Description of problem:
fetchmail is not started at boot if it finds /var/spool/mail/.fetchmail.pid.

May 27 09:36:36 alpha audit[977]: AVC avc: denied { unlink } for pid=977 comm="fetchmail" name=".fetchmail.pid" dev="dm-0" ino=393547 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0
May 27 09:36:36 alpha audit[977]: AVC avc: denied { write } for pid=977 comm="fetchmail" name=".fetchmail.pid" dev="dm-0" ino=393547 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0
May 27 09:36:36 alpha fetchmail[977]: fetchmail: removing stale lockfile
May 27 09:36:36 alpha fetchmail[977]: /var/spool/mail/.fetchmail.pid: Permission denied
May 27 09:36:36 alpha fetchmail[977]: /var/spool/mail/.fetchmail.pid: Permission denied
May 27 09:36:36 alpha systemd[1]: fetchmail.service: Main process exited, code=exited, status=8/n/a
May 27 09:36:36 alpha systemd[1]: fetchmail.service: Failed with result 'exit-code'.
May 27 09:36:36 alpha audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fetchmail comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

Version-Release number of selected component (if applicable):
fetchmail-6.4.1-2.fc32.x86_64

How reproducible:
Whenever /var/spool/mail/.fetchmail.pid is left behind.

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Thank you for the bug report. I guess that this needs to be fixed in SELinux policy.
The .fetchmail.pid file is created with a different context than what is expected by restorecon.

# service fetchmail start
Redirecting to /bin/systemctl start fetchmail.service
# service fetchmail status
Redirecting to /bin/systemctl status fetchmail.service
● fetchmail.service - A remote-mail retrieval utility
     Loaded: loaded (/usr/lib/systemd/system/fetchmail.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2020-05-28 05:26:52 EDT; 1s ago
   Main PID: 18688 (fetchmail)
      Tasks: 1 (limit: 2340)
     Memory: 920.0K
        CPU: 10ms
     CGroup: /system.slice/fetchmail.service
             └─18688 /usr/bin/fetchmail -d 300 --fetchmailrc /etc/fetchmailrc.example

May 28 05:26:52 ci-vm-10-0-138-45.hosted.upshift.rdu2.redhat.com systemd[1]: Started A remote-mail retrieval utility.
# find /var/spool/ -name \*pid\*
/var/spool/postfix/pid
/var/spool/postfix/pid/master.pid
/var/spool/mail/.fetchmail.pid
# ls -Z /var/spool/mail/.fetchmail.pid
system_u:object_r:fetchmail_uidl_cache_t:s0 /var/spool/mail/.fetchmail.pid
# matchpathcon /var/spool/mail/.fetchmail.pid
/var/spool/mail/.fetchmail.pid	system_u:object_r:mail_spool_t:s0
# restorecon -Rv /var/spool/mail/
Relabeled /var/spool/mail/.fetchmail.pid from system_u:object_r:fetchmail_uidl_cache_t:s0 to system_u:object_r:mail_spool_t:s0
# service fetchmail status
Redirecting to /bin/systemctl status fetchmail.service
● fetchmail.service - A remote-mail retrieval utility
     Loaded: loaded (/usr/lib/systemd/system/fetchmail.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2020-05-28 05:26:52 EDT; 1min 6s ago
   Main PID: 18688 (fetchmail)
      Tasks: 1 (limit: 2340)
     Memory: 920.0K
        CPU: 10ms
     CGroup: /system.slice/fetchmail.service
             └─18688 /usr/bin/fetchmail -d 300 --fetchmailrc /etc/fetchmailrc.example

May 28 05:26:52 ci-vm-10-0-138-45.hosted.upshift.rdu2.redhat.com systemd[1]: Started A remote-mail retrieval utility.
# service fetchmail stop
Redirecting to /bin/systemctl stop fetchmail.service
# ausearch -m avc -i
----
type=AVC msg=audit(05/28/2020 05:28:01.188:476) : avc: denied { unlink } for pid=18688 comm=fetchmail name=.fetchmail.pid dev="vda1" ino=1565 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0
#

After running the "restorecon -Rv /var/spool/mail" command, which corrects the labels according to file context patterns, the fetchmail service is not able to delete its PID file.
If the PID file exists and it is labeled mail_spool_t, then the fetchmail service cannot start again. The following SELinux denials appear in enforcing mode:

----
type=PROCTITLE msg=audit(05/28/2020 05:35:43.493:486) : proctitle=/usr/bin/fetchmail -d 300 --fetchmailrc /etc/fetchmailrc.example
type=PATH msg=audit(05/28/2020 05:35:43.493:486) : item=1 name=/var/spool/mail/.fetchmail.pid inode=1565 dev=fc:01 mode=file,600 ouid=mail ogid=mail rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(05/28/2020 05:35:43.493:486) : item=0 name=/var/spool/mail/ inode=686 dev=fc:01 mode=dir,775 ouid=root ogid=mail rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/28/2020 05:35:43.493:486) : cwd=/
type=SYSCALL msg=audit(05/28/2020 05:35:43.493:486) : arch=x86_64 syscall=unlink success=no exit=EACCES(Permission denied) a0=0x5650cc5751f0 a1=0x0 a2=0x7f41e5346840 a3=0x1 items=2 ppid=1 pid=18819 auid=unset uid=mail gid=mail euid=mail suid=mail fsuid=mail egid=mail sgid=mail fsgid=mail tty=(none) ses=unset comm=fetchmail exe=/usr/bin/fetchmail subj=system_u:system_r:fetchmail_t:s0 key=(null)
type=AVC msg=audit(05/28/2020 05:35:43.493:486) : avc: denied { unlink } for pid=18819 comm=fetchmail name=.fetchmail.pid dev="vda1" ino=1565 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(05/28/2020 05:35:43.496:487) : proctitle=/usr/bin/fetchmail -d 300 --fetchmailrc /etc/fetchmailrc.example
type=PATH msg=audit(05/28/2020 05:35:43.496:487) : item=0 name=/var/spool/mail/.fetchmail.pid inode=1565 dev=fc:01 mode=file,600 ouid=mail ogid=mail rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/28/2020 05:35:43.496:487) : cwd=/
type=SYSCALL msg=audit(05/28/2020 05:35:43.496:487) : arch=x86_64 syscall=truncate success=no exit=EACCES(Permission denied) a0=0x5650cc5751f0 a1=0x0 a2=0x0 a3=0x7f41e5617483 items=1 ppid=1 pid=18819 auid=unset uid=mail gid=mail euid=mail suid=mail fsuid=mail egid=mail sgid=mail fsgid=mail tty=(none) ses=unset comm=fetchmail exe=/usr/bin/fetchmail subj=system_u:system_r:fetchmail_t:s0 key=(null)
type=AVC msg=audit(05/28/2020 05:35:43.496:487) : avc: denied { write } for pid=18819 comm=fetchmail name=.fetchmail.pid dev="vda1" ino=1565 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0
----
The only SELinux denial that appears in permissive mode is:

----
type=PROCTITLE msg=audit(05/28/2020 05:38:59.398:492) : proctitle=/usr/bin/fetchmail -d 300 --fetchmailrc /etc/fetchmailrc.example
type=PATH msg=audit(05/28/2020 05:38:59.398:492) : item=1 name=/var/spool/mail/.fetchmail.pid inode=1565 dev=fc:01 mode=file,600 ouid=mail ogid=mail rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(05/28/2020 05:38:59.398:492) : item=0 name=/var/spool/mail/ inode=686 dev=fc:01 mode=dir,775 ouid=root ogid=mail rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/28/2020 05:38:59.398:492) : cwd=/
type=SYSCALL msg=audit(05/28/2020 05:38:59.398:492) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x564c56d871f0 a1=0x0 a2=0x7fed835f9840 a3=0x1 items=2 ppid=1 pid=18859 auid=unset uid=mail gid=mail euid=mail suid=mail fsuid=mail egid=mail sgid=mail fsgid=mail tty=(none) ses=unset comm=fetchmail exe=/usr/bin/fetchmail subj=system_u:system_r:fetchmail_t:s0 key=(null)
type=AVC msg=audit(05/28/2020 05:38:59.398:492) : avc: denied { unlink } for pid=18859 comm=fetchmail name=.fetchmail.pid dev="vda1" ino=1565 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=1
----
# matchpathcon /var/spool/
/var/spool	system_u:object_r:var_spool_t:s0
# matchpathcon /var/spool/mail/
/var/spool/mail	system_u:object_r:mail_spool_t:s0
# sesearch -s fetchmail_t -t mail_spool_t -T
type_transition fetchmail_t mail_spool_t:file fetchmail_uidl_cache_t;
#

It seems that the file context pattern for "/var/spool/mail/.fetchmail.pid" is missing:

# semanage fcontext -l | grep fetchmail_uidl_cache_t
/var/lib/fetchmail(/.*)?                           all files          system_u:object_r:fetchmail_uidl_cache_t:s0
/var/mail/\.fetchmail-UIDL-cache                   regular file       system_u:object_r:fetchmail_uidl_cache_t:s0
#
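An added example, not code from this bug thread or from the selinux-policy project: a small POSIX shell helper that checks the condition diagnosed above, where the type the file context patterns return for /var/spool/mail/.fetchmail.pid (mail_spool_t) disagrees with the type the type_transition rule creates the file with (fetchmail_uidl_cache_t), so that every restorecon run relabels the PID file into a type fetchmail_t cannot write or unlink. On a mismatch it prints the local semanage/restorecon commands an administrator could use as a stopgap until the fixed policy is installed; the helper names are this example's own, and the live wrapper assumes matchpathcon is available on the host.

```shell
#!/bin/sh
# Added example, not code from the bug report or the selinux-policy project.
# Checks whether the file-context pattern for a path agrees with the type the
# daemon's type_transition rule assigns, and prints a local fcontext rule
# (a stopgap until the fixed policy package lands) when it does not.

# Type component of a context string such as system_u:object_r:mail_spool_t:s0.
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Escape a literal path into the regex form that semanage fcontext expects.
fcontext_regex() {
  printf '%s\n' "$1" | sed 's/[.]/\\./g'
}

# Print the commands that add a local file-context rule and relabel the file.
fcontext_fix_cmds() {
  printf "semanage fcontext -a -t %s '%s'\n" "$2" "$(fcontext_regex "$1")"
  printf "restorecon -v '%s'\n" "$1"
}

# Pure comparison, usable offline: EXPECTED_CTX is what matchpathcon returns
# for PATH, CREATED_TYPE is the type_transition target shown by sesearch -T.
# Prints a verdict line plus the fix on disagreement; exits 0 only on agreement.
pattern_check() {
  path=$1; expected_ctx=$2; created_type=$3
  if [ "$(ctx_type "$expected_ctx")" = "$created_type" ]; then
    echo "OK $path $created_type"
    return 0
  fi
  echo "MISMATCH $path pattern=$(ctx_type "$expected_ctx") transition=$created_type"
  fcontext_fix_cmds "$path" "$created_type"
  return 1
}

# Live wrapper for an SELinux host (needs matchpathcon): check_path PATH CREATED_TYPE
check_path() {
  pattern_check "$1" "$(matchpathcon -n "$1")" "$2"
}
```

Running `check_path /var/spool/mail/.fetchmail.pid fetchmail_uidl_cache_t` on a host with the unfixed policy reproduces the mismatch from the thread and prints the two commands; with the fixed policy it reports OK.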
Good catch, nt.guilde!
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy-contrib/pull/257
commit 22a72723552b1c4bc6dd42f7f55fd9dd42426c3c (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Tue Jun 2 15:30:17 2020 +0200

    Add fetchmail_uidl_cache_t type for /var/mail/.fetchmail.pid

    Resolves: rhbz#1840880
FEDORA-2020-ca8855e4de has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-ca8855e4de
FEDORA-2020-ca8855e4de has been pushed to the Fedora 32 testing repository. In a short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-ca8855e4de` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-ca8855e4de See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
selinux-policy-3.14.5-40.fc32 has been pushed to the Fedora 32 stable repository. If problems still persist, please make note of it in this bug report.