Description of problem:
See run of /CoreOS/fetchmail/Sanity/smoke:
http://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=86909

With "enforcing 1" (Test-pop3-SEON subtest) fetchmail fails with this message:

fetchmail: couldn't time-check the run-control file
fetchmail: lstat: /home/fm2/.fetchmailrc: Permission denied

No AVC logged.

With "enforcing 0" (Test-pop3-SEOFF) fetchmail downloads mail successfully. AVC is logged (Test-pop3-SEOFF/avc), but it is probably another story and will end up as a separate bug.

I'm not sure what exactly happened when in enforcing mode, so I did one more run with dont-audit rules turned off:
http://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=86936&type=single

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-255.el5.noarch

How reproducible:
always

Steps to Reproduce:
1. schedule /CoreOS/fetchmail/Sanity/smoke for RHEL5.3

Actual results:
http://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=86909
http://rhts.redhat.com/cgi-bin/rhts/jobs.cgi?id=86936

Expected results:
PASS of both pop3 and imap parts of the test with selinux in enforcing mode
Please attach the audit log. I do not seem to be allowed to login.
Aw, sorry, I have missed your previous comment, hope you don't mind me reopening this bug. I'll attach the requested file ASAP.
Created attachment 365037: complete audit log from new run
Ales, is this test supposed to be the equivalent of a user running fetchmail? If so, then we need to run each fetchmail command with runcon -t unconfined_t fetchmail ... Fetchmail being run out of an init process will run as fetchmail_t; fetchmail run as a user will stay in the user's domain. So if you run fetchmail as unconfined_t it will stay as unconfined_t. rhts tests run out of init, so by default they run as initrc_t, which will transition to fetchmail_t and not be allowed to write to the user's home dir.
That's it. Thanks for the tip, Daniel!
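
The runcon advice above, sketched as a test-harness helper. This is an added example, not code from the bug report or from the fetchmail test suite; the function names selinux_type and fetchmail_invocation are hypothetical, and the contexts in the comments are constructed samples.

```shell
#!/bin/sh
# Added example: picks the fetchmail invocation for a test harness based on
# the SELinux domain the harness itself runs in. Function names are
# hypothetical; only the domains and the runcon command come from the thread.

# Print the type field of a context such as "system_u:system_r:initrc_t:s0".
# The type is always the third field; the trailing MLS range may itself
# contain colons (e.g. "s0-s0:c0.c1023"), so never take the last field.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# $1 = context of the calling process, as printed by `id -Z`.
# Prints the command prefix the harness should use to start fetchmail.
fetchmail_invocation() {
    case "$(selinux_type "$1")" in
        initrc_t)
            # Started from init: exec of fetchmail would transition to
            # fetchmail_t, which is not allowed into the user's home
            # directory. Pin the domain a real user run would have.
            echo "runcon -t unconfined_t fetchmail"
            ;;
        *)
            # Started from a user domain: per the comment above, fetchmail
            # stays in that domain, so no wrapper is needed.
            echo "fetchmail"
            ;;
    esac
}

# Report for the current process when SELinux is enabled; on hosts where
# `id -Z` is unavailable or fails, this part is skipped.
if ctx=$(id -Z 2>/dev/null); then
    echo "current context: $ctx"
    echo "harness should run: $(fetchmail_invocation "$ctx") ..."
fi
```
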