Description of problem:
# sealert -l 77c2bd19-15e6-48d2-b680-0b838de24b31
/usr/bin/sealert:32: DeprecationWarning: Importing dbus.glib to use the GLib main loop with dbus-python is deprecated.
Instead, use this sequence:

    from dbus.mainloop.glib import DBusGMainLoop
    DBusGMainLoop(set_as_default=True)

  import dbus.glib
SELinux belet fetchmail write toegang op sock_file lmtp.

*****  Plugin catchall (met 100. vertrouwen) suggereert  ********************

Als je denkt dat fetchmail standaard write toegang moet hebben tot de lmtp sock_file.
Dan je moet dit melden als een fout.
Je kunt een locale tactiek module genereren om deze toegang toe te staan.
Doe
sta deze toegang nu toe door het uitvoeren van:
# ausearch -c 'fetchmail' --raw | audit2allow -M my-fetchmail
# semodule -X 300 -i my-fetchmail.pp

Aanvullende informatie:
Broncontext                   system_u:system_r:fetchmail_t:s0
Doelcontext                   system_u:object_r:dovecot_var_run_t:s0
Doelobjecten                  lmtp [ sock_file ]
Bron                          fetchmail
Bronpad                       fetchmail
Poort                         <Unknown>
Host                          mail-new.kobaltwit.be
Bron RPM-pakketten
Doel RPM-pakketten
Beleid RPM                    selinux-policy-3.14.3-37.fc30.noarch
SELinux aangezet              True
Beleidstype                   targeted
Afdwingende modus             Enforcing
Hostnaam                      mail-new.kobaltwit.be
Platform                      Linux mail-new.kobaltwit.be 5.0.16-300.fc30.x86_64 #1 SMP Tue May 14 19:33:09 UTC 2019 x86_64 x86_64
Aantal waarschuwingen         27
Eerst gezien op               2019-05-30 15:36:53 CEST
Laatst gezien op              2019-05-30 18:25:21 CEST
Locale ID                     77c2bd19-15e6-48d2-b680-0b838de24b31

Onbewerkte auditboodschappen
type=AVC msg=audit(1559233521.583:34770): avc:  denied  { write } for  pid=21725 comm="fetchmail" name="lmtp" dev="tmpfs" ino=2268961 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:dovecot_var_run_t:s0 tclass=sock_file permissive=0

Hash: fetchmail,fetchmail_t,dovecot_var_run_t,sock_file,write

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.3-37.fc30.noarch

How reproducible:
Always if policy is set to enforcing

Steps to Reproduce:
1. Configure dovecot with lmtp service
2. Configure fetchmail to use /var/run/dovecot/lmtp socket to deliver mails it fetches from a remote server
3. Let fetchmail fetch mails from the remote server

Actual results:
Delivery fails due to the above avc

Expected results:
Mails should properly be delivered in the user's mailbox.

Additional info:
Note the local fix suggested by the audit log is not working:

# ausearch -c 'fetchmail' --raw | audit2allow -M my-fetchmail
Nothing to do

So I'm not sure how to work around this atm other than via going into permissive mode?
Hi,

It is possible the audit logs have been rotated. You can create the module this way, having its content under control rather than using audit2allow -M:

# cat << EOF > fetchmail-dovecot.te
module fetchmail-dovecot 1.0;

require {
        type dovecot_var_run_t;
        type fetchmail_t;
        class sock_file write;
}

#============= fetchmail_t ==============
allow fetchmail_t dovecot_var_run_t:sock_file write;
EOF
# make -f /usr/share/selinux/devel/Makefile fetchmail-dovecot.pp
# semodule -i fetchmail-dovecot.pp

Try the scenario again and check if all denials are gone. Please note the selinux-policy-devel package is required to build a custom module.
With the policy from comment 2 in place I now get this one still:

# sealert -l 783f2191-d981-4fa5-b871-b3b6b7eea78c
/usr/bin/sealert:32: DeprecationWarning: Importing dbus.glib to use the GLib main loop with dbus-python is deprecated.
Instead, use this sequence:

    from dbus.mainloop.glib import DBusGMainLoop
    DBusGMainLoop(set_as_default=True)

  import dbus.glib
SELinux belet fetchmail connectto toegang op unix_stream_socket /run/dovecot/lmtp.

*****  Plugin catchall_boolean (met 89.3 vertrouwen) suggereert  ************

Als je enable cluster mode for daemons. wilt
Dan je moet dit aan SELinux doorgeven door het aanzetten van de 'daemons_enable_cluster_mode' boolean.

Doe
setsebool -P daemons_enable_cluster_mode 1

*****  Plugin catchall (met 11.6 vertrouwen) suggereert  ********************

Als je denkt dat fetchmail standaard connectto toegang moet hebben tot de lmtp unix_stream_socket.
Dan je moet dit melden als een fout.
Je kunt een locale tactiek module genereren om deze toegang toe te staan.
Doe
sta deze toegang nu toe door het uitvoeren van:
# ausearch -c 'fetchmail' --raw | audit2allow -M my-fetchmail
# semodule -X 300 -i my-fetchmail.pp

Aanvullende informatie:
Broncontext                   system_u:system_r:fetchmail_t:s0
Doelcontext                   system_u:system_r:dovecot_t:s0
Doelobjecten                  /run/dovecot/lmtp [ unix_stream_socket ]
Bron                          fetchmail
Bronpad                       fetchmail
Poort                         <Unknown>
Host                          mail-new.kobaltwit.be
Bron RPM-pakketten
Doel RPM-pakketten
Beleid RPM                    selinux-policy-3.14.3-37.fc30.noarch
SELinux aangezet              True
Beleidstype                   targeted
Afdwingende modus             Enforcing
Hostnaam                      mail-new.kobaltwit.be
Platform                      Linux mail-new.kobaltwit.be 5.0.16-300.fc30.x86_64 #1 SMP Tue May 14 19:33:09 UTC 2019 x86_64 x86_64
Aantal waarschuwingen         5
Eerst gezien op               2019-06-02 12:30:22 CEST
Laatst gezien op              2019-06-05 16:36:44 CEST
Locale ID                     783f2191-d981-4fa5-b871-b3b6b7eea78c

Onbewerkte auditboodschappen
type=AVC msg=audit(1559745404.532:16297): avc:  denied  { connectto } for  pid=343 comm="fetchmail" path="/run/dovecot/lmtp" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=unix_stream_socket permissive=0

Hash: fetchmail,fetchmail_t,dovecot_t,unix_stream_socket,connectto

After doing the suggested audit2allow/semodule dance fetchmail did work. So it looks like there are only two denials to fix.
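The two denials in this thread (the sock_file write from comment 1 and the unix_stream_socket connectto above) are exactly what audit2allow turns into the allow rules of comment 2. As an added example that is not part of the bug report or of the selinux-policy project, the following Python script does the core of that transformation by hand, so the resulting module can be reviewed before it is built and loaded: it parses raw AVC records, keys them by (source type, target type, object class), and emits a .te module with a matching require block. The two AVC lines are copied from this report and embedded as constructed sample input; the module name fetchmail-dovecot is taken from comment 2 and the version string is an assumption.

```python
"""Turn raw SELinux AVC denial records into a minimal type-enforcement (.te)
module, i.e. the transformation `ausearch --raw | audit2allow -M` performs.
Added example for this bug report; not audit2allow's own code."""
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in this bug report.
SAMPLE_AVC = """\
type=AVC msg=audit(1559233521.583:34770): avc:  denied  { write } for  pid=21725 comm="fetchmail" name="lmtp" dev="tmpfs" ino=2268961 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:dovecot_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1559745404.532:16297): avc:  denied  { connectto } for  pid=343 comm="fetchmail" path="/run/dovecot/lmtp" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=unix_stream_socket permissive=0
"""

# Only "denied" records matter; "granted" or non-AVC lines are skipped.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type:level security context."""
    return ctx.split(':')[2]


def parse_denials(text):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m['scontext']), context_type(m['tcontext']), m['tclass'])
        rules[key].update(m['perms'].split())
    return rules


def fmt_perms(perms):
    """Single permission bare, several in braces, as in policy source."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_te_module(name, version, rules):
    """Render the .te source: header, require block, then one allow per key."""
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {fmt_perms(perms)};" for cls, perms in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        lines.append(f"allow {src} {tgt}:{cls} {fmt_perms(perms)};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Write the module source; build with the Makefile from comment 2 and
    # load with `semodule -i fetchmail-dovecot.pp` after reviewing it.
    print(build_te_module("fetchmail-dovecot", "1.0", parse_denials(SAMPLE_AVC)), end="")
```

The script emits only the rules the denials actually show, which is the same shape the upstream fix took (a targeted allow for fetchmail_t to dovecot stream sockets) rather than the much broader daemons_enable_cluster_mode boolean that sealert proposed with 89% confidence. Feeding it `ausearch -c 'fetchmail' --raw` output gives a module whose every line can be checked against a specific AVC record before it is installed.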
commit 64d8b199df391a3c91f33c9299e90ac20744d8ad (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Mon Jun 10 13:51:16 2019 +0200

    Allow fetchmail_t to connect to dovecot stream sockets

    BZ(1715569)
FEDORA-2019-9da5c35472 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472
selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472
selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.