Bug 2211025 - SELinux denial on every Exim queue run
Summary: SELinux denial on every Exim queue run
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 37
Hardware: Unspecified
OS: Linux
Importance: low medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-05-30 10:12 UTC by Tim Landscheidt
Modified: 2023-07-15 01:53 UTC
CC: 8 users

Fixed In Version: selinux-policy-37.22-1.fc37
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-07-15 01:53:44 UTC
Type: ---
Embargoed:
Links
System: Github
ID: fedora-selinux selinux-policy pull 1720
Private: 0
Priority: None
Status: open
Summary: Allow exim read network sysctls
Last Updated: 2023-05-31 06:55:35 UTC

Description Tim Landscheidt 2023-05-30 10:12:09 UTC
With exim-4.96-6.fc37.x86_64 and selinux-policy-targeted-37.20-1.fc37.noarch, every Exim queue run, by default scheduled every hour, causes an SELinux denial:

| […]
| type=AVC msg=audit(1685423685.876:788): avc:  denied  { search } for  pid=41331 comm="exim" name="net" dev="proc" ino=736304 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
| type=AVC msg=audit(1685427285.924:805): avc:  denied  { search } for  pid=42916 comm="exim" name="net" dev="proc" ino=736304 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
| type=AVC msg=audit(1685430885.945:824): avc:  denied  { search } for  pid=48419 comm="exim" name="net" dev="proc" ino=736304 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
| type=AVC msg=audit(1685434485.981:854): avc:  denied  { search } for  pid=50792 comm="exim" name="net" dev="proc" ino=736304 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
| type=AVC msg=audit(1685438086.027:879): avc:  denied  { search } for  pid=52557 comm="exim" name="net" dev="proc" ino=736304 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
| […]

This was also reported in the exim component as bug #2169286.  There is a non-public Red Hat bug #1444441 with apparently the same topic.

(NB: I don't know why Exim demands access, or whether it should be allowed.)

Reproducible: Always

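The denials above all share one source type, target type and object class, so they collapse into a single TE rule. The following is an added example, not code from the report or from selinux-policy: it parses AVC records like the ones quoted, merges them per (source type, target type, class) the way audit2allow does, and renders a local .te module. The sample input is constructed from two of the quoted lines plus one hypothetical file-read denial (not on the page) to show how several permissions aggregate; the module name `local_exim_sysctl` is arbitrary.

```python
import re
from collections import defaultdict

# Constructed sample: two AVC records from the report plus one hypothetical
# "read" denial on a file under /proc/sys/net (not from the page).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1685423685.876:788): avc:  denied  { search } for  pid=41331 comm="exim" name="net" dev="proc" ino=736304 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1685427285.924:805): avc:  denied  { search } for  pid=42916 comm="exim" name="net" dev="proc" ino=736304 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1685427286.001:806): avc:  denied  { read } for  pid=42916 comm="exim" name="somaxconn" dev="proc" ino=736310 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)"
)

def type_of(context):
    # A context is user:role:type[:level]; the type is the third field.
    return context.split(":")[2]

def merge_denials(audit_text):
    """Collapse AVC records into {(source type, target type, class): {perms}}."""
    merged = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["sctx"]), type_of(m["tctx"]), m["tclass"])
            merged[key] |= set(m["perms"].split())
    return dict(merged)

def fmt_perms(perms):
    # One permission is written bare, several in braces, as in TE source.
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def allow_rules(audit_text):
    """One minimal allow rule per (source, target, class), like audit2allow."""
    return [f"allow {s} {t}:{c} {fmt_perms(p)};"
            for (s, t, c), p in sorted(merge_denials(audit_text).items())]

def local_module_te(audit_text, name="local_exim_sysctl"):
    """Render a .te module suitable for checkmodule/semodule_package."""
    merged = merge_denials(audit_text)
    types = sorted({x for (s, t, _) in merged for x in (s, t)})
    classes = defaultdict(set)
    for (_, _, c), perms in merged.items():
        classes[c] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""] + allow_rules(audit_text)
    return "\n".join(out) + "\n"
```

Before loading such a module, confirm the installed policy does not already grant the access (for example with `sesearch -A -s exim_t -t sysctl_net_t -c dir -p search`); with the fixed selinux-policy build noted above it does, so the local module is only a stopgap on older builds.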
Comment 1 Fedora Update System 2023-06-29 19:59:50 UTC
FEDORA-2023-e74ea79879 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-e74ea79879

Comment 2 Fedora Update System 2023-06-30 02:05:11 UTC
FEDORA-2023-e74ea79879 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-e74ea79879`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-e74ea79879

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 3 Fedora Update System 2023-07-15 01:53:44 UTC
FEDORA-2023-e74ea79879 has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make note of it in this bug report.
