Re: Fetchmail as root

I just added allow fetchmail_t self:key manage_key_perms; to git in Rawhide. This should fix the problem. It is always good to open a bugzilla on issues like this. On 01/11/2015 08:00 AM, Gland Vador wrote: > Hi, > > I am using fetchmail as root to collect emails. > > fetchmail is launched by systemd through a fetchmail.service (see below) > > The /etc/fetchmail.conf file contains a list as > poll mail.server.com with > interval 1 > protocol imap port 993 > username "user" password "pass" is name(a)domain.com > ssl > keep > ; > > As a result I have the following selinux messages (sealert below): > > time->Sun Jan 11 13:07:33 2015 > type=AVC msg=audit(1420978053.531:434): avc: denied { write } for pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1 > ---- > time->Sun Jan 11 13:07:33 2015 > type=AVC msg=audit(1420978053.531:435): avc: denied { read } for pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1 > ---- > time->Sun Jan 11 13:07:33 2015 > type=AVC msg=audit(1420978053.531:436): avc: denied { view } for pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1 > > What can I do to have a more useful information to solve this problem? Actually this is the last AVC appearing in my logs and I want to solve it before changing the permissive mode to enforcing. > > -------------------------------------------------------------------------------- > [Unit] > Description=Mail Retrieval Agent > After=network.target > > [Service] > PermissionsStartOnly=true > ExecStart=/usr/bin/fetchmail --daemon 600 -f /etc/fetchmail.conf --syslog --nobounce > ExecStop=/usr/bin/fetchmail --quit > Restart=always > Type=simple > > [Install] > WantedBy=multi-user.target > > -------------------------------------------------------------------------------- > > SELinux is preventing fetchmail from read access on the key Unknown. > > ***** Plugin catchall (100. confidence) suggests ************************** > > If you believe that fetchmail should be allowed read access on the Unknown key by default. > Then you should report this as a bug. > You can generate a local policy module to allow this access. > Do > allow this access for now by executing: > # grep fetchmail /var/log/audit/audit.log | audit2allow -M mypol > # semodule -i mypol.pp > > > Additional Information: > Source Context system_u:system_r:fetchmail_t:s0 > Target Context system_u:system_r:fetchmail_t:s0 > Target Objects Unknown [ key ] > Source fetchmail > Source Path fetchmail > Port <Unknown> > Host <Unknown> > Source RPM Packages > Target RPM Packages > Policy RPM selinux-policy-3.13.1-103.fc21.noarch > Selinux Enabled True > Policy Type targeted > Enforcing Mode Permissive > Host Name hostname.domain.com > Platform Linux hostname.domain.com 3.17.8-300.fc21.x86_64 #1 > SMP Thu Jan 8 23:32:49 UTC 2015 x86_64 x86_64 > Alert Count 238 > First Seen 2015-01-06 09:08:52 CET > Last Seen 2015-01-11 13:07:33 CET > Local ID 158da9a2-8097-4c28-a055-98bee6b61498 > > Raw Audit Messages > type=AVC msg=audit(1420978053.531:435): avc: denied { read } for pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1 > > > Hash: fetchmail,fetchmail_t,fetchmail_t,key,read > > > > > > > -- > selinux mailing list > selinux(a)lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/selinux > >