Thanks.
Should I still open a bugzilla entry or not? After all, I am not using
rawhide, but f21 :)
On 12.01.2015 14:22, Daniel J Walsh wrote:
> I just added
>
> allow fetchmail_t self:key manage_key_perms;
>
> to git in Rawhide. This should fix the problem.
>
> It is always good to open a bugzilla on issues like this.
>
> On 01/11/2015 08:00 AM, Gland Vador wrote:
>> Hi,
>>
>> I am using fetchmail as root to collect emails.
>>
>> fetchmail is launched by systemd through a fetchmail.service (see
>> below)
>>
>> The /etc/fetchmail.conf file contains a list as
>> poll mail.server.com with
>> interval 1
>> protocol imap port 993
>> username "user" password "pass" is name(a)domain.com
>> ssl
>> keep
>> ;
>>
>> As a result I have the following selinux messages (sealert below):
>>
>> time->Sun Jan 11 13:07:33 2015
>> type=AVC msg=audit(1420978053.531:434): avc: denied { write } for
>> pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0
>> tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1
>> ----
>> time->Sun Jan 11 13:07:33 2015
>> type=AVC msg=audit(1420978053.531:435): avc: denied { read } for
>> pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0
>> tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1
>> ----
>> time->Sun Jan 11 13:07:33 2015
>> type=AVC msg=audit(1420978053.531:436): avc: denied { view } for
>> pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0
>> tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1
>>
>> What can I do to get more useful information to solve this
>> problem? Actually this is the last AVC appearing in my logs and I
>> want to solve it before changing the permissive mode to enforcing.
>>
>> --------------------------------------------------------------------------------
>>
>> [Unit]
>> Description=Mail Retrieval Agent
>> After=network.target
>>
>> [Service]
>> PermissionsStartOnly=true
>> ExecStart=/usr/bin/fetchmail --daemon 600 -f /etc/fetchmail.conf --syslog --nobounce
>> ExecStop=/usr/bin/fetchmail --quit
>> Restart=always
>> Type=simple
>>
>> [Install]
>> WantedBy=multi-user.target
>>
>> --------------------------------------------------------------------------------
>>
>>
>> SELinux is preventing fetchmail from read access on the key Unknown.
>>
>> ***** Plugin catchall (100. confidence) suggests
>> **************************
>>
>> If you believe that fetchmail should be allowed read access on the
>> Unknown key by default.
>> Then you should report this as a bug.
>> You can generate a local policy module to allow this access.
>> Do
>> allow this access for now by executing:
>> # grep fetchmail /var/log/audit/audit.log | audit2allow -M mypol
>> # semodule -i mypol.pp
>>
>>
>> Additional Information:
>> Source Context system_u:system_r:fetchmail_t:s0
>> Target Context system_u:system_r:fetchmail_t:s0
>> Target Objects Unknown [ key ]
>> Source fetchmail
>> Source Path fetchmail
>> Port <Unknown>
>> Host <Unknown>
>> Source RPM Packages
>> Target RPM Packages
>> Policy RPM selinux-policy-3.13.1-103.fc21.noarch
>> Selinux Enabled True
>> Policy Type targeted
>> Enforcing Mode Permissive
>> Host Name hostname.domain.com
>> Platform Linux hostname.domain.com 3.17.8-300.fc21.x86_64 #1
>> SMP Thu Jan 8 23:32:49 UTC 2015 x86_64 x86_64
>> Alert Count 238
>> First Seen 2015-01-06 09:08:52 CET
>> Last Seen 2015-01-11 13:07:33 CET
>> Local ID 158da9a2-8097-4c28-a055-98bee6b61498
>>
>> Raw Audit Messages
>> type=AVC msg=audit(1420978053.531:435): avc: denied { read } for
>> pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0
>> tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1
>>
>>
>> Hash: fetchmail,fetchmail_t,fetchmail_t,key,read
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
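As an added example (not code from the thread or from the Fedora policy project), the following Python script does by hand what the `audit2allow -M mypol` step suggested by sealert does: it parses the three AVC records quoted above, merges the denied permissions per (source type, target type, class), and renders the resulting allow rule and a minimal `.te` module. Because source and target context are both `fetchmail_t`, the rule collapses to `self:key`, matching the shape of the Rawhide fix (which uses the `manage_key_perms` macro rather than the literal `{ read view write }` list). The function names and the exact `.te` layout are this example's own choices, modeled on audit2allow's output.

```python
import re
from collections import defaultdict
# AVC records from the thread, re-joined onto one line each as in /var/log/audit/audit.log.
AVC_LINES = [
    'type=AVC msg=audit(1420978053.531:434): avc: denied { write } for pid=820 comm="fetchmail" '
    'scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1',
    'type=AVC msg=audit(1420978053.531:435): avc: denied { read } for pid=820 comm="fetchmail" '
    'scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1',
    'type=AVC msg=audit(1420978053.531:436): avc: denied { view } for pid=820 comm="fetchmail" '
    'scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1',
]
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scon>\S+)'
                    r'\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<perm>[01]))?')

def context_type(ctx):
    return ctx.split(':')[2]  # user:role:type:level -> the type that allow rules name

def parse_avc(line):
    # Returns None for non-AVC records (SYSCALL, PATH, ...).
    m = AVC_RE.search(line)
    if not m:
        return None
    return {'perms': set(m['perms'].split()), 'tclass': m['tclass'],
            'stype': context_type(m['scon']), 'ttype': context_type(m['tcon']),
            'permissive': m['perm'] == '1'}  # 1: the access was logged but not blocked

def collect_rules(lines):
    # Merge every denied permission into one (source, target, class) bucket,
    # so the three write/read/view AVCs become a single rule, as audit2allow does.
    rules = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        rules[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(rules)

def format_allow(stype, ttype, tclass, perms):
    target = 'self' if stype == ttype else ttype  # a domain acting on its own objects
    return 'allow %s %s:%s { %s };' % (stype, target, tclass, ' '.join(sorted(perms)))

def build_te_module(name, rules):
    # Minimal .te source in the shape `audit2allow -M name` writes out (hypothetical layout).
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass] |= perms
    out = ['module %s 1.0;' % name, '', 'require {']
    out += ['\ttype %s;' % t for t in sorted(types)]
    out += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    out += ['}', ''] + [format_allow(s, t, c, p) for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(out)
```

Running `build_te_module('mypol', collect_rules(AVC_LINES))` yields a module whose only rule is `allow fetchmail_t self:key { read view write };`; the `permissive` flag in each parsed record confirms the accesses were only logged, which is why fetchmail kept working while the AVCs accumulated.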