Bug 564327 - SELinux is preventing fetchmail (fetchmail_t) "read" to sh (bin_t).
Summary: SELinux is preventing fetchmail (fetchmail_t) "read" to sh (bin_t).
Keywords:
Status: CLOSED DUPLICATE of bug 538428
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:29e4889809f...
Depends On:
Blocks:
Reported: 2010-02-12 12:44 UTC by Jochen Brinkmann
Modified: 2010-02-12 14:50 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-02-12 14:50:18 UTC
Type: ---
Embargoed:


Description Jochen Brinkmann 2010-02-12 12:44:36 UTC
Summary:

SELinux is preventing fetchmail (fetchmail_t) "read" to sh (bin_t).

Detailed Description:

SELinux denied access requested by fetchmail. It is not expected that this
access is required by fetchmail and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for sh,

restorecon -v 'sh'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:fetchmail_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                sh [ lnk_file ]
Source                        fetchmail
Source Path                   /usr/bin/fetchmail
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           fetchmail-6.3.8-8.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-55.fc10
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     (removed)
Platform                      Linux idpc07 2.6.27.21-170.2.56.fc10.x86_64 #1 SMP
                              Mon Mar 23 23:08:10 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 17 Apr 2009 16:16:04 CEST
Last Seen                     Fri 17 Apr 2009 16:16:04 CEST
Local ID                      8dc5dedd-a168-4f04-ac98-8867c302d180
Line Numbers                  

Raw Audit Messages            

node=idpc07 type=AVC msg=audit(1239977764.157:31): avc:  denied  { read } for  pid=5840 comm="fetchmail" name="sh" dev=dm-0 ino=3416067 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file

node=idpc07 type=SYSCALL msg=audit(1239977764.157:31): arch=c000003e syscall=59 success=no exit=-13 a0=3e77538b8a a1=7fffe2c6c460 a2=7fffe2c6c6b0 a3=8 items=0 ppid=5839 pid=5840 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fetchmail" exe="/usr/bin/fetchmail" subj=system_u:system_r:fetchmail_t:s0 key=(null)



Hash String generated from  selinux-policy-3.5.13-55.fc10,catchall_file,fetchmail,fetchmail_t,bin_t,lnk_file,read
audit2allow suggests:

#============= fetchmail_t ==============
#!!!! This avc is allowed in the current policy

allow fetchmail_t bin_t:lnk_file read;

Comment 1 Daniel Walsh 2010-02-12 14:50:18 UTC

*** This bug has been marked as a duplicate of bug 538428 ***

