On Mon, Sep 7, 2009 at 4:08 PM, Daniel J Walsh<dwalsh@xxxxxxxxxx> wrote: > On 09/07/2009 04:34 AM, Didar Hossain wrote: >> On Sat, Sep 5, 2009 at 9:45 PM, Frank Chiulli<frankc.fedora@xxxxxxxxx> wrote: >>> On F11 when exim attempts to retrieve mail from my ISP, I get the following: >> >> How are you pulling the mail from your ISP? >> >> >>> Summary: >>> SELinux is preventing exim (exim_t) "getattr" boot_t. >>> >>> Detailed Description: >>> SELinux denied access requested by exim. It is not expected that this >>> access is required by exim and this access may signal an intrusion >>> attempt. It is also possible that the specific version or >>> configuration of the application is causing it to require additional >>> access. >>> >>> Allowing Access: >>> You can generate a local policy module to allow this access - see FAQ >>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can >>> disable SELinux protection altogether. Disabling SELinux protection is >>> not recommended. Please file a bug report >>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this >>> package. >>> >>> Additional Information: >>> Source Context system_u:system_r:exim_t:s0 >>> Target Context system_u:object_r:boot_t:s0 >>> Target Objects /boot [ dir ] >>> Source exim >>> Source Path /usr/sbin/exim >>> Port <Unknown> >>> Host flinux >>> Source RPM Packages exim-4.69-10.fc11 >>> Target RPM Packages filesystem-2.4.21-1.fc11 >>> Policy RPM selinux-policy-3.6.12-80.fc11 >>> Selinux Enabled True >>> Policy Type targeted >>> MLS Enabled True >>> Enforcing Mode Enforcing >>> Plugin Name catchall >>> Host Name flinux >>> Platform Linux flinux 2.6.29.6-217.2.16.fc11.i686.PAE #1 >>> SMP Mon Aug 24 17:16:21 EDT 2009 i686 athlon >>> Alert Count 327 >>> First Seen Sun 12 Jul 2009 05:09:10 PM PDT >>> Last Seen Sat 05 Sep 2009 09:05:41 AM PDT >>> Local ID c330c7e2-7fd7-45ae-8ebb-8de1def6e145 >>> Line Numbers >>> >>> Raw Audit Messages >>> node=flinux type=AVC msg=audit(1252166741.77:28): avc: denied { >>> getattr } for pid=2279 comm="exim" path="/boot" dev=sda1 ino=2 >>> scontext=system_u:system_r:exim_t:s0 >>> tcontext=system_u:object_r:boot_t:s0 tclass=dir >>> >>> node=flinux type=SYSCALL msg=audit(1252166741.77:28): arch=40000003 >>> syscall=195 success=no exit=-13 a0=bfbe1292 a1=bfbe1688 a2=756ff4 a3=0 >>> items=0 ppid=1489 pid=2279 auid=4294967295 uid=93 gid=93 euid=93 >>> suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 >>> comm="exim" exe="/usr/sbin/exim" subj=system_u:system_r:exim_t:s0 >>> key=(null) >>> >>> ===== >>> >>> Other information: >>> RPMs: >>> exim-4.69-10.fc11.i586 >>> selinux-policy-3.6.12-80.fc11.noarch >>> selinux-policy-targeted-3.6.12-80.fc11.noarch >>> >>> The mail does get through but I get an SELinux error for each message. >>> >>> I've looked for '/boot' in exim config files but came up empty. >>> >>> I installed F11 but kept my home directory which is on a different disk. >>> >>> Since I have not heard anyone else complaining about this, I figure >>> that it's my configuration. I just don't know where else to look. >>> >>> Frank >>> >>> -- >>> fedora-list mailing list >>> fedora-list@xxxxxxxxxx >>> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list >>> Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines >>> >> > Probably some api that exim is calling is looking at the mounted file systems which is causing it to look at /boot. Do you think we need a Bug filed for this? An MTA doing a "getattr" on /boot seems a little unnecessary to me. > I think we can allow this for now. -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
