| Summary: | SELinux is preventing /usr/bin/fetchmail from getattr access on the file /etc/krb5.conf. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | DaveG <daveg> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 14 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i686 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.9.7-46.fc14 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-10-30 00:34:02 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Did you set up fetchmail to use kerberos?

No, kerberos is only installed for package requirements - not used by any authentication mechanism or by any fetchmail connection configurations. fetchmail does include kerberos to support APOP & GSSAPI authentication for outgoing connections. For reference:

    # rpm -qf /etc/krb5.conf
    krb5-libs-1.8.4-2.fc14.i686
    # rpm -qa 'krb*'
    krb5-libs-1.8.4-2.fc14.i686
    krb5-workstation-1.8.4-2.fc14.i686
    # rpm -q fetchmail
    fetchmail-6.3.20-1.fc14.i686
    # rpm -V krb5-libs krb5-workstation fetchmail
    (no errors)
    # ls -lZ /etc/krb5.conf
    -rw-r--r--. root root system_u:object_r:krb5_conf_t:s0 /etc/krb5.conf

-- DaveG.

Looks like fetchmail is just listing the contents of /etc then, I would guess.

After a quick look at fetchmail, it is linked with a number of krb5 libraries and probably tries to initialise kerberos context, principal names, realms etc. at the start of each mail collection run. The spec file builds fetchmail with

    %configure ... --with-kerberos5 ...

My use case may be a factor - I run fetchmail as a daemon service from an init script and set uid/gid to an unprivileged user, /sbin/nologin. Would a "normal" user need additional privileges to use kerberos?

Hopefully the solution is to just add a kerberos macro to the fetchmail SELinux module. Interface "kerberos_use"? Not sure what the implications would be regarding security or confinement. There is a "kerberos_read_config" macro that would probably fit my use case with minimal implications elsewhere. Someone may need to investigate what would be needed for full kerberos support (preferably someone familiar with how it works).

-- DaveG.

I would just add kerberos_use(), which I added to the Rawhide policy. Miroslav, can you add it to F14-16 and RHEL6?

Fixed in selinux-policy-3.9.16-37.fc15

selinux-policy-3.9.7-46.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-46.fc14

Package selinux-policy-3.9.7-46.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-46.fc14'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14734
then log in and leave karma (feedback).

selinux-policy-3.9.7-46.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
Pasted: email from headless server. Kerberos is not used locally or in any configured email collections.

SELinux is preventing /usr/bin/fetchmail from getattr access on the file /etc/krb5.conf.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that fetchmail should be allowed getattr access on the krb5.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:

    # grep fetchmail /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

Additional Information:

    Source Context                system_u:system_r:fetchmail_t:s0
    Target Context                system_u:object_r:krb5_conf_t:s0
    Target Objects                /etc/krb5.conf [ file ]
    Source                        fetchmail
    Source Path                   /usr/bin/fetchmail
    Port                          <Unknown>
    Host                          holly.localnet
    Source RPM Packages           fetchmail-6.3.20-1.fc14
    Target RPM Packages           krb5-libs-1.8.4-2.fc14
    Policy RPM                    selinux-policy-3.9.7-42.fc14
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     holly.localnet
    Platform                      Linux holly.localnet 2.6.35.13-92.fc14.i686.PAE #1 SMP Sat May 21 17:33:09 UTC 2011 i686 i686
    Alert Count                   16
    First Seen                    Wed Jul 27 12:45:26 2011
    Last Seen                     Mon Aug 1 15:54:11 2011
    Local ID                      425abd26-b2c8-42a9-9d63-b5b3487070fe

Raw Audit Messages

    type=AVC msg=audit(1312210451.698:22924): avc: denied { getattr } for pid=1685 comm="fetchmail" path="/etc/krb5.conf" dev=dm-0 ino=9415 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file

    type=SYSCALL msg=audit(1312210451.698:22924): arch=i386 syscall=stat64 success=no exit=EACCES a0=a07b958 a1=bfb95efc a2=c01ff4 a3=3 items=0 ppid=1 pid=1685 auid=4294967295 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=4294967295 comm=fetchmail exe=/usr/bin/fetchmail subj=system_u:system_r:fetchmail_t:s0 key=(null)

Hash: fetchmail,fetchmail_t,krb5_conf_t,file,getattr

audit2allow

    #============= fetchmail_t ==============
    allow fetchmail_t krb5_conf_t:file getattr;

audit2allow -R

    #============= fetchmail_t ==============
    allow fetchmail_t krb5_conf_t:file getattr;
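The raw AVC record above, and the thread's question of whether fetchmail_t needs the narrow kerberos_read_config interface or the broader kerberos_use, can be worked through in code. The following is an added example written for this page; it is not Fedora's audit2allow and not part of selinux-policy. It parses AVC denials the way audit2allow does (merging every denied permission per source type, target type and object class into one allow rule), then picks the interface that grants the fewest permissions while still covering the denial. Assumptions: the first log line is the report's AVC record verbatim, the SYSCALL line is a shortened copy of the report's, the third line is a constructed follow-on denial (read and open) of the kind that shows up once getattr is allowed, and INTERFACES is a hand-written, abbreviated model of the two refpolicy interfaces, not the real kerberos.if.

```python
"""Parse SELinux AVC denials and pick the least-privilege policy interface.

Added example for this bug report, not Fedora's audit2allow and not part of
selinux-policy. INTERFACES is an assumed, abbreviated model of refpolicy's
kerberos.if; the third sample log line is constructed.
"""
import re
from collections import defaultdict

# Constructed audit log. Line 1: the report's AVC record verbatim.
# Line 2: shortened copy of the report's SYSCALL record (ignored by the
# parser). Line 3: constructed denial that would follow once getattr is
# allowed and fetchmail goes on to open the file.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1312210451.698:22924): avc: denied { getattr } for pid=1685 comm="fetchmail" path="/etc/krb5.conf" dev=dm-0 ino=9415 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1312210451.698:22924): arch=i386 syscall=stat64 success=no exit=EACCES pid=1685 comm=fetchmail exe=/usr/bin/fetchmail subj=system_u:system_r:fetchmail_t:s0
type=AVC msg=audit(1312210460.100:22930): avc: denied { read open } for pid=1685 comm="fetchmail" path="/etc/krb5.conf" dev=dm-0 ino=9415 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
"""

# Matches the permission set and the three fields a rule is built from.
# Tolerates the single or double spacing auditd uses around "denied".
AVC_RE = re.compile(
    r"type=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Third field of user:role:type[:level] is the SELinux type."""
    return ctx.split(":")[2]


def parse_avc(log_text):
    """Map (source type, target type, class) -> set of denied permissions.

    Like audit2allow, denials of the same triple are merged so the rule
    carries every permission seen, not just the one from the first record.
    """
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH and other non-AVC records
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def allow_rules(denials):
    """Render one audit2allow-style allow rule per (source, target, class)."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


# Assumed model of two refpolicy interfaces as sets of (target type, class,
# permission) grants. kerberos_read_config only reads the config file;
# kerberos_use also lets the domain talk to the KDC (abbreviated here).
READ_FILE_PERMS = ("getattr", "open", "read", "lock", "ioctl")
SOCKET_PERMS = ("create", "connect", "read", "write")
INTERFACES = {
    "kerberos_read_config": {("krb5_conf_t", "file", p) for p in READ_FILE_PERMS},
    "kerberos_use": (
        {("krb5_conf_t", "file", p) for p in READ_FILE_PERMS}
        | {("self", "tcp_socket", p) for p in SOCKET_PERMS}
        | {("self", "udp_socket", p) for p in SOCKET_PERMS}
    ),
}


def suggest_interface(denials):
    """Per denial, the interface granting the fewest permissions that still
    covers every denied permission; None if no modelled interface fits (a
    raw allow rule or a new interface is then needed)."""
    suggestions = {}
    for (src, tgt, cls), perms in denials.items():
        needed = {(tgt, cls, p) for p in perms}
        fitting = [name for name, grants in INTERFACES.items() if needed <= grants]
        suggestions[(src, tgt, cls)] = (
            min(fitting, key=lambda n: len(INTERFACES[n])) if fitting else None
        )
    return suggestions


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT_LOG)
    for rule in allow_rules(found):
        print(rule)
    for (src, tgt, cls), iface in suggest_interface(found).items():
        print(f"{src} on {tgt}:{cls} -> {iface}({src})")
```

Run against only the report's own AVC line, the script reproduces the page's `allow fetchmail_t krb5_conf_t:file getattr;`; with the constructed read/open denial merged in it emits the combined rule and, because both modelled interfaces cover it, chooses kerberos_read_config as the smaller grant. A denial the model cannot cover (for instance a write on krb5_conf_t) yields None, which is the signal to stop and look at why the domain wants that access rather than paste the audit2allow rule into a local module.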