https://bugzilla.redhat.com/show_bug.cgi?id=480129

--- Comment #2 from Erik M Jacobs <ejacobs@xxxxxxxxxx> 2012-03-31 12:45:29 EDT ---

OK, looking at the topic of the bug, it says "only in enforcing mode." I can confirm that the issue does not present in permissive mode:

    [root@shrugged ~]$ setenforce permissive
    [root@shrugged ~]$ service amavisd restart
    Shutting down amavisd: Daemon [28225] terminated by SIGTERM
    [ OK ]
    amavisd stopped
    Starting amavisd: [ OK ]
    [root@shrugged ~]$ setenforce enforcing
    [root@shrugged ~]$ service amavisd restart
    Shutting down amavisd: Error: /proc must be mounted
      To mount /proc at boot you need an /etc/fstab line like:
          /proc /proc proc defaults
      In the meantime, run "mount /proc /proc -t proc"
    Daemon [28261] terminated by SIGTERM
    [ OK ]
    amavisd stopped
    Starting amavisd: [ OK ]

Here is the painful irony: In enforcing mode, there are no denials logged!! The system needs to be in permissive mode in order to even see the AVC denials:

    type=MAC_STATUS msg=audit(1333211543.148:58687): enforcing=0 old_enforcing=1 auid=501 ses=8891
    type=SYSCALL msg=audit(1333211543.148:58687): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fffcc69c460 a2=1 a3=30733a745f6465 items=0 ppid=27960 pid=28239 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="setenforce" exe="/usr/sbin/setenforce" subj=user_u:system_r:unconfined_t:s0 key=(null)
    type=AVC msg=audit(1333211546.444:58688): avc: denied { read } for pid=28254 comm="uptime" name="utmp" dev=md1 ino=357728263 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
    type=SYSCALL msg=audit(1333211546.444:58688): arch=c000003e syscall=2 success=yes exit=4 a0=340a1220f2 a1=0 a2=2 a3=0 items=0 ppid=28253 pid=28254 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:amavis_t:s0 key=(null)
    type=AVC msg=audit(1333211546.444:58689): avc: denied { lock } for pid=28254 comm="uptime" path="/var/run/utmp" dev=md1 ino=357728263 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
    type=SYSCALL msg=audit(1333211546.444:58689): arch=c000003e syscall=72 success=yes exit=0 a0=4 a1=7 a2=7fff2445b700 a3=8 items=0 ppid=28253 pid=28254 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:amavis_t:s0 key=(null)
    type=MAC_STATUS msg=audit(1333211551.191:58690): enforcing=1 old_enforcing=0 auid=501 ses=8891
    type=SYSCALL msg=audit(1333211551.191:58690): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fffa8f0fce0 a2=1 a3=30733a745f6465 items=0 ppid=27960 pid=28269 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="setenforce" exe="/usr/sbin/setenforce" subj=user_u:system_r:unconfined_t:s0 key=(null)

So, it looks like there are selinux issues with trying to access uptime:

    [root@shrugged ~]$ ausearch -m avc -ts 12:00
    ----
    time->Sat Mar 31 16:32:26 2012
    type=SYSCALL msg=audit(1333211546.444:58689): arch=c000003e syscall=72 success=yes exit=0 a0=4 a1=7 a2=7fff2445b700 a3=8 items=0 ppid=28253 pid=28254 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:amavis_t:s0 key=(null)
    type=AVC msg=audit(1333211546.444:58689): avc: denied { lock } for pid=28254 comm="uptime" path="/var/run/utmp" dev=md1 ino=357728263 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
    ----
    time->Sat Mar 31 16:32:26 2012
    type=SYSCALL msg=audit(1333211546.444:58688): arch=c000003e syscall=2 success=yes exit=4 a0=340a1220f2 a1=0 a2=2 a3=0 items=0 ppid=28253 pid=28254 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8891 comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:amavis_t:s0 key=(null)
    type=AVC msg=audit(1333211546.444:58688): avc: denied { read } for pid=28254 comm="uptime" name="utmp" dev=md1 ino=357728263 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

Into audit2allow:

    #============= amavis_t ==============
    allow amavis_t initrc_var_run_t:file { read lock };

Now, I'm not sure if this should be default SELinux policy or not, or if there should be a boolean... but this is what's causing the issue. It's not in amavis, and I'll be updating the bug appropriately.
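
The audit records quoted in the comment above can be reduced to the same rule audit2allow printed, with each denial tagged by the mode in force when it was recorded. This is an added example, not part of the original comment or of any SELinux tool; the function names and the SAMPLE log (only the MAC_STATUS and AVC records, constructed from the lines in the mail) are assumptions, as is the system being in enforcing mode before the first MAC_STATUS record.

```python
import re
from collections import defaultdict

# Constructed sample: the MAC_STATUS and AVC records from the mail, SYSCALL records omitted.
SAMPLE = """\
type=MAC_STATUS msg=audit(1333211543.148:58687): enforcing=0 old_enforcing=1 auid=501 ses=8891
type=AVC msg=audit(1333211546.444:58688): avc: denied { read } for pid=28254 comm="uptime" name="utmp" dev=md1 ino=357728263 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1333211546.444:58689): avc: denied { lock } for pid=28254 comm="uptime" path="/var/run/utmp" dev=md1 ino=357728263 scontext=user_u:system_r:amavis_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=MAC_STATUS msg=audit(1333211551.191:58690): enforcing=1 old_enforcing=0 auid=501 ses=8891
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)")
MAC_RE = re.compile(r"type=MAC_STATUS msg=audit\([\d.]+:\d+\): enforcing=(?P<e>[01])")

def selinux_type(context):
    # A context is user:role:type[:level]; policy rules are written on the type.
    return context.split(":")[2]

def summarize(log, start_enforcing=True):
    """Group denials by (source type, target type, class) and record the mode they occurred in."""
    enforcing = start_enforcing
    rules = defaultdict(dict)   # dict used as an insertion-ordered set of permissions
    modes = defaultdict(set)
    for line in log.splitlines():
        mac = MAC_RE.search(line)
        if mac:                 # setenforce was run: track the new mode
            enforcing = mac.group("e") == "1"
            continue
        avc = AVC_RE.search(line)
        if avc:
            key = (selinux_type(avc["s"]), selinux_type(avc["t"]), avc["c"])
            rules[key].update(dict.fromkeys(avc["perms"].split()))
            modes[key].add("enforcing" if enforcing else "permissive")
    return rules, modes

def allow_rules(rules):
    """Render the grouped denials in audit2allow's 'allow' syntax."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        names = list(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out

if __name__ == "__main__":
    rules, modes = summarize(SAMPLE)
    for rule, key in zip(allow_rules(rules), sorted(rules)):
        print(rule, "# seen while:", ", ".join(sorted(modes[key])))
```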