Bug 1853389 - fetchmail cannot remove stale /var/spool/mail/.fetchmail.pid file
Summary: fetchmail cannot remove stale /var/spool/mail/.fetchmail.pid file
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.3
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.4
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-07-02 14:35 UTC by Milos Malik
Modified: 2021-05-18 14:58 UTC
CC: 9 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 1840880
Environment:
Last Closed: 2021-05-18 14:57:37 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Milos Malik 2020-07-02 14:35:39 UTC
+++ This bug was initially created as a clone of Bug #1840880 +++

Description of problem:

fetchmail is not started at boot if it finds /var/spool/mail/.fetchmail.pid.

May 27 09:36:36 alpha audit[977]: AVC avc:  denied  { unlink } for  pid=977 comm="fetchmail" name=".fetchmail.pid" dev="dm-0" ino=393547 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0
May 27 09:36:36 alpha audit[977]: AVC avc:  denied  { write } for  pid=977 comm="fetchmail" name=".fetchmail.pid" dev="dm-0" ino=393547 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0
May 27 09:36:36 alpha fetchmail[977]: fetchmail: removing stale lockfile
May 27 09:36:36 alpha fetchmail[977]: /var/spool/mail/.fetchmail.pid: Permission denied
May 27 09:36:36 alpha fetchmail[977]: /var/spool/mail/.fetchmail.pid: Permission denied
May 27 09:36:36 alpha systemd[1]: fetchmail.service: Main process exited, code=exited, status=8/n/a
May 27 09:36:36 alpha systemd[1]: fetchmail.service: Failed with result 'exit-code'.
May 27 09:36:36 alpha audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fetchmail comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'


Version-Release number of selected component (if applicable):
fetchmail-6.3.26-19.el8.x86_64
selinux-policy-3.14.3-48.el8.noarch
selinux-policy-targeted-3.14.3-48.el8.noarch

How reproducible:

Whenever /var/spool/mail/.fetchmail.pid is left behind.

--- Additional comment from Milos Malik on 2020-05-28 09:34:13 UTC ---

The .fetchmail.pid file is created with a different context than what is expected by restorecon.

# service fetchmail start
Redirecting to /bin/systemctl start fetchmail.service
# service fetchmail status
Redirecting to /bin/systemctl status fetchmail.service
● fetchmail.service - A remote-mail retrieval utility
     Loaded: loaded (/usr/lib/systemd/system/fetchmail.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2020-05-28 05:26:52 EDT; 1s ago
   Main PID: 18688 (fetchmail)
      Tasks: 1 (limit: 2340)
     Memory: 920.0K
        CPU: 10ms
     CGroup: /system.slice/fetchmail.service
             └─18688 /usr/bin/fetchmail -d 300 --fetchmailrc /etc/fetchmailrc.example

May 28 05:26:52 ci-vm-10-0-138-45.hosted.upshift.rdu2.redhat.com systemd[1]: Started A remote-mail retrieval utility.
# find /var/spool/ -name \*pid\*
/var/spool/postfix/pid
/var/spool/postfix/pid/master.pid
/var/spool/mail/.fetchmail.pid
# ls -Z /var/spool/mail/.fetchmail.pid
system_u:object_r:fetchmail_uidl_cache_t:s0 /var/spool/mail/.fetchmail.pid
# matchpathcon /var/spool/mail/.fetchmail.pid
/var/spool/mail/.fetchmail.pid	system_u:object_r:mail_spool_t:s0
# restorecon -Rv /var/spool/mail/
Relabeled /var/spool/mail/.fetchmail.pid from system_u:object_r:fetchmail_uidl_cache_t:s0 to system_u:object_r:mail_spool_t:s0
# service fetchmail status
Redirecting to /bin/systemctl status fetchmail.service
● fetchmail.service - A remote-mail retrieval utility
     Loaded: loaded (/usr/lib/systemd/system/fetchmail.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2020-05-28 05:26:52 EDT; 1min 6s ago
   Main PID: 18688 (fetchmail)
      Tasks: 1 (limit: 2340)
     Memory: 920.0K
        CPU: 10ms
     CGroup: /system.slice/fetchmail.service
             └─18688 /usr/bin/fetchmail -d 300 --fetchmailrc /etc/fetchmailrc.example

May 28 05:26:52 ci-vm-10-0-138-45.hosted.upshift.rdu2.redhat.com systemd[1]: Started A remote-mail retrieval utility.
# service fetchmail stop
Redirecting to /bin/systemctl stop fetchmail.service
# ausearch -m avc -i 
----
type=AVC msg=audit(05/28/2020 05:28:01.188:476) : avc:  denied  { unlink } for  pid=18688 comm=fetchmail name=.fetchmail.pid dev="vda1" ino=1565 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0 
#

After running the "restorecon -Rv /var/spool/mail" command, which corrects the labels according to file context patterns, the fetchmail service is not able to delete its PID file.

--- Additional comment from Milos Malik on 2020-05-28 09:37:35 UTC ---

If the PID file exists and it is labeled mail_spool_t, then the fetchmail service cannot start again. The following SELinux denials appear in enforcing mode:
----
type=PROCTITLE msg=audit(05/28/2020 05:35:43.493:486) : proctitle=/usr/bin/fetchmail -d 300 --fetchmailrc /etc/fetchmailrc.example 
type=PATH msg=audit(05/28/2020 05:35:43.493:486) : item=1 name=/var/spool/mail/.fetchmail.pid inode=1565 dev=fc:01 mode=file,600 ouid=mail ogid=mail rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/28/2020 05:35:43.493:486) : item=0 name=/var/spool/mail/ inode=686 dev=fc:01 mode=dir,775 ouid=root ogid=mail rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/28/2020 05:35:43.493:486) : cwd=/ 
type=SYSCALL msg=audit(05/28/2020 05:35:43.493:486) : arch=x86_64 syscall=unlink success=no exit=EACCES(Permission denied) a0=0x5650cc5751f0 a1=0x0 a2=0x7f41e5346840 a3=0x1 items=2 ppid=1 pid=18819 auid=unset uid=mail gid=mail euid=mail suid=mail fsuid=mail egid=mail sgid=mail fsgid=mail tty=(none) ses=unset comm=fetchmail exe=/usr/bin/fetchmail subj=system_u:system_r:fetchmail_t:s0 key=(null) 
type=AVC msg=audit(05/28/2020 05:35:43.493:486) : avc:  denied  { unlink } for  pid=18819 comm=fetchmail name=.fetchmail.pid dev="vda1" ino=1565 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(05/28/2020 05:35:43.496:487) : proctitle=/usr/bin/fetchmail -d 300 --fetchmailrc /etc/fetchmailrc.example 
type=PATH msg=audit(05/28/2020 05:35:43.496:487) : item=0 name=/var/spool/mail/.fetchmail.pid inode=1565 dev=fc:01 mode=file,600 ouid=mail ogid=mail rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/28/2020 05:35:43.496:487) : cwd=/ 
type=SYSCALL msg=audit(05/28/2020 05:35:43.496:487) : arch=x86_64 syscall=truncate success=no exit=EACCES(Permission denied) a0=0x5650cc5751f0 a1=0x0 a2=0x0 a3=0x7f41e5617483 items=1 ppid=1 pid=18819 auid=unset uid=mail gid=mail euid=mail suid=mail fsuid=mail egid=mail sgid=mail fsgid=mail tty=(none) ses=unset comm=fetchmail exe=/usr/bin/fetchmail subj=system_u:system_r:fetchmail_t:s0 key=(null) 
type=AVC msg=audit(05/28/2020 05:35:43.496:487) : avc:  denied  { write } for  pid=18819 comm=fetchmail name=.fetchmail.pid dev="vda1" ino=1565 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0 
----

--- Additional comment from Milos Malik on 2020-05-28 09:40:07 UTC ---

The only SELinux denial that appears in permissive mode is:
----
type=PROCTITLE msg=audit(05/28/2020 05:38:59.398:492) : proctitle=/usr/bin/fetchmail -d 300 --fetchmailrc /etc/fetchmailrc.example 
type=PATH msg=audit(05/28/2020 05:38:59.398:492) : item=1 name=/var/spool/mail/.fetchmail.pid inode=1565 dev=fc:01 mode=file,600 ouid=mail ogid=mail rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(05/28/2020 05:38:59.398:492) : item=0 name=/var/spool/mail/ inode=686 dev=fc:01 mode=dir,775 ouid=root ogid=mail rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/28/2020 05:38:59.398:492) : cwd=/ 
type=SYSCALL msg=audit(05/28/2020 05:38:59.398:492) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x564c56d871f0 a1=0x0 a2=0x7fed835f9840 a3=0x1 items=2 ppid=1 pid=18859 auid=unset uid=mail gid=mail euid=mail suid=mail fsuid=mail egid=mail sgid=mail fsgid=mail tty=(none) ses=unset comm=fetchmail exe=/usr/bin/fetchmail subj=system_u:system_r:fetchmail_t:s0 key=(null) 
type=AVC msg=audit(05/28/2020 05:38:59.398:492) : avc:  denied  { unlink } for  pid=18859 comm=fetchmail name=.fetchmail.pid dev="vda1" ino=1565 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=1 
----

--- Additional comment from Milos Malik on 2020-05-28 09:46:19 UTC ---

# matchpathcon /var/spool/
/var/spool	system_u:object_r:var_spool_t:s0
# matchpathcon /var/spool/mail/
/var/spool/mail	system_u:object_r:mail_spool_t:s0
# sesearch -s fetchmail_t -t mail_spool_t -T
type_transition fetchmail_t mail_spool_t:file fetchmail_uidl_cache_t;
# 

It seems that file context pattern for "/var/spool/mail/.fetchmail.pid" is missing:

# semanage fcontext -l | grep fetchmail_uidl_cache_t
/var/lib/fetchmail(/.*)?                           all files          system_u:object_r:fetchmail_uidl_cache_t:s0 
/var/mail/\.fetchmail-UIDL-cache                   regular file       system_u:object_r:fetchmail_uidl_cache_t:s0 
#
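The comments above establish the mechanism by hand: fetchmail_t creates the PID file under a mail_spool_t directory, the type_transition rule labels it fetchmail_uidl_cache_t, no file-context pattern covers /var/spool/mail/.fetchmail.pid, so restorecon relabels it back to mail_spool_t and the daemon is then denied unlink and write on its own file. The script below is an added example (not from this bug report or the selinux-policy project) that mechanises that diagnosis: it parses an AVC record, looks the path up against a file-context list in `semanage fcontext -l` layout, compares the result with the type the policy transitions to, and prints the local `semanage fcontext` / `restorecon` commands that would stop restorecon from undoing the label. The function names are hypothetical; the sample AVC record and the two fetchmail_uidl_cache_t patterns are copied from this bug, while the `/var/spool/mail(/.*)?` entry stands in for whatever pattern gives matchpathcon its mail_spool_t answer and is an assumption. Pinning the file to fetchmail_uidl_cache_t is also an assumption taken from the type_transition output shown above; the upstream fix referenced later in the bug may use a different type.

```shell
#!/bin/sh
# Added example, not part of the bug report or of selinux-policy. Sample data
# below is constructed from the records quoted in this bug.

# Type field of a full context: system_u:object_r:mail_spool_t:s0 -> mail_spool_t
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Parse one AVC record (raw audit.log or `ausearch -i` form) into
# "stype ttype tclass permissive perm...". Prints nothing for other records.
parse_avc() {
    printf '%s\n' "$1" | sed -n \
      's/.*avc: *denied *{ *\([a-z_ ]*[a-z_]\) *}.*scontext=[^:]*:[^:]*:\([A-Za-z0-9_]*\):[^ ]* *tcontext=[^:]*:[^:]*:\([A-Za-z0-9_]*\):[^ ]* *tclass=\([A-Za-z0-9_]*\) *permissive=\([01]\).*/\2 \3 \4 \5 \1/p'
}

# Type that the file-context list $2 (lines in `semanage fcontext -l` layout:
# regex, file type, context) assigns to path $1. First pattern matching the
# whole path wins; libselinux ranks by specificity, which is equivalent for
# these non-overlapping samples. Returns 1 and prints nothing when none match.
fcontext_type_for() {
    path=$1
    found=$(printf '%s\n' "$2" | while read -r pat rest; do
        [ -n "$pat" ] || continue
        ctx=${rest##* }
        if printf '%s\n' "$path" | grep -Eq "^(${pat})\$"; then
            ctx_type "$ctx"
            break
        fi
    done)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Commands that pin path $1 to type $2 in the local file-context database so
# that restorecon keeps the label the domain created. Dots in the literal path
# are escaped because semanage takes a regex.
suggest_fix() {
    pat=$(printf '%s\n' "$1" | sed 's/[.]/\\./g')
    printf "semanage fcontext -a -t %s '%s'\nrestorecon -v '%s'\n" "$2" "$pat" "$1"
}

# Verdict for one denial. $1 path, $2 type the domain creates there (from
# `sesearch -s DOMAIN -t DIRTYPE -T`), $3 AVC record, $4 file-context list.
# Prints RELABELED and returns 0 when the evidence matches this bug's pattern
# (AVC target type == fcontext type != created type); otherwise OTHER / 1.
diagnose() {
    path=$1; created=$2; avc=$3; fclist=$4
    set -- $(parse_avc "$avc")
    [ $# -ge 5 ] || { printf 'OTHER: not an AVC denial\n'; return 1; }
    stype=$1; ttype=$2
    expected=$(fcontext_type_for "$path" "$fclist") || expected='(none)'
    if [ "$ttype" = "$expected" ] && [ "$ttype" != "$created" ]; then
        printf 'RELABELED: %s creates %s as %s but fcontext maps it to %s; restorecon relabeled it and %s is now denied\n' \
            "$stype" "$path" "$created" "$expected" "$stype"
        return 0
    fi
    printf 'OTHER: %s denied on %s (%s), fcontext type %s\n' "$stype" "$path" "$ttype" "$expected"
    return 1
}

# --- constructed sample input ---------------------------------------------
# AVC record as quoted in the bug (ausearch -i form).
AVC_SAMPLE='type=AVC msg=audit(05/28/2020 05:28:01.188:476) : avc:  denied  { unlink } for  pid=18688 comm=fetchmail name=.fetchmail.pid dev="vda1" ino=1565 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0'
# Two lines from the bug's `semanage fcontext -l | grep fetchmail_uidl_cache_t`;
# the /var/spool/mail entry is an ASSUMPTION standing in for the real pattern.
FCONTEXT_SAMPLE='/var/lib/fetchmail(/.*)?             all files     system_u:object_r:fetchmail_uidl_cache_t:s0
/var/mail/\.fetchmail-UIDL-cache     regular file  system_u:object_r:fetchmail_uidl_cache_t:s0
/var/spool/mail(/.*)?                all files     system_u:object_r:mail_spool_t:s0'
PIDFILE=/var/spool/mail/.fetchmail.pid
# From the bug: type_transition fetchmail_t mail_spool_t:file fetchmail_uidl_cache_t
CREATED_TYPE=fetchmail_uidl_cache_t

if diagnose "$PIDFILE" "$CREATED_TYPE" "$AVC_SAMPLE" "$FCONTEXT_SAMPLE"; then
    # ASSUMPTION: pin to the type the policy already transitions to; the
    # upstream fix may choose a different type for the PID file.
    suggest_fix "$PIDFILE" "$CREATED_TYPE"
fi
```

On a live host the same functions can be fed real data: `ausearch -m avc -i` for the record, `semanage fcontext -l` for the list, and `sesearch -s fetchmail_t -t mail_spool_t -T` for the created type. A local `semanage fcontext -a` entry is a workaround that survives restorecon, not a replacement for the policy fix; once the updated selinux-policy package ships a pattern for the path, remove the local entry with `semanage fcontext -d` so the two do not disagree.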

Comment 7 Milos Malik 2020-11-12 20:02:06 UTC
The automated TC found the following SELinux denials:
----
type=PROCTITLE msg=audit(11/12/2020 12:15:16.059:267) : proctitle=/usr/bin/fetchmail -d 300 --fetchmailrc /etc/fetchmailrc.example 
type=PATH msg=audit(11/12/2020 12:15:16.059:267) : item=1 name=/var/spool/mail/.fetchmail.pid inode=33698504 dev=fd:00 mode=file,600 ouid=mail ogid=mail rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(11/12/2020 12:15:16.059:267) : item=0 name=/var/spool/mail/ inode=33602346 dev=fd:00 mode=dir,775 ouid=root ogid=mail rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/12/2020 12:15:16.059:267) : cwd=/ 
type=SYSCALL msg=audit(11/12/2020 12:15:16.059:267) : arch=x86_64 syscall=unlink success=no exit=EACCES(Permission denied) a0=0x56493313d3b0 a1=0x23 a2=0x7f681c58b810 a3=0x56493211f198 items=2 ppid=1 pid=31809 auid=unset uid=mail gid=mail euid=mail suid=mail fsuid=mail egid=mail sgid=mail fsgid=mail tty=(none) ses=unset comm=fetchmail exe=/usr/bin/fetchmail subj=system_u:system_r:fetchmail_t:s0 key=(null) 
type=AVC msg=audit(11/12/2020 12:15:16.059:267) : avc:  denied  { unlink } for  pid=31809 comm=fetchmail name=.fetchmail.pid dev="dm-0" ino=33698504 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(11/12/2020 12:15:16.059:268) : proctitle=/usr/bin/fetchmail -d 300 --fetchmailrc /etc/fetchmailrc.example 
type=PATH msg=audit(11/12/2020 12:15:16.059:268) : item=0 name=/var/spool/mail/.fetchmail.pid inode=33698504 dev=fd:00 mode=file,600 ouid=mail ogid=mail rdev=00:00 obj=system_u:object_r:mail_spool_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/12/2020 12:15:16.059:268) : cwd=/ 
type=SYSCALL msg=audit(11/12/2020 12:15:16.059:268) : arch=x86_64 syscall=truncate success=no exit=EACCES(Permission denied) a0=0x56493313d3b0 a1=0x0 a2=0x7f681c58b810 a3=0x0 items=1 ppid=1 pid=31809 auid=unset uid=mail gid=mail euid=mail suid=mail fsuid=mail egid=mail sgid=mail fsgid=mail tty=(none) ses=unset comm=fetchmail exe=/usr/bin/fetchmail subj=system_u:system_r:fetchmail_t:s0 key=(null) 
type=AVC msg=audit(11/12/2020 12:15:16.059:268) : avc:  denied  { write } for  pid=31809 comm=fetchmail name=.fetchmail.pid dev="dm-0" ino=33698504 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0 
----

Comment 8 Milos Malik 2020-11-12 20:13:49 UTC
The above-mentioned SELinux denials are in fact consequences of this command:

:: [ 12:15:14 ] :: [  BEGIN   ] :: Running 'restorecon -Rv /run /var'
Relabeled /var/spool/mail/.fetchmail.pid from system_u:object_r:fetchmail_uidl_cache_t:s0 to system_u:object_r:mail_spool_t:s0
:: [ 12:15:15 ] :: [   PASS   ] :: Command 'restorecon -Rv /run /var' (Expected 0, got 0)

Comment 11 Zdenek Pytela 2020-11-13 08:52:12 UTC
I've submitted a Fedora PR to correct the previous fix:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/364

Comment 19 errata-xmlrpc 2021-05-18 14:57:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1639

