SELinux Exim Problem

Daniel J Walsh dwalsh at redhat.com
Mon Sep 7 10:38:42 UTC 2009


On 09/07/2009 04:34 AM, Didar Hossain wrote:
> On Sat, Sep 5, 2009 at 9:45 PM, Frank Chiulli<frankc.fedora at gmail.com> wrote:
>> On F11 when exim attempts to retrieve mail from my ISP, I get the following:
> 
> How are you pulling the mail from your ISP?
> 
> 
>> Summary:
>> SELinux is preventing exim (exim_t) "getattr" boot_t.
>>
>> Detailed Description:
>> SELinux denied access requested by exim. It is not expected that this
>> access is required by exim and this access may signal an intrusion
>> attempt. It is also possible that the specific version or
>> configuration of the application is causing it to require additional
>> access.
>>
>> Allowing Access:
>> You can generate a local policy module to allow this access - see FAQ
>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
>> disable SELinux protection altogether. Disabling SELinux protection is
>> not recommended.  Please file a bug report
>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
>> package.
>>
>> Additional Information:
>> Source Context                system_u:system_r:exim_t:s0
>> Target Context                system_u:object_r:boot_t:s0
>> Target Objects                /boot [ dir ]
>> Source                        exim
>> Source Path                   /usr/sbin/exim
>> Port                          <Unknown>
>> Host                          flinux
>> Source RPM Packages           exim-4.69-10.fc11
>> Target RPM Packages           filesystem-2.4.21-1.fc11
>> Policy RPM                    selinux-policy-3.6.12-80.fc11
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Enforcing
>> Plugin Name                   catchall
>> Host Name                     flinux
>> Platform                      Linux flinux 2.6.29.6-217.2.16.fc11.i686.PAE #1
>>                              SMP Mon Aug 24 17:16:21 EDT 2009 i686 athlon
>> Alert Count                   327
>> First Seen                    Sun 12 Jul 2009 05:09:10 PM PDT
>> Last Seen                     Sat 05 Sep 2009 09:05:41 AM PDT
>> Local ID                      c330c7e2-7fd7-45ae-8ebb-8de1def6e145
>> Line Numbers
>>
>> Raw Audit Messages
>> node=flinux type=AVC msg=audit(1252166741.77:28): avc:  denied  {
>> getattr } for  pid=2279 comm="exim" path="/boot" dev=sda1 ino=2
>> scontext=system_u:system_r:exim_t:s0
>> tcontext=system_u:object_r:boot_t:s0 tclass=dir
>>
>> node=flinux type=SYSCALL msg=audit(1252166741.77:28): arch=40000003
>> syscall=195 success=no exit=-13 a0=bfbe1292 a1=bfbe1688 a2=756ff4 a3=0
>> items=0 ppid=1489 pid=2279 auid=4294967295 uid=93 gid=93 euid=93
>> suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295
>> comm="exim" exe="/usr/sbin/exim" subj=system_u:system_r:exim_t:s0
>> key=(null)
>>
>> =====
>>
>> Other information:
>> RPMs:
>> exim-4.69-10.fc11.i586
>> selinux-policy-3.6.12-80.fc11.noarch
>> selinux-policy-targeted-3.6.12-80.fc11.noarch
>>
>> The mail does get through but I get an SELinux error for each message.
>>
>> I've looked for '/boot' in exim config files but came up empty.
>>
>> I installed F11 but kept my home directory which is on a different disk.
>>
>> Since I have not heard anyone else complaining about this, I figure
>> that it's my configuration.  I just don't know where else to look.
>>
>> Frank
>>
>> --
>> fedora-list mailing list
>> fedora-list at redhat.com
>> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>> Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
>>
> 
Probably some api that exim is calling is looking at the mounted file systems which is causing it to look at /boot.

I think we can allow this for now.




More information about the users mailing list