Bug 989704 - SELinux is preventing /usr/bin/fetchmail from 'read' accesses on the file /etc/hosts.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: x86_64
OS: Unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:fea0c53fdf286e9cb13d93b1862...
Keywords: Reopened
Reported: 2013-07-29 14:24 EDT by W Agtail
Modified: 2013-09-09 08:05 EDT
Fixed In Version: selinux-policy-3.12.1-74.1.fc19
Doc Type: Bug Fix
Last Closed: 2013-09-09 08:05:16 EDT
Attachments: None
Description W Agtail 2013-07-29 14:24:18 EDT
Description of problem:
By starting fetchmail via NetworkManager Dispatcher

SELinux is preventing /usr/bin/fetchmail from read access on the file /etc/hosts. For complete SELinux messages. run sealert -l 1588f1d8-b387-486e-9efe-2895a1be9364

SELinux is preventing /usr/bin/fetchmail from read access on the file /etc/resolv.conf. For complete SELinux messages. run sealert -l 1588f1d8-b387-486e-9efe-2895a1be9364

SELinux is preventing /usr/bin/fetchmail from create access on the netlink_route_socket . For complete SELinux messages. run sealert -l 078b160c-532e-4ec6-a836-f1ed15673709


SELinux is preventing /usr/bin/fetchmail from read access on the file /etc/hosts.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that fetchmail should be allowed read access on the hosts file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fetchmail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                unconfined_u:system_r:fetchmail_t:s0
Target Context                system_u:object_r:net_conf_t:s0
Target Objects                /etc/hosts [ file ]
Source                        fetchmail
Source Path                   /usr/bin/fetchmail
Port                          <Unknown>
Host                          removed
Source RPM Packages           fetchmail-6.3.24-3.fc19.x86_64
Target RPM Packages           setup-2.8.71-1.fc19.noarch
Policy RPM                    selinux-policy-3.12.1-66.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     removed
Platform                      Linux removed 3.10.3-300.fc19.x86_64 #1 SMP
                              Fri Jul 26 00:00:58 UTC 2013 x86_64 x86_64
Alert Count                   14
First Seen                    2013-07-29 18:40:44 BST
Last Seen                     2013-07-29 19:05:15 BST
Local ID                      1588f1d8-b387-486e-9efe-2895a1be9364

Raw Audit Messages
type=AVC msg=audit(1375121115.573:977): avc:  denied  { read } for  pid=3460 comm="fetchmail" name="hosts" dev="md3" ino=2408 scontext=unconfined_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file


type=SYSCALL msg=audit(1375121115.573:977): arch=x86_64 syscall=open success=no exit=EACCES a0=7f3a7c9813f6 a1=80000 a2=1b6 a3=2 items=0 ppid=1 pid=3460 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=(none) comm=fetchmail exe=/usr/bin/fetchmail subj=unconfined_u:system_r:fetchmail_t:s0 key=(null)

Hash: fetchmail,fetchmail_t,net_conf_t,file,read


SELinux is preventing /usr/bin/fetchmail from create access on the netlink_route_socket .

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that fetchmail should be allowed create access on the  netlink_route_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fetchmail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                unconfined_u:system_r:fetchmail_t:s0
Target Context                unconfined_u:system_r:fetchmail_t:s0
Target Objects                 [ netlink_route_socket ]
Source                        fetchmail
Source Path                   /usr/bin/fetchmail
Port                          <Unknown>
Host                          removed
Source RPM Packages           fetchmail-6.3.24-3.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-66.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     removed
Platform                      Linux removed 3.10.3-300.fc19.x86_64 #1 SMP
                              Fri Jul 26 00:00:58 UTC 2013 x86_64 x86_64
Alert Count                   12
First Seen                    2013-07-29 18:40:44 BST
Last Seen                     2013-07-29 19:05:15 BST
Local ID                      078b160c-532e-4ec6-a836-f1ed15673709

Raw Audit Messages
type=AVC msg=audit(1375121115.573:976): avc:  denied  { create } for  pid=3460 comm="fetchmail" scontext=unconfined_u:system_r:fetchmail_t:s0 tcontext=unconfined_u:system_r:fetchmail_t:s0 tclass=netlink_route_socket


type=SYSCALL msg=audit(1375121115.573:976): arch=x86_64 syscall=socket success=no exit=EACCES a0=10 a1=3 a2=0 a3=3867b39730 items=0 ppid=1 pid=3460 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=(none) comm=fetchmail exe=/usr/bin/fetchmail subj=unconfined_u:system_r:fetchmail_t:s0 key=(null)

Hash: fetchmail,fetchmail_t,fetchmail_t,netlink_route_socket,create

Additional info:
reporter:       libreport-2.1.5
hashmarkername: setroubleshoot
kernel:         3.10.3-300.fc19.x86_64
type:           libreport
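As an added example (not code from this bug, from setroubleshoot or from audit2allow), the Python below parses the AVC records quoted above: it extracts the fields setroubleshoot's "Hash:" line is built from, merges the denials into allow rules in the form audit2allow prints for them, and flags the one kind of rule a policy reviewer should not wave through as a blanket allow. The embedded sample log is constructed from this report's records, the rule format is an approximation of audit2allow's output, and the needs_review heuristic is my own.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in this bug, plus one SYSCALL
# record, which the parser must skip, as they appear in /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1375121115.573:977): avc:  denied  { read } for  pid=3460 comm="fetchmail" name="hosts" dev="md3" ino=2408 scontext=unconfined_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1375121115.573:977): arch=x86_64 syscall=open success=no exit=EACCES a0=7f3a7c9813f6 a1=80000 a2=1b6 a3=2 items=0 ppid=1 pid=3460 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=(none) comm=fetchmail exe=/usr/bin/fetchmail subj=unconfined_u:system_r:fetchmail_t:s0 key=(null)
type=AVC msg=audit(1375121115.573:976): avc:  denied  { create } for  pid=3460 comm="fetchmail" scontext=unconfined_u:system_r:fetchmail_t:s0 tcontext=unconfined_u:system_r:fetchmail_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1375554350.975:335): avc:  denied  { setuid } for  pid=4576 comm="fetchmail" capability=7  scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=capability
type=AVC msg=audit(1377094429.833:202): avc:  denied  { create } for  pid=3380 comm="fetchmail" name="fetchmail.pid" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1378567163.872:943): avc:  denied  { execute } for  pid=16728 comm="sh" name="sendmail.postfix" dev="dm-0" ino=409598 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1378567163.872:945): avc:  denied  { getattr } for  pid=16728 comm="sh" path="/usr/sbin/sendmail.postfix" dev="dm-0" ino=409598 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
                    r"\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # Policy rules are written against the type, the third field of a
    # user:role:type[:level] context; the object is a name/path or a capability number.
    return {"serial": int(m.group("serial")), "perms": m.group("perms").split(),
            "comm": kv.get("comm", "?"), "tclass": kv["tclass"],
            "stype": kv["scontext"].split(":")[2], "ttype": kv["tcontext"].split(":")[2],
            "target": kv.get("name") or kv.get("path") or kv.get("capability", "")}

def setroubleshoot_hash(d):
    """The 'Hash:' tuple setroubleshoot prints, e.g. fetchmail,fetchmail_t,net_conf_t,file,read."""
    return ",".join([d["comm"], d["stype"], d["ttype"], d["tclass"], d["perms"][0]])

def summarize(log_text):
    """Merge denials into allow rules in the form audit2allow prints (approximation:
    audit2allow also emits the require block and may suggest booleans or interfaces)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            grouped[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        target = "self" if stype == ttype else ttype  # audit2allow writes self for same-type
        p = " ".join(sorted(perms))
        perm_str = p if len(perms) == 1 else "{ " + p + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules

def needs_review(rule):
    """Reviewer heuristic (mine, not audit2allow's): a raw 'execute' on an *_exec_t type
    keeps the helper running in the caller's domain, so a domain-transition interface (in
    the reference policy, mta_send_mail() for sending mail) is the usual fix, not a blanket allow."""
    return "_exec_t:file" in rule and "execute" in rule

if __name__ == "__main__":
    for rule in summarize(SAMPLE_AUDIT_LOG):
        print(rule, "# review: prefer a domain transition" if needs_review(rule) else "")
```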
Comment 1 Daniel Walsh 2013-07-29 15:06:43 EDT
fac1c9a99eb29ccb366332105082471b6de83065 fixes this in git.
Comment 2 Fedora Update System 2013-08-02 09:29:33 EDT
selinux-policy-3.12.1-69.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-69.fc19
Comment 3 Fedora Update System 2013-08-02 17:55:03 EDT
Package selinux-policy-3.12.1-69.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-69.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-14089/selinux-policy-3.12.1-69.fc19
then log in and leave karma (feedback).
Comment 4 W Agtail 2013-08-03 14:01:33 EDT
Many thanks, the issue has now been resolved with selinux-policy-3.12.1-69.fc19.
Comment 5 W Agtail 2013-08-03 14:41:41 EDT
fetchmail now has the following SELinux issue:
19:25:51 owl setroubleshoot: SELinux is preventing /usr/bin/fetchmail from using the setuid capability. For complete SELinux messages. run sealert -l e8129629-0177-4690-8cee-bfd7e4764603


SELinux is preventing /usr/bin/fetchmail from using the setuid capability.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that fetchmail should have the setuid capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fetchmail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:fetchmail_t:s0
Target Context                system_u:system_r:fetchmail_t:s0
Target Objects                 [ capability ]
Source                        fetchmail
Source Path                   /usr/bin/fetchmail
Port                          <Unknown>
Host                          tux19
Source RPM Packages           fetchmail-6.3.24-3.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-69.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tux19
Platform                      Linux tux19 3.10.4-300.fc19.x86_64 #1 SMP
                              Tue Jul 30 11:29:05 UTC 2013 x86_64 x86_64
Alert Count                   9
First Seen                    2013-08-03 18:37:13 BST
Last Seen                     2013-08-03 19:25:50 BST
Local ID                      e8129629-0177-4690-8cee-bfd7e4764603

Raw Audit Messages
type=AVC msg=audit(1375554350.975:335): avc:  denied  { setuid } for  pid=4576 comm="fetchmail" capability=7  scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=capability


type=SYSCALL msg=audit(1375554350.975:335): arch=x86_64 syscall=setresuid success=yes exit=0 a0=ffffffffffffffff a1=0 a2=ffffffffffffffff a3=386801b2e0 items=0 ppid=1 pid=4576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=fetchmail exe=/usr/bin/fetchmail subj=system_u:system_r:fetchmail_t:s0 key=(null)

Hash: fetchmail,fetchmail_t,fetchmail_t,capability,setuid
Comment 6 Fedora Update System 2013-08-04 19:00:01 EDT
selinux-policy-3.12.1-69.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 W Agtail 2013-08-06 08:54:13 EDT
Re: comment 5, SELinux is still preventing fetchmail from running.
Comment 8 Daniel Walsh 2013-08-07 13:36:22 EDT
After investigating, fetchmail actually needs setuid.

e1d55075a9ca6be7577125648d41dd198070ad0a fixes this in git.
Comment 9 Miroslav Grepl 2013-08-08 08:14:11 EDT
Backported.
Comment 10 Fedora Update System 2013-08-20 04:25:26 EDT
selinux-policy-3.12.1-71.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-71.fc19
Comment 11 Fedora Update System 2013-08-20 20:14:36 EDT
Package selinux-policy-3.12.1-71.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-71.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15088/selinux-policy-3.12.1-71.fc19
then log in and leave karma (feedback).
Comment 12 W Agtail 2013-08-21 10:19:30 EDT
fetchmail is now unable to create: /var/run/fetchmail.pid


SELinux is preventing /usr/bin/fetchmail from create access on the file fetchmail.pid.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that fetchmail should be allowed create access on the fetchmail.pid file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fetchmail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:fetchmail_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                fetchmail.pid [ file ]
Source                        fetchmail
Source Path                   /usr/bin/fetchmail
Port                          <Unknown>
Host                          tux19
Source RPM Packages           fetchmail-6.3.24-3.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-71.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tux19
Platform                      Linux tux19 3.10.7-200.fc19.x86_64 #1 SMP
                              Thu Aug 15 23:19:45 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-08-21 15:13:49 BST
Last Seen                     2013-08-21 15:13:49 BST
Local ID                      9ff5cd5e-2384-4d47-97bf-caa40db5dd5d

Raw Audit Messages
type=AVC msg=audit(1377094429.833:202): avc:  denied  { create } for  pid=3380 comm="fetchmail" name="fetchmail.pid" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file


type=SYSCALL msg=audit(1377094429.833:202): arch=x86_64 syscall=open success=no exit=EACCES a0=1101cb0 a1=c1 a2=1b6 a3=8 items=0 ppid=1 pid=3380 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=fetchmail exe=/usr/bin/fetchmail subj=system_u:system_r:fetchmail_t:s0 key=(null)

Hash: fetchmail,fetchmail_t,var_run_t,file,create
Comment 13 Fedora Update System 2013-08-21 20:52:10 EDT
selinux-policy-3.12.1-71.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 W Agtail 2013-08-22 10:23:51 EDT
Re: comment 12, SELinux still prevents fetchmail from starting.
Comment 15 Miroslav Grepl 2013-08-27 09:38:44 EDT
commit 381e3b4cf7083cdd3f7f8197672e9ff2890f06ff
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Aug 27 15:38:23 2013 +0200

    Allow fetchmail to create own pid with correct labeling
Comment 16 Fedora Update System 2013-09-03 15:56:31 EDT
selinux-policy-3.12.1-74.1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.1.fc19
Comment 17 Fedora Update System 2013-09-04 21:37:53 EDT
Package selinux-policy-3.12.1-74.1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15819/selinux-policy-3.12.1-74.1.fc19
then log in and leave karma (feedback).
Comment 18 W Agtail 2013-09-07 11:25:32 EDT
Thank you for the update.
SELinux is now preventing fetchmail/postfix from running with:

SELinux is preventing /usr/bin/bash from execute access on the file /usr/sbin/sendmail.postfix.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed execute access on the sendmail.postfix file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:fetchmail_t:s0
Target Context                system_u:object_r:sendmail_exec_t:s0
Target Objects                /usr/sbin/sendmail.postfix [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          tux19
Source RPM Packages           bash-4.2.45-1.fc19.x86_64
Target RPM Packages           postfix-2.10.1-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-74.1.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tux19
Platform                      Linux tux19 3.10.7-200.fc19.x86_64 #1 SMP
                              Thu Aug 15 23:19:45 UTC 2013 x86_64 x86_64
Alert Count                   100
First Seen                    2013-09-07 14:21:43 BST
Last Seen                     2013-09-07 16:19:23 BST
Local ID                      2bc4e48f-925f-4258-a950-10db5f62222f

Raw Audit Messages
type=AVC msg=audit(1378567163.872:943): avc:  denied  { execute } for  pid=16728 comm="sh" name="sendmail.postfix" dev="dm-0" ino=409598 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1378567163.872:943): arch=x86_64 syscall=execve success=no exit=EACCES a0=129b260 a1=129ae80 a2=1299c50 a3=8 items=0 ppid=16676 pid=16728 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=sh exe=/usr/bin/bash subj=system_u:system_r:fetchmail_t:s0 key=(null)

Hash: sh,fetchmail_t,sendmail_exec_t,file,execute

############################################################################

SELinux is preventing /usr/bin/bash from getattr access on the file /usr/sbin/sendmail.postfix.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed getattr access on the sendmail.postfix file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:fetchmail_t:s0
Target Context                system_u:object_r:sendmail_exec_t:s0
Target Objects                /usr/sbin/sendmail.postfix [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          tux19
Source RPM Packages           bash-4.2.45-1.fc19.x86_64
Target RPM Packages           postfix-2.10.1-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-74.1.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     tux19
Platform                      Linux tux19 3.10.7-200.fc19.x86_64 #1 SMP
                              Thu Aug 15 23:19:45 UTC 2013 x86_64 x86_64
Alert Count                   106
First Seen                    2013-09-07 14:21:43 BST
Last Seen                     2013-09-07 16:19:23 BST
Local ID                      3f9e9fd2-cc0f-4b50-84aa-5c98e0ea09de

Raw Audit Messages
type=AVC msg=audit(1378567163.872:945): avc:  denied  { getattr } for  pid=16728 comm="sh" path="/usr/sbin/sendmail.postfix" dev="dm-0" ino=409598 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1378567163.872:945): arch=x86_64 syscall=stat success=no exit=EACCES a0=129b260 a1=7fff16075360 a2=7fff16075360 a3=8 items=0 ppid=16676 pid=16728 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=sh exe=/usr/bin/bash subj=system_u:system_r:fetchmail_t:s0 key=(null)

Hash: sh,fetchmail_t,sendmail_exec_t,file,getattr
Comment 19 Fedora Update System 2013-09-07 20:35:54 EDT
selinux-policy-3.12.1-74.1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 W Agtail 2013-09-07 21:58:37 EDT
Hi, please refer to comment 18, thanks.
Comment 21 Daniel Walsh 2013-09-09 07:54:04 EDT
W Agtail, please open a separate bug.
Comment 22 Daniel Walsh 2013-09-09 07:56:59 EDT
Why does fetchmail send email? Is this a common setup? Should we add a boolean for this?