Bug 1472432 - selinux preventing exim from searching directory net
Status: CLOSED DUPLICATE of bug 1444441
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Lukas Vrabec
QA Contact: Milos Malik
Reported: 2017-07-18 13:25 EDT by gyuyjxz5kv
Modified: 2017-07-24 09:24 EDT
CC List: 8 users

Last Closed: 2017-07-24 08:44:28 EDT
Type: Bug
Description gyuyjxz5kv 2017-07-18 13:25:57 EDT
Description of problem:
A lot of entries in /var/log/messages saying
SELinux is preventing /usr/bin/exim from search access on the directory net

sealert gives me 

Raw Audit Messages
type=AVC msg=audit(1500377938.962:1304): avc:  denied  { search } for  pid=14113 comm="exim" name="net" dev="proc" ino=7154 scontext=system_u:system_r:exim_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir


type=SYSCALL msg=audit(1500377938.962:1304): arch=x86_64 syscall=open success=no exit=EACCES a0=7f12c17314b0 a1=80000 a2=1b6 a3=24 items=0 ppid=14109 pid=14113 auid=0 uid=0 gid=93 euid=0 suid=0 fsuid=0 egid=93 sgid=93 fsgid=93 tty=(none) ses=111 comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0-s0:c0.c1023 key=(null)

I'm pretty sure that the directory exim wants to search is /proc/sys/net.

This happens at times unrelated to any messages sent or received as far as I can see.  It looks likely that the centos7 reports https://bugs.centos.org/view.php?id=13247 and https://bugs.centos.org/view.php?id=12913 are the same thing, but with different alternative MTAs, so the issue is probably not specific to exim, but applies to MTAs more generally.

Version-Release number of selected component (if applicable):
selinux-policy.noarch 3.13.1-102.el7_3.16, exim 4.89-1.el7.x86_64 from the exim repository

How reproducible:
It keeps happening

Steps to Reproduce:
1. I don't know how to force it, but it seems to happen roughly hourly, so perhaps it is the byproduct of an hourly cron job.

Actual results:
AVC messages that selinux denies exim permission to search directory net

Expected results:
No AVC messages

Additional info:
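
An added example, not part of the original report: a small triage script that parses AVC denial records in the format shown above, collapses them into (source type, target type, class, permission) tuples, and buckets them by hour to test the "roughly hourly" observation. The first sample line is the AVC record from the report; the second AVC line and the shortened SYSCALL line are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Line 1 is the AVC record from the report. Line 2 is a constructed repeat
# (invented timestamp, serial and pid); line 3 is a shortened SYSCALL record.
SAMPLE = """\
type=AVC msg=audit(1500377938.962:1304): avc:  denied  { search } for  pid=14113 comm="exim" name="net" dev="proc" ino=7154 scontext=system_u:system_r:exim_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1500381541.100:1411): avc:  denied  { search } for  pid=15002 comm="exim" name="net" dev="proc" ino=7154 scontext=system_u:system_r:exim_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=SYSCALL msg=audit(1500377938.962:1304): arch=x86_64 syscall=open success=no exit=EACCES comm=exim exe=/usr/sbin/exim
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    rec["time"] = datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc)
    # A context is user:role:type:level; the type is what policy rules refer to.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Count denials per policy tuple and per UTC hour."""
    by_rule, by_hour = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            by_rule[(rec["source_type"], rec["target_type"], rec["tclass"], perm)] += 1
        by_hour[rec["time"].strftime("%Y-%m-%d %H:00Z")] += 1
    return by_rule, by_hour

if __name__ == "__main__":
    rules, hours = summarize(SAMPLE)
    for rule, n in rules.items():
        print(n, *rule)
    for hour, n in sorted(hours.items()):
        print(hour, n)
```
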
Comment 2 Milos Malik 2017-07-19 05:05:21 EDT
I believe this bug is duplicate of BZ#1444441.
Comment 3 David Sommerseth 2017-07-19 16:09:40 EDT
I'm not authorized to view bz#1444441 .... can we get an excerpt or be authorized to view it?  Hard to say if this bz is related or not.
Comment 4 Lukas Vrabec 2017-07-24 08:44:28 EDT

*** This bug has been marked as a duplicate of bug 1444441 ***
Comment 5 Pat Riehecky 2017-07-24 09:24:35 EDT
Any chance watchlist users of this bug can be added to bug 1444441 ?
