Bug 1383867 - SELinux is preventing pickup from 'read' accesses on the lnk_file log.
Summary: SELinux is preventing pickup from 'read' accesses on the lnk_file log.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 25
Hardware: x86_64
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:371c6e2d024d44d3bb297fac0a7...
Duplicates: 1378121 1380883 1386928 1386929
Depends On:
Blocks:
 
Reported: 2016-10-12 02:29 UTC by Wolfgang Rupprecht
Modified: 2016-12-20 11:21 UTC (History)
CC: 35 users

Fixed In Version: selinux-policy-3.13.1-225.1.fc25
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-08 18:22:47 UTC
Type: ---



Description Wolfgang Rupprecht 2016-10-12 02:29:45 UTC
Description of problem:
normal postfix startup
SELinux is preventing pickup from 'read' accesses on the lnk_file log.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pickup should be allowed read access on the log lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pickup' --raw | audit2allow -M my-pickup
# semodule -X 300 -i my-pickup.pp

Additional Information:
Source Context                system_u:system_r:postfix_pickup_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                log [ lnk_file ]
Source                        pickup
Source Path                   pickup
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-218.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.1-1.fc25.x86_64 #1 SMP Fri Oct
                              7 14:38:22 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-10-11 19:23:39 PDT
Last Seen                     2016-10-11 19:23:39 PDT
Local ID                      f7ce6433-511f-4b8b-b84e-b043daf18cc8

Raw Audit Messages
type=AVC msg=audit(1476239019.728:353): avc:  denied  { read } for  pid=12520 comm="pickup" name="log" dev="tmpfs" ino=24931 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0


Hash: pickup,postfix_pickup_t,tmpfs_t,lnk_file,read

Version-Release number of selected component:
selinux-policy-3.13.1-218.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.1-1.fc25.x86_64
type:           libreport

Comment 1 Miroslav Grepl 2016-10-13 09:01:31 UTC
Could you add your output of

# ls -dZ /run /run/log/

command?

Thank you.

Comment 2 Wolfgang Rupprecht 2016-10-13 09:10:32 UTC
[root@tosca ~]# ls -dZ /run /run/log/
        system_u:object_r:var_run_t:s0 /run
system_u:object_r:syslogd_var_run_t:s0 /run/log/

This is a system that has been upgraded many times via dnf and whatever the previously approved online upgrade was called. It is entirely possible some directory permissions were grandfathered from previous versions of Fedora.

Comment 3 Adam Williamson 2016-11-03 19:02:07 UTC
Description of problem:
This just happened in the background while I was using the system as usual.

Version-Release number of selected component:
selinux-policy-3.13.1-220.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 4 Ed 2016-11-24 08:21:41 UTC
Daemons or manual sending of mail via the Postfix MTA is causing this issue.

Having the issue since upgrading to Fedora 25.
I can reproduce this multiple times

SELinux is preventing pickup from read access on the lnk_file log.


*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pickup should be allowed read access on the log lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pickup' --raw | audit2allow -M my-pickup
# semodule -X 300 -i my-pickup.pp

Additional Information:
Source Context                system_u:system_r:postfix_pickup_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                log [ lnk_file ]
Source                        pickup
Source Path                   pickup
Port                          <Unknown>
Host                          ***********
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-224.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     **********
Platform                      Linux ********* 4.8.8-300.fc25.x86_64 #1
                              SMP Tue Nov 15 18:10:06 UTC 2016 x86_64 x86_64
Alert Count                   20
First Seen                    2016-11-23 08:31:29 CET
Last Seen                     2016-11-24 09:03:34 CET
Local ID                      1e404c6c-9298-4a2b-9061-d65ebe8a65d4

Raw Audit Messages
type=AVC msg=audit(1479974614.521:228): avc:  denied  { read } for  pid=1247 comm="pickup" name="log" dev="tmpfs" ino=23942 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0


Hash: pickup,postfix_pickup_t,tmpfs_t,lnk_file,read

ls -dZ /run /run/log/
system_u:object_r:var_run_t:s0 /run
system_u:object_r:syslogd_var_run_t:s0 /run/log/

Comment 5 Adam Williamson 2016-11-24 08:29:30 UTC
I think this may affect many people running postfix on F25, so marking as CommonBugs. Could we get a fix, Lukas? Thanks.

Comment 6 Lukas Vrabec 2016-11-24 12:01:47 UTC
Yes, we can fix it.
But I need to know the reproducer and the path of the "log" lnk_file.

Comment 7 Ed 2016-11-24 12:16:59 UTC
Is there something I could do to help on this? If so how?

Happy to help.

I did a strace on a mail command which generates this SELinux notification, but I don't see anything leading to lnk_file.

Except this part.
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 8
connect(8, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = -1 EACCES (Permission denied)

Comment 8 Lukas Vrabec 2016-11-24 12:18:48 UTC
Ed, 
Please run:
# ls -Z /dev/log 

Thanks.

Comment 9 Ed 2016-11-24 12:19:53 UTC
system_u:object_r:devlog_t:s0 /dev/log

Comment 10 Lukas Vrabec 2016-11-24 12:48:49 UTC
Do we have any reproducer?

Comment 11 Ronald Verbeek 2016-11-24 12:53:49 UTC
Description of problem:
sealert appeared after upgrading fedora 24 to 25


Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.8-300.fc25.x86_64
type:           libreport

Comment 12 Ronald Verbeek 2016-11-24 12:58:16 UTC
I have the same ls -Z output.

Comment 13 Ed 2016-11-24 13:18:17 UTC
(In reply to Ronald Verbeek from comment #11)
> Description of problem:
> sealert appeared after upgrading fedora 24 to 25
> 
> 
> Additional info:
> reporter:       libreport-2.8.0
> hashmarkername: setroubleshoot
> kernel:         4.8.8-300.fc25.x86_64
> type:           libreport

Lukas, I can reproduce it with any application able to send mail through local postfix.

Saw it yesterday after upgrading F24 to F25 and thought it was an accident after the upgrade, but noticed it again this morning: a notification created overnight, caused by Logwatch.

reproducible on CLI: echo "Test" | mail -s "Test" a

Comment 14 Adam Williamson 2016-11-24 20:45:32 UTC
*** Bug 1380883 has been marked as a duplicate of this bug. ***

Comment 15 Adam Williamson 2016-11-24 20:46:15 UTC
*** Bug 1383905 has been marked as a duplicate of this bug. ***

Comment 16 Adam Williamson 2016-11-24 20:46:26 UTC
*** Bug 1378121 has been marked as a duplicate of this bug. ***

Comment 17 Adam Williamson 2016-11-24 20:50:47 UTC
I get a ton of these just from booting up and running my mail server box:

[root@mail /]# journalctl -b | grep AVC | head -25
Nov 24 12:35:46 mail.happyassassin.net audit[641]: AVC avc:  denied  { read } for  pid=641 comm="newaliases" name="log" dev="tmpfs" ino=15106 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[641]: AVC avc:  denied  { read } for  pid=641 comm="newaliases" name="log" dev="tmpfs" ino=15106 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[641]: AVC avc:  denied  { read } for  pid=641 comm="postalias" name="log" dev="tmpfs" ino=15106 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[641]: AVC avc:  denied  { read } for  pid=641 comm="postalias" name="log" dev="tmpfs" ino=15106 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[647]: AVC avc:  denied  { read } for  pid=647 comm="postfix" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[647]: AVC avc:  denied  { read } for  pid=647 comm="postfix" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[647]: AVC avc:  denied  { read } for  pid=647 comm="postfix" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[647]: AVC avc:  denied  { read } for  pid=647 comm="postfix" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[653]: AVC avc:  denied  { read } for  pid=653 comm="master" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[687]: AVC avc:  denied  { read } for  pid=687 comm="postsuper" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[687]: AVC avc:  denied  { read } for  pid=687 comm="postsuper" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[712]: AVC avc:  denied  { read } for  pid=712 comm="postlog" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[712]: AVC avc:  denied  { read } for  pid=712 comm="postlog" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[712]: AVC avc:  denied  { read } for  pid=712 comm="postlog" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[713]: AVC avc:  denied  { read } for  pid=713 comm="master" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[714]: AVC avc:  denied  { read } for  pid=714 comm="master" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[717]: AVC avc:  denied  { read } for  pid=717 comm="qmgr" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[716]: AVC avc:  denied  { read } for  pid=716 comm="pickup" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:47 mail.happyassassin.net audit[463]: AVC avc:  denied  { write } for  pid=463 comm="spamd" name="/" dev="vda3" ino=2 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
Nov 24 12:35:53 mail.happyassassin.net audit[755]: AVC avc:  denied  { read } for  pid=755 comm="smtpd" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:53 mail.happyassassin.net audit[756]: AVC avc:  denied  { read } for  pid=756 comm="proxymap" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:53 mail.happyassassin.net audit[757]: AVC avc:  denied  { read } for  pid=757 comm="tlsmgr" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:53 mail.happyassassin.net audit[755]: AVC avc:  denied  { read } for  pid=755 comm="smtpd" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:53 mail.happyassassin.net audit[758]: AVC avc:  denied  { read } for  pid=758 comm="anvil" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:53 mail.happyassassin.net audit[755]: AVC avc:  denied  { read } for  pid=755 comm="smtpd" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0

and they continue:

[root@mail /]# journalctl -b | grep AVC | wc -l
222

(a few seconds later)

[root@mail /]# journalctl -b | grep AVC | wc -l
234

/run/initramfs/log is called 'log' and is tmpfs_t , but I'm not sure why it'd need to touch that.

Comment 18 Martin Tessun 2016-11-25 16:27:51 UTC
Description of problem:
After Upgrading to fed25 postfix seems to have some selinux issues in accessing its logfiles. This one is just representative for one postfix process, but postfix, qmgr, local, etc. have the very same selinux alert.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.8-300.fc25.x86_64
type:           libreport

Comment 19 Alan Hamilton 2016-11-26 22:36:21 UTC
Yes, it's definitely /dev/log. Something's happened to the policy for the Postfix modules. Running the modules from the command line doesn't catch it since they're running unconfined rather than in the Postfix contexts.

I caught this using strace on the "local" Postfix process:

2640  connect(6, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = -1 EACCES (Permission denied)

And got a corresponding avc:

SELinux is preventing local from read access on the lnk_file log.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that local should be allowed read access on the log lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'local' --raw | audit2allow -M my-local
# semodule -X 300 -i my-local.pp


Additional Information:
Source Context                system_u:system_r:postfix_local_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                log [ lnk_file ]
Source                        local
Source Path                   local
Port                          <Unknown>
Host                          ---.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-224.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ---.com
Platform                      Linux ---.com
                              4.8.8-300.fc25.x86_64 #1 SMP Tue Nov 15 18:10:06
                              UTC 2016 x86_64 x86_64
Alert Count                   5
First Seen                    2016-11-26 14:46:52 MST
Last Seen                     2016-11-26 15:07:01 MST
Local ID                      1c4b1eb5-6151-4db2-b4a2-3f331ea26126

Raw Audit Messages
type=AVC msg=audit(1480198021.599:386): avc:  denied  { read } for  pid=2586 comm="local" name="log" dev="tmpfs" ino=76925 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0


Hash: local,postfix_local_t,tmpfs_t,lnk_file,read

Comment 20 Anthony Messina 2016-11-27 11:26:54 UTC
(In reply to Lukas Vrabec from comment #8)
> Ed, 
> Please run:
> # ls -Z /dev/log 
> 
> THanks.

~]# ls -lZ /dev/log
lrwxrwxrwx. 1 root root system_u:object_r:devlog_t:s0 28 Nov 26 09:40 /dev/log -> /run/systemd/journal/dev-log

Comment 21 Georg Sauthoff 2016-11-27 18:01:41 UTC
I can confirm this issue on freshly installed Fedora 25 system (no upgrade).

Steps to reproduce:

1. install Fedora from scratch
2. install postfix
3. setup basic config
4. systemctl start postfix.service

Actual results: the audit log fills up with read-denied AVC messages.

Expected results: no AVC messages

The used main.cf works on Fedora 23 system without any issues.

The AVCs are for multiple processes, i.e. newaliases/postalias/postfix/master/postsuper/postlog/pickup/qmgr.

2 different inodes are reported.

Shared attributes are: name=log dev=tmpfs tclass=lnk_file
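
The triage that comments 17 and 21 do by eye (one denial signature, many postfix domains, two inodes, shared name=log dev=tmpfs tclass=lnk_file) can be scripted. The script below is an added example, not code from this bug or from the selinux-policy project. It runs an awk parser over AVC records copied from comments 4 and 17 (embedded as a constructed sample so it runs offline; both the ausearch --raw form and the journald "audit[pid]: AVC avc:" form are accepted) and groups them by permission, object class, target type, device and object name, listing the source domains, process names and inodes behind each signature. The function name avc_summary and the variable AVC_SAMPLE are this example's own. On a live host feed it `ausearch -m AVC --raw` or `journalctl -b | grep 'avc: '` instead of the sample.

```shell
#!/bin/sh
# Added example (not from this bug or from selinux-policy): group AVC denials
# by signature so the pattern comments 17 and 21 describe falls out directly.
# Only the key=value tokens and the { perms } set of each record are used, so
# ausearch --raw records and journald lines are handled the same way.

# Constructed sample: records copied from comments 4 and 17 of this bug.
AVC_SAMPLE='type=AVC msg=audit(1479974614.521:228): avc:  denied  { read } for  pid=1247 comm="pickup" name="log" dev="tmpfs" ino=23942 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[641]: AVC avc:  denied  { read } for  pid=641 comm="newaliases" name="log" dev="tmpfs" ino=15106 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[641]: AVC avc:  denied  { read } for  pid=641 comm="postalias" name="log" dev="tmpfs" ino=15106 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[647]: AVC avc:  denied  { read } for  pid=647 comm="postfix" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[653]: AVC avc:  denied  { read } for  pid=653 comm="master" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[717]: AVC avc:  denied  { read } for  pid=717 comm="qmgr" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:46 mail.happyassassin.net audit[716]: AVC avc:  denied  { read } for  pid=716 comm="pickup" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Nov 24 12:35:47 mail.happyassassin.net audit[463]: AVC avc:  denied  { write } for  pid=463 comm="spamd" name="/" dev="vda3" ino=2 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
Nov 24 12:35:53 mail.happyassassin.net audit[755]: AVC avc:  denied  { read } for  pid=755 comm="smtpd" name="log" dev="tmpfs" ino=17721 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0'

# Read AVC records on stdin, print one line per signature:
#   <perms> <tclass> tcontext=<type> dev=<dev> name=<name> count=N domains=... comms=... inodes=...
# Lists keep first-seen order, so output is stable for a given input.
avc_summary() {
  awk '
  {
    perm = ""; tclass = ""; name = ""; dev = ""; ino = ""; sctx = ""; tctx = ""; comm = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "{") {                       # permission set: { read } or { read write }
        for (j = i + 1; j <= NF && $j != "}"; j++)
          perm = (perm == "" ? $j : perm "," $j)
        continue
      }
      eq = index($i, "=")
      if (eq == 0) continue                  # timestamp, hostname, "avc:", "denied", ...
      key = substr($i, 1, eq - 1); val = substr($i, eq + 1); gsub(/"/, "", val)
      if (key == "comm") comm = val
      else if (key == "name") name = val
      else if (key == "dev") dev = val
      else if (key == "ino") ino = val
      else if (key == "tclass") tclass = val
      else if (key == "scontext") { split(val, p, ":"); sctx = p[3] }   # user:role:TYPE:level
      else if (key == "tcontext") { split(val, p, ":"); tctx = p[3] }
    }
    if (tclass == "" || perm == "") next     # not an AVC record
    sig = perm " " tclass " tcontext=" tctx " dev=" dev " name=" name
    if (!(sig in count)) order[++nsig] = sig
    count[sig]++
    if (!((sig, sctx) in dseen)) { dseen[sig, sctx] = 1; domains[sig] = (domains[sig] == "" ? sctx : domains[sig] "," sctx) }
    if (!((sig, comm) in cseen)) { cseen[sig, comm] = 1; comms[sig] = (comms[sig] == "" ? comm : comms[sig] "," comm) }
    if (!((sig, ino) in iseen))  { iseen[sig, ino] = 1;  inodes[sig] = (inodes[sig] == "" ? ino : inodes[sig] "," ino) }
  }
  END {
    for (k = 1; k <= nsig; k++) {
      s = order[k]
      printf "%s count=%d domains=%s comms=%s inodes=%s\n", s, count[s], domains[s], comms[s], inodes[s]
    }
  }'
}

printf '%s\n' "$AVC_SAMPLE" | avc_summary
```

On the sample this yields two signatures: the postfix one (read lnk_file on tmpfs_t, name=log, eight records across five domains and three inodes) and the unrelated spamd write to root_t, which is the separation a policy maintainer needs before asking for a reproducer.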

Comment 22 Georg Sauthoff 2016-11-27 18:25:48 UTC
PS: The `systemctl start postfix.service` doesn't fail, though.

And on `systemctl stop postfix.service` similar read denied (name=log) AVCs are generated.

When stracing the postfix master process during shutdown this happens:

socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 20
connect(20, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = -1 EACCES (Permission denied)
close(20)

In contrast, in permissive mode (i.e. `setenforce 0`) strace logs:

sendto(3, "<22>Nov 27 19:13:38 postfix/mast"..., 67, MSG_NOSIGNAL, NULL, 0) = 67

And indeed, in permissive mode some postfix messages make it to the journal during start/stop - unlike enforcing mode, where no postfix messages show up.

~ # ls -Zl /dev/log 
lrwxrwxrwx. 1 root root system_u:object_r:devlog_t:s0 28 2016-11-27 00:00 /dev/log -> /run/systemd/journal/dev-log
~ # ls -Zl /run/systemd/journal/dev-log
srw-rw-rw-. 1 root root system_u:object_r:devlog_t:s0 0 2016-11-27 00:00 /run/systemd/journal/dev-log

Comment 23 Jeff Buhrt 2016-11-28 00:17:55 UTC
Description of problem:
Updated from F24 to F25 and this is the security error I get even after remarking all objects on a reboot.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.8-300.fc25.x86_64
type:           libreport

Comment 24 Mark Wielaard 2016-11-28 10:54:43 UTC
bug #1398007, bug #1395018, bug #1386929 and bug #1386928 are probably all duplicates of this one (or this one is a duplicate of any of those bugs).

Comment 25 Lukas Vrabec 2016-11-29 01:23:21 UTC
I cannot find any link file labeled as tmpfs_t. 
But postfix looks fine; do you see any issues in enforcing mode? I can always dontaudit it.

olysonek, 
Do you know, what is happening here? 
Postfix tries read "log" lnk_file.

Comment 26 Adam Williamson 2016-11-29 01:38:04 UTC
lvrabec: uh, Georg seems to have nailed things down quite precisely in #c22, and even pointed out the concrete consequence of the problem: "And indeed, in permissive mode some postfix messages make it to the journal during start/stop - unlike enforcing mode, where no postfix messages show up."

Comment 27 Anthony Messina 2016-11-29 01:42:30 UTC
Never mind comment #20 ;)  Lukas, isn't it that /dev/log is symlinked to /run/systemd/journal/dev-log (which is on tmpfs)?

~]# ls -lZ /dev/log
lrwxrwxrwx. 1 root root system_u:object_r:devlog_t:s0 28 Nov 26 09:40 /dev/log -> /run/systemd/journal/dev-log

Comment 28 Lukas Vrabec 2016-11-29 12:32:49 UTC
Okay we have fix for this issue. 

The postfix service file creates its own mount namespace. This means that /dev is labeled as tmpfs_t in that namespace. Adding the following transition:

type_transition init_t tmpfs_t : lnk_file devlog_t "log"; 

Fixes the issue. 

Moving to POST state, update will be available ASAP.
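
The transition in comment 28 shipped in selinux-policy-3.13.1-225 (see the Bodhi updates later in this bug). For a host that cannot take that update yet, the same named file transition can be carried in a local policy module. The script below is an added example, not the selinux-policy package's source nor the Bodhi update; it assumes the module name postfix-devlog (invented here) and the stock checkmodule, semodule_package and semodule tools, and the function names are its own. It puts the targeted fix beside what the setroubleshoot "catchall" suggestion at the top of this report (`ausearch -c 'pickup' --raw | audit2allow -M my-pickup`) would generate, so the difference in what is granted is visible.

```shell
#!/bin/sh
# Added example (not the selinux-policy package's source nor the Bodhi update):
# carry the named file transition from comment 28 in a local policy module on a
# host still running selinux-policy-3.13.1-224.fc25 or older. Assumptions made
# here: the module name "postfix-devlog" is invented, and checkmodule,
# semodule_package and semodule are the stock policycoreutils/checkpolicy tools.

MODNAME=postfix-devlog

# The targeted fix. When init_t (systemd) creates a symlink named "log" in a
# tmpfs_t directory, which is what happens in the private /dev of the postfix
# unit's mount namespace, the link is labelled devlog_t instead of inheriting
# tmpfs_t. /dev/log on the host is already devlog_t (comment 20), so nothing new
# is granted to postfix_*_t and other tmpfs_t symlinks stay unreadable to them.
emit_policy_te() {
  cat <<EOF
module $MODNAME 1.0;

require {
    type init_t;
    type tmpfs_t;
    type devlog_t;
    class lnk_file { read };
}

# systemd-created "log" link under a tmpfs_t /dev gets the devlog_t label
type_transition init_t tmpfs_t : lnk_file devlog_t "log";
EOF
}

# For contrast: the shape of what the catchall suggestion in the report builds.
# "ausearch -c 'pickup' --raw | audit2allow -M my-pickup" turns the AVC into an
# allow rule that lets postfix_pickup_t read *every* tmpfs_t symlink instead of
# fixing the label of this one link, and comment 17 shows at least six domains
# hit, so it would have to be repeated per domain.
emit_audit2allow_style_te() {
  cat <<EOF
module my-pickup 1.0;

require {
    type postfix_pickup_t;
    type tmpfs_t;
    class lnk_file read;
}

#============= postfix_pickup_t ==============
allow postfix_pickup_t tmpfs_t:lnk_file read;
EOF
}

# Write the targeted module source into DIR and compile it to DIR/$MODNAME.pp.
# Returns 0 on success, 2 if the SELinux build tools are not installed, 1 on a
# build error. Nothing here needs root; installing does.
build_module() {
  dir=${1:-.}
  emit_policy_te > "$dir/$MODNAME.te"
  command -v checkmodule >/dev/null 2>&1 || return 2
  command -v semodule_package >/dev/null 2>&1 || return 2
  # -M: build with MLS/MCS fields (targeted policy uses MCS); -m: a loadable module
  checkmodule -M -m -o "$dir/$MODNAME.mod" "$dir/$MODNAME.te" || return 1
  semodule_package -o "$dir/$MODNAME.pp" -m "$dir/$MODNAME.mod" || return 1
}

# Install as root. The transition only applies to links created afterwards, so
# restart postfix: systemd then rebuilds the unit's private /dev and the new
# /dev/log link is created as devlog_t. Remove the module again once the fixed
# selinux-policy is installed: semodule -r $MODNAME
install_module() {
  semodule -i "${1:-.}/$MODNAME.pp"
}

workdir=$(mktemp -d)
if build_module "$workdir"; then
  echo "built $workdir/$MODNAME.pp; as root run: semodule -i $workdir/$MODNAME.pp, then systemctl restart postfix"
else
  echo "SELinux build tools not found; module source written to $workdir/$MODNAME.te" >&2
fi
```

Whether the fix took can be checked from inside the service's namespace rather than from the host: with the transition in place, the journal again carries postfix's syslog messages after a restart, and the lnk_file denials for name="log" stop appearing in `ausearch -m AVC`.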

Comment 29 Lukas Vrabec 2016-11-29 12:41:56 UTC
*** Bug 1395018 has been marked as a duplicate of this bug. ***

Comment 30 Lukas Vrabec 2016-11-29 12:42:02 UTC
*** Bug 1386929 has been marked as a duplicate of this bug. ***

Comment 31 Lukas Vrabec 2016-11-29 12:42:06 UTC
*** Bug 1386928 has been marked as a duplicate of this bug. ***

Comment 32 Fedora Update System 2016-11-29 17:03:53 UTC
selinux-policy-3.13.1-225.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-9d027c3768

Comment 33 Brian J. Murrell 2016-11-30 06:22:54 UTC
Description of problem:
Not really sure what caused this.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.8-300.fc25.x86_64
type:           libreport

Comment 34 Colin J Thomson 2016-11-30 14:30:19 UTC
selinux-policy-3.13.1-225.fc25 fixes the postfix warnings I was seeing.

Comment 35 W Agtail 2016-12-01 15:25:12 UTC
Description of problem:
systemctl start postfix produces several SELinux alerts:


Dec  1 15:21:05 eagle systemd: Starting Postfix Mail Transport Agent...
Dec  1 15:21:05 eagle audit: AVC avc:  denied  { read } for  pid=7173 comm="postfix" name="log" dev="tmpfs" ino=234068 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Dec  1 15:21:05 eagle audit: AVC avc:  denied  { read } for  pid=7179 comm="master" name="log" dev="tmpfs" ino=234068 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Dec  1 15:21:05 eagle audit: AVC avc:  denied  { read } for  pid=7213 comm="postsuper" name="log" dev="tmpfs" ino=234068 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Dec  1 15:21:05 eagle audit: AVC avc:  denied  { read } for  pid=7213 comm="postsuper" name="log" dev="tmpfs" ino=234068 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Dec  1 15:21:06 eagle audit: AVC avc:  denied  { read } for  pid=7238 comm="postlog" name="log" dev="tmpfs" ino=234068 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Dec  1 15:21:06 eagle audit: AVC avc:  denied  { read } for  pid=7238 comm="postlog" name="log" dev="tmpfs" ino=234068 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Dec  1 15:21:06 eagle audit: AVC avc:  denied  { read } for  pid=7238 comm="postlog" name="log" dev="tmpfs" ino=234068 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Dec  1 15:21:06 eagle audit: AVC avc:  denied  { read } for  pid=7239 comm="master" name="log" dev="tmpfs" ino=234068 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Dec  1 15:21:06 eagle audit: AVC avc:  denied  { read } for  pid=7240 comm="master" name="log" dev="tmpfs" ino=234068 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0
Dec  1 15:21:06 eagle systemd: Started Postfix Mail Transport Agent.


Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.10-300.fc25.x86_64
type:           libreport

Comment 36 Viorel Tabara 2016-12-01 15:32:43 UTC
(In reply to W Agtail from comment #35)
> Description of problem:
> systemctl start postfix produces several SELinux alerts:
> 
[...]
> 
> Version-Release number of selected component:
> selinux-policy-3.13.1-224.fc25.noarch

You should upgrade to the latest in testing. See above comments.

Comment 37 Brian J. Murrell 2016-12-02 11:57:59 UTC
(In reply to Viorel Tabara from comment #36)
> (In reply to W Agtail from comment #35)
> > Description of problem:
> > systemctl start postfix produces several SELinux alerts:
> > 
> [...]
> > 
> > Version-Release number of selected component:
> > selinux-policy-3.13.1-224.fc25.noarch
> 
> You should upgrade to latest in testing. See above comments.

I don't see this in testing, even as of right now.

https://muug.ca/mirror/fedora/linux/updates/testing/25/x86_64/s/

Comment 38 Viorel Tabara 2016-12-02 15:47:14 UTC
(In reply to Brian J. Murrell from comment #37)
> I don't see this in testing, even as of right now.

All mirrors will get updated, eventually. Follow the Bodhi link in c#32 and download RPMs manually from Koji:

   omiday ~ $ koji search rpm "selinux*225.fc25*"
   selinux-policy-3.13.1-225.fc25.src.rpm
   selinux-policy-3.13.1-225.fc25.noarch.rpm
   selinux-policy-devel-3.13.1-225.fc25.noarch.rpm
   selinux-policy-doc-3.13.1-225.fc25.noarch.rpm
   selinux-policy-minimum-3.13.1-225.fc25.noarch.rpm
   selinux-policy-mls-3.13.1-225.fc25.noarch.rpm
   selinux-policy-sandbox-3.13.1-225.fc25.noarch.rpm
   selinux-policy-targeted-3.13.1-225.fc25.noarch.rpm

Comment 39 Fedora Update System 2016-12-03 04:31:28 UTC
selinux-policy-3.13.1-225.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9d027c3768

Comment 40 Michael Hampton 2016-12-04 00:14:42 UTC
Description of problem:
Upgraded from F24 to F25

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.10-300.fc25.x86_64
type:           libreport

Comment 41 Fedora Update System 2016-12-05 17:02:23 UTC
selinux-policy-3.13.1-225.1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e3864b8972

Comment 42 Mark Ito 2016-12-06 00:40:49 UTC
Description of problem:
Started postfix. 

 sudo systemctl start postfix

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.10-300.fc25.x86_64
type:           libreport

Comment 43 Michel van der List 2016-12-06 17:00:53 UTC
Description of problem:
Looks like a policy for some postfix functionality is missing in F25.

Version-Release number of selected component:
selinux-policy-3.13.1-224.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.10-300.fc25.x86_64
type:           libreport

Comment 44 Fedora Update System 2016-12-07 02:25:38 UTC
selinux-policy-3.13.1-225.1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e3864b8972

Comment 45 Ed 2016-12-07 10:47:26 UTC
I can confirm the bug has been fixed in selinux-policy-3.13.1-225.1.fc25 and I do have proper output in my journalctl for postfix again!

I have downloaded the files with koji-util ( package ) since it wasn't on the mirrors for me yet.

And did a local dnf update of my selinux-policy-3.13.1-225.1.fc25 and selinux-policy-targeted-3.13.1-225.1.fc25 RPMs.

(I have to note, on my first try I had some problems, and my system wasn't able to boot properly after updating these packages! (It hung on the targeted policies during.) I disabled SELinux in /etc/selinux/config, rebooted again, booted up fine, did a rollback to the older packages, set it to Enforcing SELinux again, rebooted (causing a relabel since I set it to Enforcing), updated the same packages again, rebooted and all was fine!)
Can't reproduce this again since my second try was fine... the package fixes the problem.

Comment 46 Michael Hampton 2016-12-07 16:40:41 UTC
+1 it fixes the problem.

Ed, please remember to leave feedback and karma in bodhi as described in comment 44. That's where it really counts, as that's used to actually decide whether to push the update.

Comment 47 Fedora Update System 2016-12-08 18:22:47 UTC
selinux-policy-3.13.1-225.1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 48 Brian J. Murrell 2016-12-09 12:30:41 UTC
SELinux is preventing pickup from read access on the lnk_file log.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pickup should be allowed read access on the log lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pickup' --raw | audit2allow -M my-pickup
# semodule -X 300 -i my-pickup.pp


Additional Information:
Source Context                system_u:system_r:postfix_pickup_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                log [ lnk_file ]
Source                        pickup
Source Path                   pickup
Port                          <Unknown>
Host                          pc.interlinx.bc.ca
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-225.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     pc.interlinx.bc.ca
Platform                      Linux pc.interlinx.bc.ca 4.8.8-300.fc25.x86_64 #1
                              SMP Tue Nov 15 18:10:06 UTC 2016 x86_64 x86_64
Alert Count                   217
First Seen                    2016-11-30 14:33:04 EST
Last Seen                     2016-12-09 07:11:23 EST
Local ID                      c06a8cc0-0b20-466b-9283-54a7043946de

Raw Audit Messages
type=AVC msg=audit(1481285483.653:10495): avc:  denied  { read } for  pid=6778 comm="pickup" name="log" dev="tmpfs" ino=27301 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=0


Hash: pickup,postfix_pickup_t,tmpfs_t,lnk_file,read

Notice the selinux-policy version above.

Comment 49 Mota Kardeh 2016-12-20 11:21:47 UTC
*** Bug 1406352 has been marked as a duplicate of this bug. ***

