On 07/13/2009 04:06 PM, Frank Chiulli wrote:
Here is the original post:
This is a recently installed/patched F11 system. It was a fresh
install to one disk leaving my home directory untouched on another
disk. Today, I installed exim and removed sendmail via yum at the
command line. I am using the same exim.conf file that I had used with
F10 after having compared it to the original one. I am now receiving
the following message when I attempt to retrieve mail from my ISP:
Jul 12 14:26:36 flinux setroubleshoot: SELinux is preventing exim
(exim_t) "getattr" boot_t. For complete SELinux messages. run sealert
-l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
sealert -l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
Summary:
SELinux is preventing exim (exim_t) "getattr" boot_t.
Detailed Description:
SELinux denied access requested by exim. It is not expected that this access is
required by exim and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context unconfined_u:system_r:exim_t:s0
Target Context system_u:object_r:boot_t:s0
Target Objects /boot [ dir ]
Source exim
Source Path /usr/sbin/exim
Port<Unknown>
Host flinux
Source RPM Packages exim-4.69-10.fc11
Target RPM Packages filesystem-2.4.21-1.fc11
Policy RPM selinux-policy-3.6.12-62.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name flinux
Platform Linux flinux 2.6.29.5-191.fc11.i686.PAE #1 SMP Tue
Jun 16 23:19:53 EDT 2009 i686 athlon
Alert Count 289
First Seen Sun Jul 12 14:22:12 2009
Last Seen Sun Jul 12 14:23:53 2009
Local ID e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
Line Numbers
Raw Audit Messages
node=flinux type=AVC msg=audit(1247433833.210:331): avc: denied {
getattr } for pid=2508 comm="exim" path="/boot" dev=sda1 ino=2
scontext=unconfined_u:system_r:exim_t:s0
tcontext=system_u:object_r:boot_t:s0 tclass=dir
node=flinux type=SYSCALL msg=audit(1247433833.210:331): arch=40000003
syscall=195 success=no exit=-13 a0=bfa2e2c2 a1=bfa2e6b8 a2=b7dbfff4
a3=0 items=0 ppid=2447 pid=2508 auid=500 uid=93 gid=93 euid=93 suid=93
fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=1 comm="exim"
exe="/usr/sbin/exim" subj=unconfined_u:system_r:exim_t:s0 key=(null)
Frank
On Mon, Jul 13, 2009 at 8:02 AM, Daniel J Walsh<dwalsh@xxxxxxxxxx> wrote:
On 07/13/2009 08:24 AM, Frank Chiulli wrote:
I realized that just before I received your email and did post to
fedora-list. My mistake and thanks for the heads up.
Frank
On Mon, Jul 13, 2009 at 5:22 AM, David JM Emmett<me@xxxxxxxxxxxxxxxxxxx> wrote:
Don't mean to be completely rude but doesn't this belong on a support
forum?
On Mon, 2009-07-13 at 05:17 -0700, Frank Chiulli wrote:
Didar,
Mail is arriving. I just get one SELinux message for every mail message.
I agree...exim should not be referencing /boot AFAIK. But I'm not an expert.
Frank
On Mon, Jul 13, 2009 at 2:14 AM, Didar Hossain<didar.hossain@xxxxxxxxx> wrote:
On Mon, Jul 13, 2009 at 5:41 AM, Frank Chiulli<frankc.fedora@xxxxxxxxx> wrote:
Thomas,
Thanks for the suggestion. Unfortunately it did not work. I'm still
getting the same error.
Frank
Is Exim not executing it's job as it is supposed to - as in delivery
of mail is hampered by this error?
I am no SELinux or Exim expert, but, AFAIK the "/boot" directory is
not supposed to be related to the regular functioning of Exim.
Didar
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
I am missing the first email in this chain. What AVC are you seeing from exim when mail arrives?
I think these usually happen when the user is listing /
ls -lZ /
Could cause this type of AVC.
Of if the confined application was started when it's Current Working
Directory was the /boot directory.
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
