I just added allow fetchmail_t self:key manage_key_perms; to git in Rawhide. This should fix the problem.

It is always good to open a bugzilla on issues like this.

On 01/11/2015 08:00 AM, Gland Vador wrote:
> Hi,
>
> I am using fetchmail as root to collect emails.
>
> fetchmail is launched by systemd through a fetchmail.service (see below)
>
> The /etc/fetchmail.conf file contains a list as
>
>     poll mail.server.com with
>     interval 1
>     protocol imap port 993
>     username "user" password "pass" is name@xxxxxxxxxx
>     ssl
>     keep
>     ;
>
> As a result I have the following selinux messages (sealert below):
>
> time->Sun Jan 11 13:07:33 2015
> type=AVC msg=audit(1420978053.531:434): avc: denied { write } for pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1
> ----
> time->Sun Jan 11 13:07:33 2015
> type=AVC msg=audit(1420978053.531:435): avc: denied { read } for pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1
> ----
> time->Sun Jan 11 13:07:33 2015
> type=AVC msg=audit(1420978053.531:436): avc: denied { view } for pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1
>
> What can I do to have more useful information to solve this problem? Actually this is the last AVC appearing in my logs and I want to solve it before changing the permissive mode to enforcing.
>
> --------------------------------------------------------------------------------
> [Unit]
> Description=Mail Retrieval Agent
> After=network.target
>
> [Service]
> PermissionsStartOnly=true
> ExecStart=/usr/bin/fetchmail --daemon 600 -f /etc/fetchmail.conf --syslog --nobounce
> ExecStop=/usr/bin/fetchmail --quit
> Restart=always
> Type=simple
>
> [Install]
> WantedBy=multi-user.target
>
> --------------------------------------------------------------------------------
>
> SELinux is preventing fetchmail from read access on the key Unknown.
>
> ***** Plugin catchall (100. confidence) suggests **************************
>
> If you believe that fetchmail should be allowed read access on the Unknown key by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep fetchmail /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Additional Information:
> Source Context                system_u:system_r:fetchmail_t:s0
> Target Context                system_u:system_r:fetchmail_t:s0
> Target Objects                Unknown [ key ]
> Source                        fetchmail
> Source Path                   fetchmail
> Port                          <Unknown>
> Host                          <Unknown>
> Source RPM Packages
> Target RPM Packages
> Policy RPM                    selinux-policy-3.13.1-103.fc21.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Permissive
> Host Name                     hostname.domain.com
> Platform                      Linux hostname.domain.com 3.17.8-300.fc21.x86_64 #1 SMP Thu Jan 8 23:32:49 UTC 2015 x86_64 x86_64
> Alert Count                   238
> First Seen                    2015-01-06 09:08:52 CET
> Last Seen                     2015-01-11 13:07:33 CET
> Local ID                      158da9a2-8097-4c28-a055-98bee6b61498
>
> Raw Audit Messages
> type=AVC msg=audit(1420978053.531:435): avc: denied { read } for pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1
>
> Hash: fetchmail,fetchmail_t,fetchmail_t,key,read
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
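The sealert output above tells the reporter to pipe the denials through audit2allow and install whatever module comes out. Before doing that on a machine that is about to go enforcing, it is worth seeing exactly which rule the three AVC lines translate to, so the local module can be compared with the policy fix in the reply. The script below is an added example, not code from the thread or from the selinux-policy project: `avc_to_allow` is a small awk-based reimplementation of the part of audit2allow that turns AVC lines into allow rules (same (source type, target type, class) grouping, `self` when the two types match), fed with the three denials quoted in the thread as constructed sample input; `build_local_module` is an assumed helper name that wraps the standard checkmodule / semodule_package / semodule steps and is only defined, not run, here.

```shell
#!/bin/sh
# Added example (not from the original thread): translate AVC denials
# into the minimal SELinux allow rules so they can be reviewed before a
# local module is built, then optionally build and install that module.

# Constructed sample input: the three denials quoted in the report.
SAMPLE_AVCS='type=AVC msg=audit(1420978053.531:434): avc:  denied  { write } for  pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1
type=AVC msg=audit(1420978053.531:435): avc:  denied  { read } for  pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1
type=AVC msg=audit(1420978053.531:436): avc:  denied  { view } for  pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1'

# avc_to_allow: read AVC lines on stdin, print one "allow" rule per
# (source type, target type, object class), merging the denied permissions
# of all matching lines and writing "self" when source and target types are
# the same type (exactly the shape of the rule in the reply above).
avc_to_allow() {
    awk '
    /^type=AVC/ && /avc: *denied/ {
        # denied permissions are the words between "{" and "}"
        if (!match($0, /\{[^}]*\}/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") src = kv[2]
            else if (kv[1] == "tcontext") tgt = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
        }
        if (src == "" || tgt == "" || cls == "") next
        # the type is the third field of user:role:type:level
        split(src, s, ":"); split(tgt, t, ":")
        stype = s[3]; ttype = t[3]
        if (ttype == stype) ttype = "self"
        key = stype SUBSEP ttype SUBSEP cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) if (p[j] != "") seen[key, p[j]] = 1
        keys[key] = 1
    }
    END {
        for (k in keys) {
            split(k, f, SUBSEP)
            m = 0
            for (a in plist) delete plist[a]
            for (sk in seen) {
                split(sk, g, SUBSEP)
                if (g[1] == f[1] && g[2] == f[2] && g[3] == f[3]) plist[++m] = g[4]
            }
            # insertion sort so the permission list is stable and reviewable
            for (a = 2; a <= m; a++) {
                v = plist[a]; b = a - 1
                while (b > 0 && plist[b] > v) { plist[b + 1] = plist[b]; b-- }
                plist[b + 1] = v
            }
            out = ""
            for (a = 1; a <= m; a++) out = out (a > 1 ? " " : "") plist[a]
            printf "allow %s %s:%s { %s };\n", f[1], f[2], f[3], out
        }
    }'
}

# build_local_module NAME: assumed helper name. Wraps the standard
# checkmodule / semodule_package / semodule tool chain around the rules read
# on stdin; requires root and the policy tools, so it is only defined here.
build_local_module() {
    name=$1
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; return 1; }
    done
    {
        printf 'module %s 1.0;\n\nrequire {\n' "$name"
        printf '\ttype fetchmail_t;\n\tclass key { create link read search setattr view write };\n}\n\n'
        cat
    } > "$name.te"
    checkmodule -M -m -o "$name.mod" "$name.te" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    semodule -i "$name.pp"
}

# Review the generated rule. Expected: allow fetchmail_t self:key { read view write };
printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow
```

The generated rule lists only the three permissions that were actually denied, whereas the upstream fix uses the manage_key_perms permission set; the narrower local rule is enough to stop these AVCs, and a local module like this is the stopgap until the fixed selinux-policy package lands, which is why the reply asks for a bugzilla as well.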