Description of problem:
SELinux is preventing /usr/bin/fetchmail from read access on the file /etc/passwd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that fetchmail should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fetchmail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:fetchmail_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        fetchmail
Source Path                   /usr/bin/fetchmail
Port                          <Unknown>
Host                          srv06.kola.fad.ru
Source RPM Packages           fetchmail-6.3.22-1.fc17.x86_64
Target RPM Packages           setup-2.8.48-1.fc17.noarch
Policy RPM                    selinux-policy-3.10.0-159.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     srv06.kola.fad.ru
Platform                      Linux srv06.kola.fad.ru 3.6.5-1.fc17.x86_64 #1 SMP Wed Oct 31 19:37:18 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-11-20 14:25:19 MSK
Last Seen                     2012-11-20 14:25:19 MSK
Local ID                      02b5c49a-a787-47e2-898e-944916f02ee9

Raw Audit Messages
type=AVC msg=audit(1353407119.962:3771): avc: denied { read } for pid=4604 comm="fetchmail" name="passwd" dev="dm-1" ino=1321893 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file

type=SYSCALL msg=audit(1353407119.962:3771): arch=x86_64 syscall=open success=no exit=EACCES a0=7f500cee46ca a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=4604 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fetchmail exe=/usr/bin/fetchmail subj=system_u:system_r:fetchmail_t:s0 key=(null)

Hash: fetchmail,fetchmail_t,passwd_file_t,file,read

audit2allow

#============= fetchmail_t ==============
allow fetchmail_t passwd_file_t:file read;

audit2allow -R

#============= fetchmail_t ==============
allow fetchmail_t passwd_file_t:file read;

Version-Release number of selected component (if applicable):
fetchmail-6.3.22-1.fc17.x86_64
setup-2.8.48-1.fc17.noarch
selinux-policy-3.10.0-159.fc17.noarch

How reproducible:
Always reproducible.

Steps to Reproduce:
# systemctl start fetchmail.service

Actual results:
Nov 20 14:25:19 srv06 fetchmail[4604]: fetchmail: You don't exist. Go away.
Nov 20 14:25:19 srv06 systemd[1]: fetchmail.service: main process exited, code=exited, status=23
Nov 20 14:25:19 srv06 systemd[1]: Unit fetchmail.service entered failed state.

Additional info:
# cat /usr/lib/systemd/system/fetchmail.service
[Unit]
Description=A remote-mail retrieval utility
After=network.target postfix.service

[Service]
PIDFile=/run/fetchmail.pid
User=root
ExecStart=/usr/bin/fetchmail --fetchmailrc /etc/fetchmail.conf
RestartSec=1

[Install]
WantedBy=multi-user.target

# cat /etc/fetchmail.conf
set daemon 60
set logfile /var/log/fetchmail.log
set pidfile /run/fetchmail.pid
poll "mail.inet-provider.com" with proto POP3
    user "user" there with password "qwerty" is "user" here
Added.

commit 4a59fefc3ffbc56ce1451a75e901696d8c3c7684
Author: Miroslav Grepl <mgrepl>
Date:   Tue Nov 20 15:36:21 2012 +0100

    fetchmail reads /etc/passwd
selinux-policy-3.10.0-161.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-161.fc17
Package selinux-policy-3.10.0-161.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-161.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-18787/selinux-policy-3.10.0-161.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-161.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.