Thanks.
Should I still open a bugzilla entry or not? After all I am not using
rawhide, but f21 :)
On 12.01.2015 14:22, Daniel J Walsh wrote:
I just added
allow fetchmail_t self:key manage_key_perms;
to git in Rawhide. This should fix the problem.
It is always good to open a bugzilla on issues like this.
On 01/11/2015 08:00 AM, Gland Vador wrote:
Hi,
I am using fetchmail as root to collect emails.
fetchmail is launched by systemd through a fetchmail.service (see below)
The /etc/fetchmail.conf file contains a list as
poll mail.server.com with
interval 1
protocol imap port 993
username "user" password "pass" is name@xxxxxxxxxx
ssl
keep
;
As a result I have the following selinux messages (sealert below):
time->Sun Jan 11 13:07:33 2015
type=AVC msg=audit(1420978053.531:434): avc: denied { write } for pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1
----
time->Sun Jan 11 13:07:33 2015
type=AVC msg=audit(1420978053.531:435): avc: denied { read } for pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1
----
time->Sun Jan 11 13:07:33 2015
type=AVC msg=audit(1420978053.531:436): avc: denied { view } for pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1
What can I do to have a more useful information to solve this problem? Actually this is the last AVC appearing in my logs and I want to solve it before changing the permissive mode to enforcing.
--------------------------------------------------------------------------------
[Unit]
Description=Mail Retrieval Agent
After=network.target
[Service]
PermissionsStartOnly=true
ExecStart=/usr/bin/fetchmail --daemon 600 -f /etc/fetchmail.conf --syslog --nobounce
ExecStop=/usr/bin/fetchmail --quit
Restart=always
Type=simple
[Install]
WantedBy=multi-user.target
--------------------------------------------------------------------------------
SELinux is preventing fetchmail from read access on the key Unknown.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that fetchmail should be allowed read access on the Unknown key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fetchmail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:fetchmail_t:s0
Target Context system_u:system_r:fetchmail_t:s0
Target Objects Unknown [ key ]
Source fetchmail
Source Path fetchmail
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-103.fc21.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name hostname.domain.com
Platform Linux hostname.domain.com 3.17.8-300.fc21.x86_64 #1
SMP Thu Jan 8 23:32:49 UTC 2015 x86_64 x86_64
Alert Count 238
First Seen 2015-01-06 09:08:52 CET
Last Seen 2015-01-11 13:07:33 CET
Local ID 158da9a2-8097-4c28-a055-98bee6b61498
Raw Audit Messages
type=AVC msg=audit(1420978053.531:435): avc: denied { read } for pid=820 comm="fetchmail" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=key permissive=1
Hash: fetchmail,fetchmail_t,fetchmail_t,key,read
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
