Bug 1009096 - selinux and fetchmail
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-09-17 12:47 EDT by W Agtail
Modified: 2013-09-29 20:34 EDT
Fixed In Version: selinux-policy-3.12.1-74.8.fc19
Doc Type: Bug Fix
Last Closed: 2013-09-29 20:34:45 EDT
Type: Bug
Description W Agtail 2013-09-17 12:47:11 EDT
Description of problem:
fetchmail is unable to run correctly with selinux enabled

Version-Release number of selected component (if applicable):
f19
rpm -q fetchmail selinux-policy
fetchmail-6.3.24-3.fc19.x86_64
selinux-policy-3.12.1-74.1.fc19.noarch

How reproducible:
Always

Steps to Reproduce:
1. configure fetchmail to start in /sbin/ifup-local

Actual results:
Refer to Bug 989704, comment 18

Expected results:
fetchmail to start via /sbin/ifup-local and deliver email via mda without any issues.

Additional info:
Comment 1 Daniel Walsh 2013-09-17 13:50:18 EDT
What AVCs are you seeing?
Comment 2 W Agtail 2013-09-17 14:01:45 EDT
SELinux is preventing /usr/bin/bash from execute access on the file /usr/sbin/sendmail.postfix.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed execute access on the sendmail.postfix file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:fetchmail_t:s0
Target Context                system_u:object_r:sendmail_exec_t:s0
Target Objects                /usr/sbin/sendmail.postfix [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          tux19
Source RPM Packages           bash-4.2.45-1.fc19.x86_64
Target RPM Packages           postfix-2.10.1-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-74.1.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tux19
Platform                      Linux tux19 3.10.7-200.fc19.x86_64 #1 SMP
                              Thu Aug 15 23:19:45 UTC 2013 x86_64 x86_64
Alert Count                   100
First Seen                    2013-09-07 14:21:43 BST
Last Seen                     2013-09-07 16:19:23 BST
Local ID                      2bc4e48f-925f-4258-a950-10db5f62222f

Raw Audit Messages
type=AVC msg=audit(1378567163.872:943): avc:  denied  { execute } for  pid=16728 comm="sh" name="sendmail.postfix" dev="dm-0" ino=409598 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1378567163.872:943): arch=x86_64 syscall=execve success=no exit=EACCES a0=129b260 a1=129ae80 a2=1299c50 a3=8 items=0 ppid=16676 pid=16728 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=sh exe=/usr/bin/bash subj=system_u:system_r:fetchmail_t:s0 key=(null)

Hash: sh,fetchmail_t,sendmail_exec_t,file,execute

############################################################################

SELinux is preventing /usr/bin/bash from getattr access on the file /usr/sbin/sendmail.postfix.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed getattr access on the sendmail.postfix file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:fetchmail_t:s0
Target Context                system_u:object_r:sendmail_exec_t:s0
Target Objects                /usr/sbin/sendmail.postfix [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          tux19
Source RPM Packages           bash-4.2.45-1.fc19.x86_64
Target RPM Packages           postfix-2.10.1-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-74.1.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tux19
Platform                      Linux tux19 3.10.7-200.fc19.x86_64 #1 SMP
                              Thu Aug 15 23:19:45 UTC 2013 x86_64 x86_64
Alert Count                   106
First Seen                    2013-09-07 14:21:43 BST
Last Seen                     2013-09-07 16:19:23 BST
Local ID                      3f9e9fd2-cc0f-4b50-84aa-5c98e0ea09de

Raw Audit Messages
type=AVC msg=audit(1378567163.872:945): avc:  denied  { getattr } for  pid=16728 comm="sh" path="/usr/sbin/sendmail.postfix" dev="dm-0" ino=409598 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1378567163.872:945): arch=x86_64 syscall=stat success=no exit=EACCES a0=129b260 a1=7fff16075360 a2=7fff16075360 a3=8 items=0 ppid=16676 pid=16728 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=sh exe=/usr/bin/bash subj=system_u:system_r:fetchmail_t:s0 key=(null)

Hash: sh,fetchmail_t,sendmail_exec_t,file,getattr
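
Added example (not part of the original report and not selinux-policy project code): the sealert hint above pipes `grep sh` into audit2allow, which selects every audit line containing "sh", not only the fetchmail_t denials. This sketch parses the two AVC records quoted in comment 2, plus one constructed unrelated record, and derives allow rules in the style of audit2allow output so the rule can be scoped to one source domain and reviewed before any module is loaded. Function names and the third record are assumptions made for illustration.

```python
import re
from collections import defaultdict

# First two records are the AVC lines quoted in comment 2; the third is a
# constructed, unrelated denial that a plain `grep sh` would also match.
SAMPLE_LOG = '''\
type=AVC msg=audit(1378567163.872:943): avc:  denied  { execute } for  pid=16728 comm="sh" name="sendmail.postfix" dev="dm-0" ino=409598 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1378567163.872:945): avc:  denied  { getattr } for  pid=16728 comm="sh" path="/usr/sbin/sendmail.postfix" dev="dm-0" ino=409598 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1378567200.000:950): avc:  denied  { read } for  pid=17000 comm="sshd" name="example.conf" dev="dm-0" ino=1 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, class, permissions) per AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (context_type(m["scontext"]), context_type(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))

def allow_rules(log_text, source_type=None):
    """Merge denials into allow rules, optionally for one source domain only."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        if source_type is None or src == source_type:
            merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

def substring_matches(log_text, needle="sh"):
    """Lines a plain `grep <needle>` would pass on to audit2allow."""
    return [line for line in log_text.splitlines() if needle in line]

if __name__ == "__main__":
    print(len(substring_matches(SAMPLE_LOG)), "lines match 'sh'")
    for rule in allow_rules(SAMPLE_LOG, source_type="fetchmail_t"):
        print(rule)
```

Filtering on the source type keeps the constructed sshd_t denial out of the result, whereas the substring match passes all three records through.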
Comment 3 Miroslav Grepl 2013-09-18 05:46:50 EDT
commit c63cee90cda94bd05e7b4596e782216c7a4df13b
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Wed Sep 18 11:46:13 2013 +0200

    Allow fetchmail to send mails
Comment 4 Fedora Update System 2013-09-26 05:42:21 EDT
selinux-policy-3.12.1-74.8.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.8.fc19
Comment 5 Fedora Update System 2013-09-26 20:47:23 EDT
Package selinux-policy-3.12.1-74.8.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.8.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17739/selinux-policy-3.12.1-74.8.fc19
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2013-09-29 20:34:45 EDT
selinux-policy-3.12.1-74.8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
