Fetchmail as root

Daniel J Walsh dwalsh at redhat.com
Mon Jan 12 16:40:32 UTC 2015


On 01/12/2015 11:25 AM, Glandvador wrote:
> Thanks.
>
> Should I still open a bugzilla entry or not? After all I am not using
> rawhide, but f21 :)
>
Yes, that way you can get it backported.

> On 12.01.2015 14:22, Daniel J Walsh wrote:
>> I just added
>>
>> allow fetchmail_t self:key manage_key_perms;
>>
>> to git in Rawhide.  This should fix the problem.
>>
>> It is always good to open a bugzilla on issues like this.
>>
>> On 01/11/2015 08:00 AM, Gland Vador wrote:
>>> Hi,
>>>
>>> I am using fetchmail as root to collect emails.
>>>
>>> fetchmail is launched by systemd through a fetchmail.service (see
>>> below)
>>>
>>> The /etc/fetchmail.conf file contains a list as
>>> poll mail.server.com with
>>>     interval 1
>>>     protocol imap port 993
>>>     username "user" password "pass" is name at domain.com
>>>     ssl
>>>     keep
>>> ;
>>>
>>> As a result I have the following selinux messages (sealert below):
>>>
>>> time->Sun Jan 11 13:07:33 2015
>>> type=AVC msg=audit(1420978053.531:434): avc:  denied  { write } for 
>>> pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0
>>> tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1
>>> ----
>>> time->Sun Jan 11 13:07:33 2015
>>> type=AVC msg=audit(1420978053.531:435): avc:  denied  { read } for 
>>> pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0
>>> tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1
>>> ----
>>> time->Sun Jan 11 13:07:33 2015
>>> type=AVC msg=audit(1420978053.531:436): avc:  denied  { view } for 
>>> pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0
>>> tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1
>>>
>>> What can I do to have a more useful information to solve this
>>> problem? Actually this is the last AVC appearing in my logs and I
>>> want to solve it before changing the permissive mode to enforcing.
>>>
>>> --------------------------------------------------------------------------------
>>>
>>> [Unit]
>>> Description=Mail Retrieval Agent
>>> After=network.target
>>>
>>> [Service]
>>> PermissionsStartOnly=true
>>> ExecStart=/usr/bin/fetchmail --daemon 600 -f /etc/fetchmail.conf --syslog --nobounce
>>> ExecStop=/usr/bin/fetchmail --quit
>>> Restart=always
>>> Type=simple
>>>
>>> [Install]
>>> WantedBy=multi-user.target
>>>
>>> --------------------------------------------------------------------------------
>>>
>>>
>>> SELinux is preventing fetchmail from read access on the key Unknown.
>>>
>>> *****  Plugin catchall (100. confidence) suggests  
>>> **************************
>>>
>>> If you believe that fetchmail should be allowed read access on the
>>> Unknown key by default.
>>> Then you should report this as a bug.
>>> You can generate a local policy module to allow this access.
>>> Do
>>> allow this access for now by executing:
>>> # grep fetchmail /var/log/audit/audit.log | audit2allow -M mypol
>>> # semodule -i mypol.pp
>>>
>>>
>>> Additional Information:
>>> Source Context                system_u:system_r:fetchmail_t:s0
>>> Target Context                system_u:system_r:fetchmail_t:s0
>>> Target Objects                Unknown [ key ]
>>> Source                        fetchmail
>>> Source Path                   fetchmail
>>> Port                          <Unknown>
>>> Host                          <Unknown>
>>> Source RPM Packages
>>> Target RPM Packages
>>> Policy RPM                    selinux-policy-3.13.1-103.fc21.noarch
>>> Selinux Enabled               True
>>> Policy Type                   targeted
>>> Enforcing Mode                Permissive
>>> Host Name                     hostname.domain.com
>>> Platform                      Linux hostname.domain.com
>>> 3.17.8-300.fc21.x86_64 #1
>>>                                SMP Thu Jan 8 23:32:49 UTC 2015
>>> x86_64 x86_64
>>> Alert Count                   238
>>> First Seen                    2015-01-06 09:08:52 CET
>>> Last Seen                     2015-01-11 13:07:33 CET
>>> Local ID                      158da9a2-8097-4c28-a055-98bee6b61498
>>>
>>> Raw Audit Messages
>>> type=AVC msg=audit(1420978053.531:435): avc:  denied  { read } for 
>>> pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0
>>> tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1
>>>
>>>
>>> Hash: fetchmail,fetchmail_t,fetchmail_t,key,read
>>>
>>> -- 
>>> selinux mailing list
>>> selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
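The three AVC records in the original report are exactly what audit2allow turns into an `allow` rule, and seeing that mapping done by hand makes it clear why the Rawhide fix reads `allow fetchmail_t self:key ...`. The Python below is an added illustration, not code from the thread or from the selinux-policy project: it parses the three denials (rejoined onto single lines from the wrapped copies above), groups the permissions by (source type, target type, object class), emits the minimal rule, and checks which denied permissions a candidate permission set would leave uncovered. `MANAGE_KEY_PERMS` is refpolicy's `manage_key_perms` as I recall it from obj_perm_sets.spt, so treat that set as an assumption and verify it against the policy sources on your system.

```python
import re
from collections import defaultdict

# The three AVC records from the report above, each rejoined onto one line.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1420978053.531:434): avc:  denied  { write } for  pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1
type=AVC msg=audit(1420978053.531:435): avc:  denied  { read } for  pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1
type=AVC msg=audit(1420978053.531:436): avc:  denied  { view } for  pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1
"""

# refpolicy's manage_key_perms as I recall it (assumption: verify in obj_perm_sets.spt).
MANAGE_KEY_PERMS = frozenset({'create', 'link', 'read', 'search', 'setattr', 'view', 'write'})

# Fields of an AVC record in the order the kernel prints them.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
    r'(?:.*?permissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['perms'] = set(rec['perms'].split())
    # permissive=1 means the access was logged but not blocked.
    rec['permissive'] = rec['permissive'] == '1'
    return rec


def context_type(ctx):
    """Extract the type field from user:role:type[:level]."""
    return ctx.split(':')[2]


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        groups[key] |= rec['perms']
    return dict(groups)


def to_allow_rules(groups):
    """Render each group as a minimal allow rule; same-type targets become 'self'."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        target = 'self' if stype == ttype else ttype
        perm_list = ' '.join(sorted(perms))
        perm_str = perm_list if len(perms) == 1 else '{ ' + perm_list + ' }'
        rules.append(f'allow {stype} {target}:{tclass} {perm_str};')
    return rules


def denied_not_in(groups, perm_set):
    """Denied permissions that a candidate permission set would still not grant."""
    return {k: v - perm_set for k, v in groups.items() if v - perm_set}


if __name__ == '__main__':
    groups = summarize_denials(SAMPLE_AVC_LOG)
    for rule in to_allow_rules(groups):
        print(rule)  # allow fetchmail_t self:key { read view write };
    print('not covered by manage_key_perms:', denied_not_in(groups, MANAGE_KEY_PERMS))
```

The minimal rule only lists the three permissions that actually showed up in the log; the upstream fix uses the `manage_key_perms` macro, which is broader. Comparing the two with `denied_not_in` is a quick sanity check before switching from permissive to enforcing: if it returns an empty dict, a local module carrying the upstream rule will stop these denials, and the bugzilla report Dan asks for is what gets the same rule into the distribution policy.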