Bug 1149164 - SELinux is preventing esmtp from 'read' accesses on the file /.esmtp_queue/4PVJsKZY/mail.
Keywords:
Status: CLOSED DUPLICATE of bug 1303305
Alias: None
Product: Fedora
Classification: Fedora
Component: esmtp
Version: 23
Hardware: i686
OS: Unspecified
Target Milestone: ---
Assignee: Jaroslav Škarvada
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:c7a150d61e75db3a7a3c09a8215...
Duplicates: 1155277 1201895 1226620 1233227 1234035 1234138 1250091 1276455 1301372 1311261
Depends On:
Blocks:
 
Reported: 2014-10-03 11:37 UTC by Mikhail
Modified: 2016-08-11 08:52 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-11 08:52:58 UTC
Type: ---
Embargoed:



Description Mikhail 2014-10-03 11:37:05 UTC
Description of problem:
SELinux is preventing esmtp from 'read' accesses on the file /.esmtp_queue/4PVJsKZY/mail.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/.esmtp_queue/4PVJsKZY/mail default label should be default_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /.esmtp_queue/4PVJsKZY/mail

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that esmtp should be allowed read access on the mail file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep esmtp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:system_mail_t:s0-s0:c0.c1023
Target Context                system_u:object_r:root_t:s0
Target Objects                /.esmtp_queue/4PVJsKZY/mail [ file ]
Source                        esmtp
Source Path                   esmtp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-84.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.16.3-302.fc21.i686+PAE #1 SMP
                              Fri Sep 26 14:40:28 UTC 2014 i686 i686
Alert Count                   1
First Seen                    2014-10-03 17:36:12 YEKT
Last Seen                     2014-10-03 17:36:12 YEKT
Local ID                      fe5d84eb-4f35-4b2d-a59d-29463181d12d

Raw Audit Messages
type=AVC msg=audit(1412336172.390:516): avc:  denied  { read } for  pid=4152 comm="esmtp" path="/.esmtp_queue/4PVJsKZY/mail" dev="sda1" ino=2359301 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=0


Hash: esmtp,system_mail_t,root_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-84.fc21.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.3-302.fc21.i686+PAE
type:           libreport

Potential duplicate: bug 1140493
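
Added example (not part of the original report): a small parser for the raw AVC record above that rebuilds the `Hash:` tuple, so denials that differ only in the random queue directory group together. The second and third log lines are constructed, and joining multiple permissions with commas is an assumption.

```python
import re

# Sample input. Line 1 is the raw AVC record quoted in this report; line 2 is a
# constructed variant using the queue directory name from comment 17; line 3 is
# a constructed non-AVC record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1412336172.390:516): avc:  denied  { read } for  pid=4152 comm="esmtp" path="/.esmtp_queue/4PVJsKZY/mail" dev="sda1" ino=2359301 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=0
type=AVC msg=audit(1421269215.100:733): avc:  denied  { read } for  pid=10430 comm="esmtp" path="/.esmtp_queue/B8BYjRsj/mail" dev="sda1" ino=2359412 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1421269215.100:733): arch=40000003 syscall=5 success=no exit=-13 comm="esmtp"
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a SELinux context: %r" % context)
    return parts[2]


def parse_avc(line):
    """Parse one audit.log line; return a dict for AVC records, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", ""),
        "path": fields.get("path", ""),
        "source_type": selinux_type(fields["scontext"]),
        "target_type": selinux_type(fields["tcontext"]),
        "tclass": fields.get("tclass", ""),
        # Assumption: a record without a permissive= field is treated as enforced.
        "blocked": m.group("result") == "denied"
        and fields.get("permissive", "0") == "0",
    }


def signature(rec):
    """Build the comm,source type,target type,class,permission tuple."""
    return ",".join(
        [rec["comm"], rec["source_type"], rec["target_type"], rec["tclass"]]
        + sorted(rec["perms"])
    )


def group_denials(log_text):
    """Map each denial signature to the sorted list of paths it was seen on."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        groups.setdefault(signature(rec), set()).add(rec["path"])
    return {sig: sorted(paths) for sig, paths in groups.items()}


if __name__ == "__main__":
    for sig, paths in group_denials(SAMPLE_AUDIT_LOG).items():
        print(sig)
        for p in paths:
            print("   ", p)
```
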

Comment 1 Mikhail 2014-10-04 06:53:24 UTC
Description of problem:
I see that the esmtp package was installed by google-chrome, and I think google-chrome tries to use it.

Version-Release number of selected component:
selinux-policy-3.13.1-84.fc21.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.3-302.fc21.x86_64+debug
type:           libreport

Comment 2 Mikhail 2014-11-08 12:18:07 UTC
Description of problem:
Occurs after launching Google Chrome

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.2-300.fc21.i686+PAE
type:           libreport

Comment 3 Richard Z. 2014-11-08 14:17:41 UTC
* is chrome started as root?
* did you somehow cause it to send email?

Comment 4 Mikhail 2014-11-08 14:22:22 UTC
(In reply to Richard Z. from comment #3)
> * is chrome started as root?
No

> * did you somehow cause it to send email?
Chrome or Fedora is doing it by itself. No other application was running, and it repeated on different machines, usually after a Google Chrome update and launch.

Comment 5 Richard Z. 2014-11-08 14:41:52 UTC
This kind of bug usually happens when some system daemon tries to send email with esmtp.

So it is mysterious why it would happen when chrome is launched as a user process.

How did you update chrome?

Comment 6 Mikhail 2014-11-08 14:46:36 UTC
(In reply to Richard Z. from comment #5)
> How did you update chrome?
# dnf update

Comment 7 Richard Z. 2014-11-08 14:49:30 UTC
Can you see if some of the scriptlets are trying to send mail?
  rpm -qp --scripts chrome-package.rpm

Comment 8 Mikhail 2014-11-08 18:33:57 UTC
(In reply to Richard Z. from comment #7)
> Can you see if some of the scriptlets are trying to send mail?
>   rpm -qp --scripts chrome-package.rpm

[mikhail@localhost Downloads]$ rpm -qp --scripts google-chrome-unstable_current_i386.rpm 
warning: google-chrome-unstable_current_i386.rpm: Header V4 DSA/SHA1 Signature, key ID 7fac5991: NOKEY
preinstall scriptlet (using /bin/sh):

exit 0




#------------------------------------------------------------------------------
#   Post install script
#------------------------------------------------------------------------------
postinstall scriptlet (using /bin/sh):

# Add icons to the system icons
XDG_ICON_RESOURCE="`which xdg-icon-resource 2> /dev/null || true`"
if [ ! -x "$XDG_ICON_RESOURCE" ]; then
  echo "Error: Could not find xdg-icon-resource" >&2
  exit 1
fi
for icon in "/opt/google/chrome-unstable/product_logo_"*.png; do
  size="${icon##*/product_logo_}"
  "$XDG_ICON_RESOURCE" install --size "${size%.png}" "$icon" "google-chrome"
done

UPDATE_MENUS="`which update-menus 2> /dev/null || true`"
if [ -x "$UPDATE_MENUS" ]; then
  update-menus
fi

# Update cache of .desktop file MIME types. Non-fatal since it's just a cache.
update-desktop-database > /dev/null 2>&1 || true

# Updates defaults.list file if present.
update_defaults_list() {
  # $1: name of the .desktop file

  local DEFAULTS_FILE="/usr/share/applications/defaults.list"

  if [ ! -f "${DEFAULTS_FILE}" ]; then
    return
  fi

  # Split key-value pair out of MimeType= line from the .desktop file,
  # then split semicolon-separated list of mime types (they should not contain
  # spaces).
  mime_types="$(grep MimeType= /usr/share/applications/${1} |
                cut -d '=' -f 2- |
                tr ';' ' ')"
  for mime_type in ${mime_types}; do
    if egrep -q "^${mime_type}=" "${DEFAULTS_FILE}"; then
      if ! egrep -q "^${mime_type}=.*${1}" "${DEFAULTS_FILE}"; then
        default_apps="$(grep ${mime_type}= "${DEFAULTS_FILE}" |
                        cut -d '=' -f 2-)"
        egrep -v "^${mime_type}=" "${DEFAULTS_FILE}" > "${DEFAULTS_FILE}.new"
        echo "${mime_type}=${default_apps};${1}" >> "${DEFAULTS_FILE}.new"
        mv "${DEFAULTS_FILE}.new" "${DEFAULTS_FILE}"
      fi
    else
      # If there's no mention of the mime type in the file, add it.
      echo "${mime_type}=${1};" >> "${DEFAULTS_FILE}"
    fi
  done
}

update_defaults_list "google-chrome.desktop"

# This function uses sed to insert the contents of one file into another file,
# after the first line matching a given regular expression. If there is no
# matching line, then the file is unchanged.
insert_after_first_match() {
  # $1: file to update
  # $2: regular expression
  # $3: file to insert
  sed -i -e "1,/$2/ {
    /$2/ r $3
    }" "$1"
}

# If /usr/share/gnome-control-center/gnome-default-applications.xml exists, it
# may need to be updated to add ourselves to the default applications list. If
# we find the file and it does not seem to contain our patch already (the patch
# is safe to leave even after uninstall), update it.
GNOME_DFL_APPS=/usr/share/gnome-control-center/gnome-default-applications.xml
if [ -f "$GNOME_DFL_APPS" ]; then
# Conditionally insert the contents of the file "default-app-block" after the
# first "<web-browsers>" line we find in gnome-default-applications.xml
  fgrep -q "Google Chrome (unstable)" "$GNOME_DFL_APPS" || insert_after_first_match \
    "$GNOME_DFL_APPS" \
    "^[ 	]*<web-browsers>[ 	]*$" \
    "/opt/google/chrome-unstable/default-app-block"
fi

# System-wide package configuration.
DEFAULTS_FILE="/etc/default/google-chrome"

# sources.list setting for google-chrome updates.
REPOCONFIG="http://dl.google.com/linux/chrome/rpm/stable"

# Install the repository signing key (see also:
# http://www.google.com/linuxrepositories/aboutkey.html)
install_rpm_key() {
  # Check to see if key already exists.
  rpm -q gpg-pubkey-7fac5991-4615767f > /dev/null 2>&1
  if [ "$?" -eq "0" ]; then
    # Key already exists
    return 0
  fi
  # This is to work around a bug in RPM 4.7.0. (see http://crbug.com/22312)
  rpm -q gpg-pubkey-7fac5991-45f06f46 > /dev/null 2>&1
  if [ "$?" -eq "0" ]; then
    # Key already exists
    return 0
  fi

  # RPM on Mandriva 2009 is dumb and does not understand "rpm --import -"
  TMPKEY=$(mktemp /tmp/google.sig.XXXXXX)
  if [ -n "$TMPKEY" ]; then
    cat > "$TMPKEY" <<KEYDATA
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
-----END PGP PUBLIC KEY BLOCK-----
KEYDATA
    rpm --import "$TMPKEY"
    rc=$?
    rm -f "$TMPKEY"
    if [ "$rc" -eq "0" ]; then
      return 0
    fi
  fi
  return 1
}

determine_rpm_package_manager() {
  local RELEASE
  LSB_RELEASE="$(which lsb_release 2> /dev/null)"
  if [ -x "$LSB_RELEASE" ]; then
    RELEASE=$(lsb_release -i 2> /dev/null | sed 's/:\t/:/' | cut -d ':' -f 2-)
    case $RELEASE in
    "Fedora")
      PACKAGEMANAGER=yum
      ;;
    "Mageia"|"MandrivaLinux")
      PACKAGEMANAGER=urpmi
      ;;
    "SUSE LINUX")
      PACKAGEMANAGER=yast
      ;;
    esac
  fi

  if [ "$PACKAGEMANAGER" ]; then
    return
  fi

  # Fallback methods that are probably unnecessary on modern systems.
  if [ -f "/etc/lsb-release" ]; then
    # file missing on Fedora, does not contain DISTRIB_ID on OpenSUSE.
    eval $(sed -e '/DISTRIB_ID/!d' /etc/lsb-release)
    case $DISTRIB_ID in
    MandrivaLinux)
      PACKAGEMANAGER=urpmi
      ;;
    esac
  fi

  if [ "$PACKAGEMANAGER" ]; then
    return
  fi

  if [ -f "/etc/fedora-release" ] || [ -f "/etc/redhat-release" ]; then
    PACKAGEMANAGER=yum
  elif [ -f "/etc/SuSE-release" ]; then
    PACKAGEMANAGER=yast
  elif [ -f "/etc/mandriva-release" ]; then
    PACKAGEMANAGER=urpmi
  fi
}

DEFAULT_ARCH="i386"
YUM_REPO_FILE="/etc/yum.repos.d/google-chrome.repo"
ZYPPER_REPO_FILE="/etc/zypp/repos.d/google-chrome.repo"
URPMI_REPO_FILE="/etc/urpmi/urpmi.cfg"

install_yum() {
  install_rpm_key

  if [ ! "$REPOCONFIG" ]; then
    return 0
  fi

  if [ -d "/etc/yum.repos.d" ]; then
cat > "$YUM_REPO_FILE" << REPOCONTENT
[google-chrome]
name=google-chrome
baseurl=$REPOCONFIG/$DEFAULT_ARCH
enabled=1
gpgcheck=1
REPOCONTENT
  fi
}

# This is called by the cron job, rather than in the RPM postinstall.
# We cannot do this during the install when urpmi is running due to
# database locking. We also need to enable the repository, and we can
# only do that while we are online.
# see: https://qa.mandriva.com/show_bug.cgi?id=31893
configure_urpmi() {
  if [ ! "$REPOCONFIG" ]; then
    return 0
  fi

  urpmq --list-media | grep -q -s "^google-chrome$"
  if [ "$?" -eq "0" ]; then
    # Repository already configured
    return 0
  fi
  urpmi.addmedia --update \
    "google-chrome" "$REPOCONFIG/$DEFAULT_ARCH"
}

install_urpmi() {
  # urpmi not smart enough to pull media_info/pubkey from the repository?
  install_rpm_key

  # Defer urpmi.addmedia to configure_urpmi() in the cron job.
  # See comment there.
  #
  # urpmi.addmedia --update \
  #   "google-chrome" "$REPOCONFIG/$DEFAULT_ARCH"
}

install_yast() {
  if [ ! "$REPOCONFIG" ]; then
    return 0
  fi

  # We defer adding the key to later. See comment in the cron job.

  # Ideally, we would run: zypper addrepo -t YUM -f \
  # "$REPOCONFIG/$DEFAULT_ARCH" "google-chrome"
  # but that does not work when zypper is running.
  if [ -d "/etc/zypp/repos.d" ]; then
cat > "$ZYPPER_REPO_FILE" << REPOCONTENT
[google-chrome]
name=google-chrome
enabled=1
autorefresh=1
baseurl=$REPOCONFIG/$DEFAULT_ARCH
type=rpm-md
keeppackages=0
REPOCONTENT
  fi
}

# Check if the automatic repository configuration is done, so we know when to
# stop trying.
verify_install() {
  # It's probably enough to see that the repo configs have been created. If they
  # aren't configured properly, update_bad_repo should catch that when it's run.
  case $1 in
  "yum")
    [ -f "$YUM_REPO_FILE" ]
    ;;
  "yast")
    [ -f "$ZYPPER_REPO_FILE" ]
    ;;
  "urpmi")
    urpmq --list-url | grep -q -s "\bgoogle-chrome\b"
    ;;
  esac
}

# Update the Google repository if it's not set correctly.
update_bad_repo() {
  if [ ! "$REPOCONFIG" ]; then
    return 0
  fi

  determine_rpm_package_manager

  case $PACKAGEMANAGER in
  "yum")
    update_repo_file "$YUM_REPO_FILE"
    ;;
  "yast")
    update_repo_file "$ZYPPER_REPO_FILE"
    ;;
  "urpmi")
    update_urpmi_cfg
    ;;
  esac
}

update_repo_file() {
  REPO_FILE="$1"

  # Don't do anything if the file isn't there, since that probably means the
  # user disabled it.
  if [ ! -r "$REPO_FILE" ]; then
    return 0
  fi

  # Check if the correct repository configuration is in there.
  REPOMATCH=$(grep "^baseurl=$REPOCONFIG/$DEFAULT_ARCH" "$REPO_FILE" \
    2>/dev/null)
  # If it's there, nothing to do
  if [ "$REPOMATCH" ]; then
    return 0
  fi

  # Check if it's there but disabled by commenting out (as opposed to using the
  # 'enabled' setting).
  MATCH_DISABLED=$(grep "^[[:space:]]*#.*baseurl=$REPOCONFIG/$DEFAULT_ARCH" \
    "$REPO_FILE" 2>/dev/null)
  if [ "$MATCH_DISABLED" ]; then
    # It's OK for it to be disabled, as long as nothing bogus is enabled in its
    # place.
    ACTIVECONFIGS=$(grep "^baseurl=.*" "$REPO_FILE" 2>/dev/null)
    if [ ! "$ACTIVECONFIGS" ]; then
      return 0
    fi
  fi

  # If we get here, the correct repository wasn't found, or something else is
  # active, so fix it. This assumes there is a 'baseurl' setting, but if not,
  # then that's just another way of disabling, so we won't try to add it.
  sed -i -e "s,^baseurl=.*,baseurl=$REPOCONFIG/$DEFAULT_ARCH," "$REPO_FILE"
}

update_urpmi_cfg() {
  REPOCFG=$(urpmq --list-url | grep "\bgoogle-chrome\b")
  if [ ! "$REPOCFG" ]; then
    # Don't do anything if the repo isn't there, since that probably means the
    # user deleted it.
    return 0
  fi

  # See if it's the right repo URL
  REPOMATCH=$(echo "$REPOCFG" | grep "\b$REPOCONFIG/$DEFAULT_ARCH\b")
  # If so, nothing to do
  if [ "$REPOMATCH" ]; then
    return 0
  fi

  # Looks like it's the wrong URL, so recreate it.
  urpmi.removemedia "google-chrome" && \
    urpmi.addmedia --update "google-chrome" "$REPOCONFIG/$DEFAULT_ARCH"
}

# We only remove the repository configuration during a purge. Since RPM has
# no equivalent to dpkg --purge, the code below is actually never used. We
# keep it only for reference purposes, should we ever need it.
#
#remove_yum() {
#  rm -f "$YUM_REPO_FILE"
#}
#
#remove_urpmi() {
#  # Ideally, we would run: urpmi.removemedia "google-chrome"
#  # but that does not work when urpmi is running.
#  # Sentinel comment text does not work either because urpmi.update removes
#  # all comments. So we just delete the entry that matches what we originally
#  # inserted. If such an entry was added manually, that's tough luck.
#  if [ -f "$URPMI_REPO_FILE" ]; then
#    sed -i '\_^google-chrome $REPOCONFIG/$DEFAULT_ARCH {$_,/^}$/d' "$URPMI_REPO_FILE"
#  fi
#}
#
#remove_yast() {
#  # Ideally, we would run: zypper removerepo "google-chrome"
#  # but that does not work when zypper is running.
#  rm -f /etc/zypp/repos.d/google-chrome.repo
#}

DEFAULT_ARCH="i386"

get_lib_dir() {
  if [ "$DEFAULT_ARCH" = "i386" ]; then
    LIBDIR=lib
  elif [ "$DEFAULT_ARCH" = "x86_64" ]; then
    LIBDIR=lib64
  else
    echo Unknown CPU Architecture: "$DEFAULT_ARCH"
    exit 1
  fi
}

NSS_FILES="libnspr4.so.0d libplds4.so.0d libplc4.so.0d libssl3.so.1d \
    libnss3.so.1d libsmime3.so.1d libnssutil3.so.1d"

add_nss_symlinks() {
  get_lib_dir
  for f in $NSS_FILES
  do
    target=$(echo $f | sed 's/\.[01]d$//')
    if [ -f "/$LIBDIR/$target" ]; then
      ln -snf "/$LIBDIR/$target" "/opt/google/chrome-unstable/$f"
    elif [ -f "/usr/$LIBDIR/$target" ]; then
      ln -snf "/usr/$LIBDIR/$target" "/opt/google/chrome-unstable/$f"
    else
      echo $f not found in "/$LIBDIR/$target" or "/usr/$LIBDIR/$target".
      exit 1
    fi
  done
}

remove_nss_symlinks() {
  for f in $NSS_FILES
  do
    rm -rf "/opt/google/chrome-unstable/$f"
  done
}

# Fedora 18 now has libudev.so.1. http://crbug.com/145160
# Same for Ubuntu 13.04. http://crbug.com/226002
LIBUDEV_0=libudev.so.0
LIBUDEV_1=libudev.so.1

add_udev_symlinks() {
  get_lib_dir
  if [ -f "/$LIBDIR/$LIBUDEV_0" -o -f "/usr/$LIBDIR/$LIBUDEV_0" -o -f "/lib/$LIBUDEV_0" ]; then
    return 0
  fi

  if [ -f "/$LIBDIR/$LIBUDEV_1" ]; then
    ln -snf "/$LIBDIR/$LIBUDEV_1" "/opt/google/chrome-unstable/$LIBUDEV_0"
  elif [ -f "/usr/$LIBDIR/$LIBUDEV_1" ];
  then
    ln -snf "/usr/$LIBDIR/$LIBUDEV_1" "/opt/google/chrome-unstable/$LIBUDEV_0"
  else
    echo "$LIBUDEV_1" not found in "$LIBDIR" or "/usr/$LIBDIR".
    exit 1
  fi
}

remove_udev_symlinks() {
  rm -rf "/opt/google/chrome-unstable/$LIBUDEV_0"
}

remove_nss_symlinks
add_nss_symlinks

remove_udev_symlinks
add_udev_symlinks

DEFAULTS_FILE="/etc/default/google-chrome"
if [ ! -e "$DEFAULTS_FILE" ]; then
  echo 'repo_add_once="true"' > "$DEFAULTS_FILE"
fi

. "$DEFAULTS_FILE"

if [ "$repo_add_once" = "true" ]; then
  determine_rpm_package_manager

  case $PACKAGEMANAGER in
  "yum")
    install_yum
    ;;
  "urpmi")
    install_urpmi
    ;;
  "yast")
    install_yast
    ;;
  esac
fi

# Some package managers have locks that prevent everything from being
# configured at install time, so wait a bit then kick the cron job to do
# whatever is left. Probably the db will be unlocked by then, but if not, the
# cron job will keep retrying.
# Do this with 'at' instead of a backgrounded shell because zypper waits on all
# sub-shells to finish before it finishes, which is exactly the opposite of
# what we want here. Also preemptively start atd because for some reason it's
# not always running, which kind of defeats the purpose of having 'at' as a
# required LSB command.
service atd start
echo "sh /etc/cron.daily/google-chrome" | at now + 2 minute > /dev/null 2>&1

CHANNEL=unstable
case $CHANNEL in
  stable )
    PRIORITY=200
    ;;
  beta )
    PRIORITY=150
    ;;
  unstable )
    PRIORITY=120
    ;;
  * )
    PRIORITY=0
    ;;
esac

/usr/sbin/update-alternatives --install /usr/bin/google-chrome google-chrome \
  /usr/bin/google-chrome-unstable $PRIORITY

exit 0


#------------------------------------------------------------------------------
#   Pre uninstallation script
#------------------------------------------------------------------------------
preuninstall scriptlet (using /bin/sh):

if [ "$1" -eq "0" ]; then
  mode="uninstall"
elif [ "$1" -eq "1" ]; then
  mode="upgrade"
fi

# System-wide package configuration.
DEFAULTS_FILE="/etc/default/google-chrome"

# sources.list setting for google-chrome updates.
REPOCONFIG="http://dl.google.com/linux/chrome/rpm/stable"

# Install the repository signing key (see also:
# http://www.google.com/linuxrepositories/aboutkey.html)
install_rpm_key() {
  # Check to see if key already exists.
  rpm -q gpg-pubkey-7fac5991-4615767f > /dev/null 2>&1
  if [ "$?" -eq "0" ]; then
    # Key already exists
    return 0
  fi
  # This is to work around a bug in RPM 4.7.0. (see http://crbug.com/22312)
  rpm -q gpg-pubkey-7fac5991-45f06f46 > /dev/null 2>&1
  if [ "$?" -eq "0" ]; then
    # Key already exists
    return 0
  fi

  # RPM on Mandriva 2009 is dumb and does not understand "rpm --import -"
  TMPKEY=$(mktemp /tmp/google.sig.XXXXXX)
  if [ -n "$TMPKEY" ]; then
    cat > "$TMPKEY" <<KEYDATA
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
-----END PGP PUBLIC KEY BLOCK-----
KEYDATA
    rpm --import "$TMPKEY"
    rc=$?
    rm -f "$TMPKEY"
    if [ "$rc" -eq "0" ]; then
      return 0
    fi
  fi
  return 1
}

determine_rpm_package_manager() {
  local RELEASE
  LSB_RELEASE="$(which lsb_release 2> /dev/null)"
  if [ -x "$LSB_RELEASE" ]; then
    RELEASE=$(lsb_release -i 2> /dev/null | sed 's/:\t/:/' | cut -d ':' -f 2-)
    case $RELEASE in
    "Fedora")
      PACKAGEMANAGER=yum
      ;;
    "Mageia"|"MandrivaLinux")
      PACKAGEMANAGER=urpmi
      ;;
    "SUSE LINUX")
      PACKAGEMANAGER=yast
      ;;
    esac
  fi

  if [ "$PACKAGEMANAGER" ]; then
    return
  fi

  # Fallback methods that are probably unnecessary on modern systems.
  if [ -f "/etc/lsb-release" ]; then
    # file missing on Fedora, does not contain DISTRIB_ID on OpenSUSE.
    eval $(sed -e '/DISTRIB_ID/!d' /etc/lsb-release)
    case $DISTRIB_ID in
    MandrivaLinux)
      PACKAGEMANAGER=urpmi
      ;;
    esac
  fi

  if [ "$PACKAGEMANAGER" ]; then
    return
  fi

  if [ -f "/etc/fedora-release" ] || [ -f "/etc/redhat-release" ]; then
    PACKAGEMANAGER=yum
  elif [ -f "/etc/SuSE-release" ]; then
    PACKAGEMANAGER=yast
  elif [ -f "/etc/mandriva-release" ]; then
    PACKAGEMANAGER=urpmi
  fi
}

DEFAULT_ARCH="i386"
YUM_REPO_FILE="/etc/yum.repos.d/google-chrome.repo"
ZYPPER_REPO_FILE="/etc/zypp/repos.d/google-chrome.repo"
URPMI_REPO_FILE="/etc/urpmi/urpmi.cfg"

install_yum() {
  install_rpm_key

  if [ ! "$REPOCONFIG" ]; then
    return 0
  fi

  if [ -d "/etc/yum.repos.d" ]; then
cat > "$YUM_REPO_FILE" << REPOCONTENT
[google-chrome]
name=google-chrome
baseurl=$REPOCONFIG/$DEFAULT_ARCH
enabled=1
gpgcheck=1
REPOCONTENT
  fi
}

# This is called by the cron job, rather than in the RPM postinstall.
# We cannot do this during the install when urpmi is running due to
# database locking. We also need to enable the repository, and we can
# only do that while we are online.
# see: https://qa.mandriva.com/show_bug.cgi?id=31893
configure_urpmi() {
  if [ ! "$REPOCONFIG" ]; then
    return 0
  fi

  urpmq --list-media | grep -q -s "^google-chrome$"
  if [ "$?" -eq "0" ]; then
    # Repository already configured
    return 0
  fi
  urpmi.addmedia --update \
    "google-chrome" "$REPOCONFIG/$DEFAULT_ARCH"
}

install_urpmi() {
  # urpmi not smart enough to pull media_info/pubkey from the repository?
  install_rpm_key

  # Defer urpmi.addmedia to configure_urpmi() in the cron job.
  # See comment there.
  #
  # urpmi.addmedia --update \
  #   "google-chrome" "$REPOCONFIG/$DEFAULT_ARCH"
}

install_yast() {
  if [ ! "$REPOCONFIG" ]; then
    return 0
  fi

  # We defer adding the key to later. See comment in the cron job.

  # Ideally, we would run: zypper addrepo -t YUM -f \
  # "$REPOCONFIG/$DEFAULT_ARCH" "google-chrome"
  # but that does not work when zypper is running.
  if [ -d "/etc/zypp/repos.d" ]; then
cat > "$ZYPPER_REPO_FILE" << REPOCONTENT
[google-chrome]
name=google-chrome
enabled=1
autorefresh=1
baseurl=$REPOCONFIG/$DEFAULT_ARCH
type=rpm-md
keeppackages=0
REPOCONTENT
  fi
}

# Check if the automatic repository configuration is done, so we know when to
# stop trying.
verify_install() {
  # It's probably enough to see that the repo configs have been created. If they
  # aren't configured properly, update_bad_repo should catch that when it's run.
  case $1 in
  "yum")
    [ -f "$YUM_REPO_FILE" ]
    ;;
  "yast")
    [ -f "$ZYPPER_REPO_FILE" ]
    ;;
  "urpmi")
    urpmq --list-url | grep -q -s "\bgoogle-chrome\b"
    ;;
  esac
}

# Update the Google repository if it's not set correctly.
update_bad_repo() {
  if [ ! "$REPOCONFIG" ]; then
    return 0
  fi

  determine_rpm_package_manager

  case $PACKAGEMANAGER in
  "yum")
    update_repo_file "$YUM_REPO_FILE"
    ;;
  "yast")
    update_repo_file "$ZYPPER_REPO_FILE"
    ;;
  "urpmi")
    update_urpmi_cfg
    ;;
  esac
}

update_repo_file() {
  REPO_FILE="$1"

  # Don't do anything if the file isn't there, since that probably means the
  # user disabled it.
  if [ ! -r "$REPO_FILE" ]; then
    return 0
  fi

  # Check if the correct repository configuration is in there.
  REPOMATCH=$(grep "^baseurl=$REPOCONFIG/$DEFAULT_ARCH" "$REPO_FILE" \
    2>/dev/null)
  # If it's there, nothing to do
  if [ "$REPOMATCH" ]; then
    return 0
  fi

  # Check if it's there but disabled by commenting out (as opposed to using the
  # 'enabled' setting).
  MATCH_DISABLED=$(grep "^[[:space:]]*#.*baseurl=$REPOCONFIG/$DEFAULT_ARCH" \
    "$REPO_FILE" 2>/dev/null)
  if [ "$MATCH_DISABLED" ]; then
    # It's OK for it to be disabled, as long as nothing bogus is enabled in its
    # place.
    ACTIVECONFIGS=$(grep "^baseurl=.*" "$REPO_FILE" 2>/dev/null)
    if [ ! "$ACTIVECONFIGS" ]; then
      return 0
    fi
  fi

  # If we get here, the correct repository wasn't found, or something else is
  # active, so fix it. This assumes there is a 'baseurl' setting, but if not,
  # then that's just another way of disabling, so we won't try to add it.
  sed -i -e "s,^baseurl=.*,baseurl=$REPOCONFIG/$DEFAULT_ARCH," "$REPO_FILE"
}

update_urpmi_cfg() {
  REPOCFG=$(urpmq --list-url | grep "\bgoogle-chrome\b")
  if [ ! "$REPOCFG" ]; then
    # Don't do anything if the repo isn't there, since that probably means the
    # user deleted it.
    return 0
  fi

  # See if it's the right repo URL
  REPOMATCH=$(echo "$REPOCFG" | grep "\b$REPOCONFIG/$DEFAULT_ARCH\b")
  # If so, nothing to do
  if [ "$REPOMATCH" ]; then
    return 0
  fi

  # Looks like it's the wrong URL, so recreate it.
  urpmi.removemedia "google-chrome" && \
    urpmi.addmedia --update "google-chrome" "$REPOCONFIG/$DEFAULT_ARCH"
}

# We only remove the repository configuration during a purge. Since RPM has
# no equivalent to dpkg --purge, the code below is actually never used. We
# keep it only for reference purposes, should we ever need it.
#
#remove_yum() {
#  rm -f "$YUM_REPO_FILE"
#}
#
#remove_urpmi() {
#  # Ideally, we would run: urpmi.removemedia "google-chrome"
#  # but that does not work when urpmi is running.
#  # Sentinel comment text does not work either because urpmi.update removes
#  # all comments. So we just delete the entry that matches what we originally
#  # inserted. If such an entry was added manually, that's tough luck.
#  if [ -f "$URPMI_REPO_FILE" ]; then
#    sed -i '\_^google-chrome $REPOCONFIG/$DEFAULT_ARCH {$_,/^}$/d' "$URPMI_REPO_FILE"
#  fi
#}
#
#remove_yast() {
#  # Ideally, we would run: zypper removerepo "google-chrome"
#  # but that does not work when zypper is running.
#  rm -f /etc/zypp/repos.d/google-chrome.repo
#}

DEFAULT_ARCH="i386"

get_lib_dir() {
  if [ "$DEFAULT_ARCH" = "i386" ]; then
    LIBDIR=lib
  elif [ "$DEFAULT_ARCH" = "x86_64" ]; then
    LIBDIR=lib64
  else
    echo Unknown CPU Architecture: "$DEFAULT_ARCH"
    exit 1
  fi
}

NSS_FILES="libnspr4.so.0d libplds4.so.0d libplc4.so.0d libssl3.so.1d \
    libnss3.so.1d libsmime3.so.1d libnssutil3.so.1d"

add_nss_symlinks() {
  get_lib_dir
  for f in $NSS_FILES
  do
    target=$(echo $f | sed 's/\.[01]d$//')
    if [ -f "/$LIBDIR/$target" ]; then
      ln -snf "/$LIBDIR/$target" "/opt/google/chrome-unstable/$f"
    elif [ -f "/usr/$LIBDIR/$target" ]; then
      ln -snf "/usr/$LIBDIR/$target" "/opt/google/chrome-unstable/$f"
    else
      echo $f not found in "/$LIBDIR/$target" or "/usr/$LIBDIR/$target".
      exit 1
    fi
  done
}

remove_nss_symlinks() {
  for f in $NSS_FILES
  do
    rm -rf "/opt/google/chrome-unstable/$f"
  done
}

# Fedora 18 now has libudev.so.1. http://crbug.com/145160
# Same for Ubuntu 13.04. http://crbug.com/226002
LIBUDEV_0=libudev.so.0
LIBUDEV_1=libudev.so.1

add_udev_symlinks() {
  get_lib_dir
  if [ -f "/$LIBDIR/$LIBUDEV_0" -o -f "/usr/$LIBDIR/$LIBUDEV_0" -o -f "/lib/$LIBUDEV_0" ]; then
    return 0
  fi

  if [ -f "/$LIBDIR/$LIBUDEV_1" ]; then
    ln -snf "/$LIBDIR/$LIBUDEV_1" "/opt/google/chrome-unstable/$LIBUDEV_0"
  elif [ -f "/usr/$LIBDIR/$LIBUDEV_1" ];
  then
    ln -snf "/usr/$LIBDIR/$LIBUDEV_1" "/opt/google/chrome-unstable/$LIBUDEV_0"
  else
    echo "$LIBUDEV_1" not found in "$LIBDIR" or "/usr/$LIBDIR".
    exit 1
  fi
}

remove_udev_symlinks() {
  rm -rf "/opt/google/chrome-unstable/$LIBUDEV_0"
}

# Only remove menu items and symlinks on uninstall. When upgrading,
# old_pkg's %preun runs after new_pkg's %post.
if [ "$mode" = "uninstall" ]; then
# Remove icons from the system icons
XDG_ICON_RESOURCE="`which xdg-icon-resource 2> /dev/null || true`"
if [ ! -x "$XDG_ICON_RESOURCE" ]; then
  echo "Error: Could not find xdg-icon-resource" >&2
  exit 1
fi
for icon in "/opt/google/chrome-unstable/product_logo_"*.png; do
  size="${icon##*/product_logo_}"
  "$XDG_ICON_RESOURCE" uninstall --size "${size%.png}" "google-chrome"
done

UPDATE_MENUS="`which update-menus 2> /dev/null || true`"
if [ -x "$UPDATE_MENUS" ]; then
  update-menus
fi

# Update cache of .desktop file MIME types. Non-fatal since it's just a cache.
update-desktop-database > /dev/null 2>&1 || true
  remove_nss_symlinks
  remove_udev_symlinks

  /usr/sbin/update-alternatives --remove google-chrome \
    /usr/bin/google-chrome-unstable
fi

# On Debian we only remove when we purge. However, RPM has no equivalent to
# dpkg --purge, so this is all disabled.
#
#determine_rpm_package_manager
#
#case $PACKAGEMANAGER in
#"yum")
#  remove_yum
#  ;;
#"urpmi")
#  remove_urpmi
#  ;;
#"yast")
#  remove_yast
#  ;;
#esac

exit 0

#------------------------------------------------------------------------------
#   Post uninstallation script
#------------------------------------------------------------------------------
postuninstall scriptlet (using /bin/sh):

exit 0

Comment 9 Mikhail 2014-11-08 18:36:28 UTC
As you can see, the install script does not execute esmtp.
It does not occur during the install process; it occurs when the browser runs for the first time after an install or update.

Comment 10 Richard Z. 2014-11-08 19:04:35 UTC
I suspect this line is causing the email to be sent:

   echo "sh /etc/cron.daily/google-chrome" | at now + 2 minute > /dev/null 2>&1

So this bug appears to be a duplicate of the other two bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1140493 
  and 
https://bugzilla.redhat.com/show_bug.cgi?id=1046468
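
Added example (not part of the original thread): one way to automate the check from comments 7 to 10, splitting `rpm -qp --scripts` output into scriptlets and flagging lines that hand work to `at`/`batch`/`crontab` or call a mailer directly. The sample is abridged from comment 8 with one constructed comment line, and the watch lists are assumptions, not an exhaustive catalogue.

```python
import re

# Abridged from the `rpm -qp --scripts` output in comment 8. The commented-out
# "mail root" line is constructed, to show that shell comments are ignored.
SAMPLE_SCRIPTS = '''\
preinstall scriptlet (using /bin/sh):

exit 0
postinstall scriptlet (using /bin/sh):
update-desktop-database > /dev/null 2>&1 || true
# echo done | mail root
service atd start
echo "sh /etc/cron.daily/google-chrome" | at now + 2 minute > /dev/null 2>&1
exit 0
preuninstall scriptlet (using /bin/sh):
update-desktop-database > /dev/null 2>&1 || true
exit 0
postuninstall scriptlet (using /bin/sh):

exit 0
'''

HEADER_RE = re.compile(r"^(\w+) scriptlet \(using [^)]+\):$")
QUOTED_RE = re.compile(r'"[^"]*"|\'[^\']*\'')
SEPARATOR_RE = re.compile(r"\|\||&&|[|;]")

# Assumed watch lists (hypothetical names chosen for this example).
DEFERRED = {"at", "batch", "crontab"}             # work that runs after the transaction
MAILERS = {"sendmail", "mail", "mailx", "esmtp"}  # commands that send mail directly


def commands_in(line):
    """Yield the command word of each pipeline/list segment of one shell line."""
    bare = QUOTED_RE.sub('""', line)  # hide quoted text so a `|` inside it is ignored
    for segment in SEPARATOR_RE.split(bare):
        words = segment.split()
        if words:
            yield words[0].rsplit("/", 1)[-1]  # /usr/bin/at -> at


def scan_scriptlets(text):
    """Return (scriptlet, kind, command, line) for every flagged line."""
    findings = []
    scriptlet = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            scriptlet = header.group(1)
            continue
        stripped = line.strip()
        if scriptlet is None or not stripped or stripped.startswith("#"):
            continue
        for cmd in commands_in(stripped):
            if cmd in DEFERRED:
                findings.append((scriptlet, "deferred", cmd, stripped))
            elif cmd in MAILERS:
                findings.append((scriptlet, "mailer", cmd, stripped))
    return findings


if __name__ == "__main__":
    for scriptlet, kind, cmd, line in scan_scriptlets(SAMPLE_SCRIPTS):
        print("%s: %s via %s: %s" % (scriptlet, kind, cmd, line))
```

The `> /dev/null 2>&1` on the flagged line silences `at` itself, not the job it queues; per at(1), a job's output is mailed to the user through `/usr/sbin/sendmail`.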

Comment 11 Miroslav Grepl 2014-11-10 09:06:07 UTC
*** Bug 1155277 has been marked as a duplicate of this bug. ***

Comment 12 Mikhail 2014-11-15 17:28:02 UTC
Description of problem:
Occurs after google chrome install/update

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.2-300.fc21.i686
type:           libreport

Comment 13 Mikhail 2014-12-02 19:34:18 UTC
Description of problem:
Occurs after each Google Chrome update

Version-Release number of selected component:
selinux-policy-3.13.1-92.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-301.fc21.x86_64+debug
type:           libreport

Comment 14 Cyber Trekker 2014-12-15 05:17:10 UTC
Description of problem:
Was alerted by an SELinux Troubleshooter alert.

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.6-300.fc21.x86_64
type:           libreport

Comment 15 Mikhail 2014-12-20 11:56:12 UTC
Description of problem:
Caused by the Google Chrome installer

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.4-302.fc21.i686+PAE
type:           libreport

Comment 16 joaomiguel.ferreira 2014-12-30 12:07:08 UTC
Description of problem:
It happens without notice, whether I'm surfing the web, searching stuff, or editing files. And the email client is normally not running when it happens.

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.7-300.fc21.x86_64
type:           libreport

Comment 17 Paul Finnigan 2015-01-14 21:53:35 UTC
Description of problem:
This has been happening since installing Fedora 21 on my laptop. The directory XW3uQaWr does change on a regular basis, of course. It looks like it may occur each time I boot:

Jan 14 21:00:02 acer systemd[10336]: Startup finished in 37ms.
-- Subject: System start-up is now complete
-- Defined-By: systemd
{cut}...
Jan 14 21:00:02 acer CROND[10341]: (root) CMD (/usr/share/clamav/freshclam-sleep)
Jan 14 21:00:12 acer dbus[891]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Jan 14 21:00:13 acer dbus[891]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Jan 14 21:00:15 acer setroubleshoot[10435]: SELinux is preventing esmtp from read access on the file /.esmtp_queue/B8BYjRsj/mail. 

Each message received previously is then listed before I start up.

Version-Release number of selected component:
selinux-policy-3.13.1-103.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.8-300.fc21.x86_64
type:           libreport

Comment 18 Glenn Johnson 2015-04-26 08:57:39 UTC
Description of problem:
There is no "explanation". Filling this in because it is required.

Got a notification while "using" my desktop. Browsing the web, terminal open, VirtualBox running and a CentOS 6 virtual machine running.

Version-Release number of selected component:
selinux-policy-3.13.1-105.13.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.19.4-200.fc21.x86_64
type:           libreport

Comment 19 Dan Mossor [danofsatx] 2015-09-17 19:28:16 UTC
*** Bug 1233227 has been marked as a duplicate of this bug. ***

Comment 20 Dan Mossor [danofsatx] 2015-09-17 19:30:04 UTC
*** Bug 1234035 has been marked as a duplicate of this bug. ***

Comment 21 Dan Mossor [danofsatx] 2015-09-17 19:31:34 UTC
*** Bug 1226620 has been marked as a duplicate of this bug. ***

Comment 22 Dan Mossor [danofsatx] 2015-09-17 19:33:28 UTC
*** Bug 1250091 has been marked as a duplicate of this bug. ***

Comment 23 Dan Mossor [danofsatx] 2015-09-17 19:35:24 UTC
*** Bug 1234138 has been marked as a duplicate of this bug. ***

Comment 24 Dan Mossor [danofsatx] 2015-09-17 19:36:10 UTC
*** Bug 1201895 has been marked as a duplicate of this bug. ***

Comment 25 Dan Mossor [danofsatx] 2015-09-17 19:45:36 UTC
The problem here is that the two locations where the mail_home_rw_t context is applied in selinux are /root/.esmtp_queue and HOME_DIR/.esmtp_queue - however, those locations do not exist. esmtp appears to be putting everything in /.esmtp_queue with no regard to the user or process creating it. The context of ./esmtp_queue is root_t, which denies just about everything but the root user to write to it.

One of two things needs to happen - esmtp needs to be fixed to use user directories, or the selinux policy needs to be re-written to handle the "new" location of the esmtp queue.

There are multiple reports of this on F21, F22 and F23. They are all being dup'd to this bug.
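
Added example, not part of the original thread: a shell triage helper for the label mismatch described in comment 25. It reads raw AVC records and lists every denied esmtp access whose target type is not mail_home_rw_t; the sample records are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample AVC records (not copied from the bug report). The context
# strings mirror the ones quoted in the report; pids, inodes and the queue
# directory name EXAMPLE1 are made up.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1412336225.101:501): avc:  denied  { read } for  pid=4101 comm="esmtp" name="mail" dev="sda2" ino=1311 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=0
type=AVC msg=audit(1412336225.102:502): avc:  denied  { getattr } for  pid=4101 comm="esmtp" path="/.esmtp_queue/EXAMPLE1/mail" dev="sda2" ino=1311 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=0
type=AVC msg=audit(1412336301.007:530): avc:  denied  { write } for  pid=4188 comm="httpd" name="cache" dev="sda2" ino=2200 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1412336399.300:544): avc:  granted  { read } for  pid=4250 comm="esmtp" name="mail" dev="sda2" ino=1400 scontext=unconfined_u:unconfined_r:user_mail_t:s0 tcontext=unconfined_u:object_r:mail_home_rw_t:s0 tclass=file
EOF
}

# Read AVC records on stdin and print "perms tclass target_type object" for
# each denied esmtp access whose target type differs from the expected one
# (first argument, default mail_home_rw_t).
esmtp_mislabel_report() {
    awk -v want="${1:-mail_home_rw_t}" '
    /type=AVC/ && / denied / && /comm="esmtp"/ {
        perm = ""; ttype = ""; tclass = ""; obj = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # Permissions are the fields between "{" and "}".
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : ",") $j
            } else if ($i ~ /^tcontext=/) {
                split($i, c, ":"); ttype = c[3]   # user:role:type:level
            } else if ($i ~ /^tclass=/) {
                tclass = substr($i, 8)
            } else if ($i ~ /^(path|name)=/) {
                obj = $i; sub(/^[a-z]+=/, "", obj); gsub(/"/, "", obj)
            }
        }
        if (ttype != want) print perm, tclass, ttype, obj
    }'
}

# Stand-alone run over the constructed sample.
sample_avc | esmtp_mislabel_report
```

On a live system the same function can be fed with `ausearch -m AVC -c esmtp --raw`; an empty report after relabeling means no esmtp denial is still hitting a non-mail_home_rw_t target.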

Comment 26 Richard Z. 2015-09-17 20:51:54 UTC
 (In reply to Dan Mossor from comment #25)
> The problem here is that the two locations where the mail_home_rw_t context
> is applied in selinux are /root/.esmtp_queue and HOME_DIR/.esmtp_queue -
> however, those locations do not exist. esmtp appears to be putting
> everything in /.esmtp_queue with no regard to the user or process creating
> it. The context of ./esmtp_queue is root_t, which denies just about
> everything but the root user to write to it.
> 
> One of two things needs to happen - esmtp needs to be fixed to use user
> directories, or the selinux policy needs to be re-written to handle the
> "new" location of the esmtp queue.

esmtp does use user directories - however here it is called in a context where either $HOME is not set or for a daemon user where a home dir does not exist.

Allowing the use of /.esmtp_queue isn't an option in my opinion either. Mails from multiple daemon users would land in this queue and could remain undelivered there forever under certain circumstances.

Esmtp was not designed to be a full drop-in replacement for sendmail/postfix.
It does local delivery, and this part could be easily fixed to avoid the use of the queues, avoiding the trouble. It doesn't do sendmail aliases expansion, wondering if anyone missed it.

For remote delivery to SMTP servers it requires the said queues, and additional cron-jobs for retries (or manual intervention). This works very well for real users but never worked for daemons and cron jobs. Fixing SMTP delivery to work well enough for daemon users and cron jobs is probably not worth the effort.

So the only option I see is to fix esmtp local delivery and accept that it can do only local delivery for daemon/cron jobs.

Comment 27 James Gallaher 2015-10-05 22:53:49 UTC
Description of problem:
I've been getting a SELinux Alert Browser notice. The only thing I know is it says the source process is esmtp and attempted read access on the following file: /.estmp_queue/ZUj5vEiF/mail.

Version-Release number of selected component:
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.8-200.fc22.x86_64
type:           libreport

Comment 28 James Gallaher 2015-10-05 22:57:07 UTC
Description of problem:
I get a SELinux Alert browser notice that says esmtp attempted read access on .esmtp_queue/4SCCnCiV/mail

Version-Release number of selected component:
selinux-policy-3.13.1-128.16.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.8-200.fc22.x86_64
type:           libreport

Comment 29 Fedora End Of Life 2015-11-04 10:19:56 UTC
This message is a reminder that Fedora 21 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 21. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '21'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 21 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 30 darthnecronomicon.cs 2015-11-06 03:10:59 UTC
Description of problem:
Do not know how problem occurred. Using Chrome as normal. At seemingly random times get 6 SELinux errors with esmtp attempting to use getattr and being denied.

Version-Release number of selected component:
selinux-policy-3.13.1-128.18.fc22.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.3-200.fc22.x86_64
type:           libreport

Comment 31 Miroslav Grepl 2016-01-22 08:38:43 UTC
*** Bug 1276455 has been marked as a duplicate of this bug. ***

Comment 32 Miroslav Grepl 2016-01-22 08:45:05 UTC
To fix this issue for now, please execute

# semanage fcontext -a -t mail_home_rw_t "/.esmtp_queue(/.*)?"
# restorecon -R -v /.esmtp_queue

which will add labeling for /.esmtp_queue directory.

Comment 33 Miroslav Grepl 2016-01-25 07:55:52 UTC
*** Bug 1301372 has been marked as a duplicate of this bug. ***

Comment 34 Fedora Admin XMLRPC Client 2016-02-12 18:21:13 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 35 Fedora Admin XMLRPC Client 2016-02-14 23:18:30 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 36 Lukas Vrabec 2016-02-25 14:51:43 UTC
*** Bug 1311261 has been marked as a duplicate of this bug. ***

Comment 37 Matt Sturgeon 2016-05-13 08:25:29 UTC
Description of problem:
I was updating my system and browsing the web.

SELinux notified me that esmtp tried to access a file (that looks related to esmtp), hence bug report.

Version-Release number of selected component:
selinux-policy-3.13.1-158.15.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.8-300.fc23.x86_64
type:           libreport

Comment 38 M_M 2016-05-14 12:00:51 UTC
Description of problem:
1234

Version-Release number of selected component:
selinux-policy-3.13.1-158.9.fc23.noarch
selinux-policy-3.13.1-158.15.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.4-301.fc23.x86_64
type:           libreport

Comment 39 Martín Marqués 2016-07-23 11:42:00 UTC
Just got an selinux report regarding esmtp trying to access this /.esmtp directory. 

IMO this has to get fixed in some way.

Comment 40 Ondřej Lysoněk 2016-08-11 08:52:58 UTC
The main issue here is that the '.esmtp_queue' directory should not be under '/' but under some home directory. This happens when sendmail doesn't have the $HOME environment variable set, e.g. when running from a cron job. This problem is being resolved in [1]. Marking as duplicate.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1303305

*** This bug has been marked as a duplicate of bug 1303305 ***

