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[641]: AVC avc: denied { read } for pid=641 comm="newaliases" name="log" dev="tmpfs" ino=15106 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[641]: AVC avc: denied { read } for pid=641 comm="postalias" name="log" dev="tmpfs" ino=15106 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[641]: AVC avc: denied { read } for pid=641 comm="postalias" name="log" dev="tmpfs" ino=15106 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[647]: AVC avc: denied { read } for pid=647 comm="postfix" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[647]: AVC avc: denied { read } for pid=647 comm="postfix" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[647]: AVC avc: denied { read } for pid=647 comm="postfix" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[647]: AVC avc: denied { read } for pid=647 comm="postfix" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[653]: AVC avc: denied { read } for pid=653 comm="master" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[687]: AVC avc: denied { read } for pid=687 comm="postsuper" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[687]: AVC avc: denied { read } for pid=687 comm="postsuper" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[712]: AVC avc: denied { read } for pid=712 comm="postlog" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[712]: AVC avc: denied { read } for pid=712 comm="postlog" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[712]: AVC avc: denied { read } for pid=712 comm="postlog" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[713]: AVC avc: denied { read } for pid=713 comm="master" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[714]: AVC avc: denied { read } for pid=714 comm="master" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[717]: AVC avc: denied { read } for pid=717 comm="qmgr" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[716]: AVC avc: denied { read } for pid=716 comm="pickup" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:47 mail.happyassassin.net audit[463]: AVC avc: denied { write } for pid=463 comm="spamd" name="/" dev="vda3" ino=2 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
Nov 24 12:35:53 mail.happyassassin.net audit[755]: AVC avc: denied { read } for pid=755 comm="smtpd" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:53 mail.happyassassin.net audit[756]: AVC avc: denied { read } for pid=756 comm="proxymap" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:53 mail.happyassassin.net audit[757]: AVC avc: denied { read } for pid=757 comm="tlsmgr" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:53 mail.happyassassin.net audit[755]: AVC avc: denied { read } for pid=755 comm="smtpd" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:53 mail.happyassassin.net audit[758]: AVC avc: denied { read } for pid=758 comm="anvil" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:53 mail.happyassassin.net audit[755]: AVC avc: denied { read } for pid=755 comm="smtpd" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
and they're ongoing. It may be trying to do something in /run ?
*** This bug has been marked as a duplicate of bug 1383867 *** |
Description of problem: Showed up on boot of my main desktop, current F25. SELinux is preventing master from 'read' accesses on the lnk_file log. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that master should be allowed read access on the log lnk_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'master' --raw | audit2allow -M my-master # semodule -X 300 -i my-master.pp Additional Information: Source Context system_u:system_r:postfix_master_t:s0 Target Context system_u:object_r:tmpfs_t:s0 Target Objects log [ lnk_file ] Source master Source Path master Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-216.fc25.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.8.0-0.rc8.git0.1.fc25.x86_64 #1 SMP Mon Sep 26 17:12:24 UTC 2016 x86_64 x86_64 Alert Count 495 First Seen 2016-08-02 15:25:38 PDT Last Seen 2016-09-30 19:32:05 PDT Local ID cca5d7c6-ccf3-4024-ae8c-26ff08634e24 Raw Audit Messages type=AVC msg=audit(1475289125.88:167): avc: denied { read } for pid=1503 comm="master" name="log" dev="tmpfs" ino=22118 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0 Hash: master,postfix_master_t,tmpfs_t,lnk_file,read Version-Release number of selected component: selinux-policy-3.13.1-216.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc8.git0.1.fc25.x86_64 type: libreport