Bug 1840880

Summary: fetchmail cannot remove stale /var/spool/mail/.fetchmail.pid file
Product: Fedora
Component: selinux-policy
Version: 32
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: medium
Reporter: guilde.nt
Assignee: Zdenek Pytela <zpytela>
QA Contact: Milos Malik <mmalik>
CC: anon.amish, dwalsh, grepl.miroslav, lvrabec, mmalik, plautrba, vcrhonek, vmojzis, zpytela
Keywords: Triaged
Fixed In Version: selinux-policy-3.14.5-40.fc32
Doc Type: If docs needed, set a value
Clones: 1853389
Last Closed: 2020-06-11 22:57:18 UTC
Type: Bug

Description guilde.nt 2020-05-27 19:11:03 UTC
Description of problem:

fetchmail is not started at boot if it finds /var/spool/mail/.fetchmail.pid.

May 27 09:36:36 alpha audit[977]: AVC avc:  denied  { unlink } for  pid=977 comm="fetchmail" name=".fetchmail.pid" dev="dm-0" ino=393547 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0
May 27 09:36:36 alpha audit[977]: AVC avc:  denied  { write } for  pid=977 comm="fetchmail" name=".fetchmail.pid" dev="dm-0" ino=393547 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0
May 27 09:36:36 alpha fetchmail[977]: fetchmail: removing stale lockfile
May 27 09:36:36 alpha fetchmail[977]: /var/spool/mail/.fetchmail.pid: Permission denied
May 27 09:36:36 alpha fetchmail[977]: /var/spool/mail/.fetchmail.pid: Permission denied
May 27 09:36:36 alpha systemd[1]: fetchmail.service: Main process exited, code=exited, status=8/n/a
May 27 09:36:36 alpha systemd[1]: fetchmail.service: Failed with result 'exit-code'.
May 27 09:36:36 alpha audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fetchmail comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'


Version-Release number of selected component (if applicable):

fetchmail-6.4.1-2.fc32.x86_64


How reproducible:

Whenever /var/spool/mail/.fetchmail.pid is left behind.


Comment 1 Vitezslav Crhonek 2020-05-28 08:22:42 UTC
Thank you for the bug report. I guess that this needs to be fixed in SELinux policy.

Comment 2 Milos Malik 2020-05-28 09:34:13 UTC
The .fetchmail.pid file is created with a different context than what is expected by restorecon.

# service fetchmail start
Redirecting to /bin/systemctl start fetchmail.service
# service fetchmail status
Redirecting to /bin/systemctl status fetchmail.service
● fetchmail.service - A remote-mail retrieval utility
     Loaded: loaded (/usr/lib/systemd/system/fetchmail.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2020-05-28 05:26:52 EDT; 1s ago
   Main PID: 18688 (fetchmail)
      Tasks: 1 (limit: 2340)
     Memory: 920.0K
        CPU: 10ms
     CGroup: /system.slice/fetchmail.service
             └─18688 /usr/bin/fetchmail -d 300 --fetchmailrc /etc/fetchmailrc.example

May 28 05:26:52 ci-vm-10-0-138-45.hosted.upshift.rdu2.redhat.com systemd[1]: Started A remote-mail retrieval utility.
# find /var/spool/ -name \*pid\*
/var/spool/postfix/pid
/var/spool/postfix/pid/master.pid
/var/spool/mail/.fetchmail.pid
# ls -Z /var/spool/mail/.fetchmail.pid
system_u:object_r:fetchmail_uidl_cache_t:s0 /var/spool/mail/.fetchmail.pid
# matchpathcon /var/spool/mail/.fetchmail.pid
/var/spool/mail/.fetchmail.pid	system_u:object_r:mail_spool_t:s0
# restorecon -Rv /var/spool/mail/
Relabeled /var/spool/mail/.fetchmail.pid from system_u:object_r:fetchmail_uidl_cache_t:s0 to system_u:object_r:mail_spool_t:s0
# service fetchmail status
Redirecting to /bin/systemctl status fetchmail.service
● fetchmail.service - A remote-mail retrieval utility
     Loaded: loaded (/usr/lib/systemd/system/fetchmail.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2020-05-28 05:26:52 EDT; 1min 6s ago
   Main PID: 18688 (fetchmail)
      Tasks: 1 (limit: 2340)
     Memory: 920.0K
        CPU: 10ms
     CGroup: /system.slice/fetchmail.service
             └─18688 /usr/bin/fetchmail -d 300 --fetchmailrc /etc/fetchmailrc.example

May 28 05:26:52 ci-vm-10-0-138-45.hosted.upshift.rdu2.redhat.com systemd[1]: Started A remote-mail retrieval utility.
# service fetchmail stop
Redirecting to /bin/systemctl stop fetchmail.service
# ausearch -m avc -i 
----
type=AVC msg=audit(05/28/2020 05:28:01.188:476) : avc:  denied  { unlink } for  pid=18688 comm=fetchmail name=.fetchmail.pid dev="vda1" ino=1565 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0 
#

After running the "restorecon -Rv /var/spool/mail" command, which corrects the labels according to file context patterns, the fetchmail service is not able to delete its PID file.

Comment 3 Milos Malik 2020-05-28 09:37:35 UTC
If the PID file exists and it is labeled mail_spool_t, then the fetchmail service cannot start again. The following SELinux denials appear in enforcing mode:
----
type=PROCTITLE msg=audit(05/28/2020 05:35:43.493:486) : proctitle=/usr/bin/fetchmail -d 300 --fetchmailrc /etc/fetchmailrc.example 
type=PATH msg=audit(05/28/2020 05:35:43.493:486) : item=1 name=/var/spool/mail/.fetchmail.pid inode=1565 dev=fc:01 mode=file,600 ouid=mail ogid=mail rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/28/2020 05:35:43.493:486) : item=0 name=/var/spool/mail/ inode=686 dev=fc:01 mode=dir,775 ouid=root ogid=mail rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/28/2020 05:35:43.493:486) : cwd=/ 
type=SYSCALL msg=audit(05/28/2020 05:35:43.493:486) : arch=x86_64 syscall=unlink success=no exit=EACCES(Permission denied) a0=0x5650cc5751f0 a1=0x0 a2=0x7f41e5346840 a3=0x1 items=2 ppid=1 pid=18819 auid=unset uid=mail gid=mail euid=mail suid=mail fsuid=mail egid=mail sgid=mail fsgid=mail tty=(none) ses=unset comm=fetchmail exe=/usr/bin/fetchmail subj=system_u:system_r:fetchmail_t:s0 key=(null) 
type=AVC msg=audit(05/28/2020 05:35:43.493:486) : avc:  denied  { unlink } for  pid=18819 comm=fetchmail name=.fetchmail.pid dev="vda1" ino=1565 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(05/28/2020 05:35:43.496:487) : proctitle=/usr/bin/fetchmail -d 300 --fetchmailrc /etc/fetchmailrc.example 
type=PATH msg=audit(05/28/2020 05:35:43.496:487) : item=0 name=/var/spool/mail/.fetchmail.pid inode=1565 dev=fc:01 mode=file,600 ouid=mail ogid=mail rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/28/2020 05:35:43.496:487) : cwd=/ 
type=SYSCALL msg=audit(05/28/2020 05:35:43.496:487) : arch=x86_64 syscall=truncate success=no exit=EACCES(Permission denied) a0=0x5650cc5751f0 a1=0x0 a2=0x0 a3=0x7f41e5617483 items=1 ppid=1 pid=18819 auid=unset uid=mail gid=mail euid=mail suid=mail fsuid=mail egid=mail sgid=mail fsgid=mail tty=(none) ses=unset comm=fetchmail exe=/usr/bin/fetchmail subj=system_u:system_r:fetchmail_t:s0 key=(null) 
type=AVC msg=audit(05/28/2020 05:35:43.496:487) : avc:  denied  { write } for  pid=18819 comm=fetchmail name=.fetchmail.pid dev="vda1" ino=1565 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0 
----

Comment 4 Milos Malik 2020-05-28 09:40:07 UTC
The only SELinux denial that appears in permissive mode is:
----
type=PROCTITLE msg=audit(05/28/2020 05:38:59.398:492) : proctitle=/usr/bin/fetchmail -d 300 --fetchmailrc /etc/fetchmailrc.example 
type=PATH msg=audit(05/28/2020 05:38:59.398:492) : item=1 name=/var/spool/mail/.fetchmail.pid inode=1565 dev=fc:01 mode=file,600 ouid=mail ogid=mail rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/28/2020 05:38:59.398:492) : item=0 name=/var/spool/mail/ inode=686 dev=fc:01 mode=dir,775 ouid=root ogid=mail rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/28/2020 05:38:59.398:492) : cwd=/ 
type=SYSCALL msg=audit(05/28/2020 05:38:59.398:492) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x564c56d871f0 a1=0x0 a2=0x7fed835f9840 a3=0x1 items=2 ppid=1 pid=18859 auid=unset uid=mail gid=mail euid=mail suid=mail fsuid=mail egid=mail sgid=mail fsgid=mail tty=(none) ses=unset comm=fetchmail exe=/usr/bin/fetchmail subj=system_u:system_r:fetchmail_t:s0 key=(null) 
type=AVC msg=audit(05/28/2020 05:38:59.398:492) : avc:  denied  { unlink } for  pid=18859 comm=fetchmail name=.fetchmail.pid dev="vda1" ino=1565 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=1 
----

Comment 5 Milos Malik 2020-05-28 09:46:19 UTC
# matchpathcon /var/spool/
/var/spool	system_u:object_r:var_spool_t:s0
# matchpathcon /var/spool/mail/
/var/spool/mail	system_u:object_r:mail_spool_t:s0
# sesearch -s fetchmail_t -t mail_spool_t -T
type_transition fetchmail_t mail_spool_t:file fetchmail_uidl_cache_t;
# 

It seems that the file context pattern for "/var/spool/mail/.fetchmail.pid" is missing:

# semanage fcontext -l | grep fetchmail_uidl_cache_t
/var/lib/fetchmail(/.*)?                           all files          system_u:object_r:fetchmail_uidl_cache_t:s0 
/var/mail/\.fetchmail-UIDL-cache                   regular file       system_u:object_r:fetchmail_uidl_cache_t:s0 
#
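The denials quoted in the description and in Comments 3 and 4 arrive in two shapes, syslog AVC lines and `ausearch -i` records, and Comment 4 shows why the `permissive=` flag matters: a permissive-mode record is logged but not refused. The Python below is an added example, not code from the bug or from the selinux-policy fix; it parses both shapes, keeps enforcing and permissive records apart, and groups refused permissions by source type, target type and file name, which is exactly the (fetchmail_t, mail_spool_t, .fetchmail.pid) triple that Comment 5 traces to the missing file-context pattern. The sample log is constructed from the records quoted in this report.

```python
import re
from collections import defaultdict

# Constructed sample, copied from the records quoted in this bug: two syslog-style
# AVC lines, one `ausearch -i` record, and one unrelated line that must be skipped.
SAMPLE_LOG = """\
May 27 09:36:36 alpha audit[977]: AVC avc:  denied  { unlink } for  pid=977 comm="fetchmail" name=".fetchmail.pid" dev="dm-0" ino=393547 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0
May 27 09:36:36 alpha audit[977]: AVC avc:  denied  { write } for  pid=977 comm="fetchmail" name=".fetchmail.pid" dev="dm-0" ino=393547 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(05/28/2020 05:38:59.398:492) : avc:  denied  { unlink } for  pid=18859 comm=fetchmail name=.fetchmail.pid dev="vda1" ino=1565 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=1
May 28 05:26:52 host systemd[1]: Started A remote-mail retrieval utility.
"""

# Both formats carry the same "avc:  denied  { perms } for key=value ..." tail.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def seltype(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC record; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "source_type": seltype(fields["scontext"]),
        "target_type": seltype(fields["tcontext"]),
        # permissive=1 means the access was logged but allowed to proceed
        "enforced": fields.get("permissive") == "0",
    }

def summarize(log_text):
    """Group denials by (source type, target type, class, name) and collect the
    refused permissions; enforced and permissive-mode records are kept apart so
    an audit-only record is not mistaken for a real failure."""
    enforced, audit_only = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"], rec["name"])
        (enforced if rec["enforced"] else audit_only)[key].update(rec["perms"])
    return dict(enforced), dict(audit_only)
```

Running `summarize(SAMPLE_LOG)` yields a single enforced key for fetchmail_t acting on a mail_spool_t file named .fetchmail.pid with {unlink, write} refused, plus the one permissive-mode unlink from Comment 4 kept separately.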

Comment 8 Milos Malik 2020-05-28 10:05:22 UTC
Good catch, nt.guilde!

Comment 10 Zdenek Pytela 2020-06-02 14:06:41 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/257

Comment 11 Lukas Vrabec 2020-06-03 08:44:26 UTC
commit 22a72723552b1c4bc6dd42f7f55fd9dd42426c3c (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Tue Jun 2 15:30:17 2020 +0200

    Add fetchmail_uidl_cache_t type for /var/mail/.fetchmail.pid
    
    Resolves: rhbz#1840880

Comment 12 Fedora Update System 2020-06-05 13:42:20 UTC
FEDORA-2020-ca8855e4de has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-ca8855e4de

Comment 13 Fedora Update System 2020-06-08 01:46:09 UTC
FEDORA-2020-ca8855e4de has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-ca8855e4de`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-ca8855e4de

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 14 Fedora Update System 2020-06-11 22:57:18 UTC
selinux-policy-3.14.5-40.fc32 has been pushed to the Fedora 32 stable repository. If problems still persist, please make note of it in this bug report.