Re: exim: SELinux

On 07/13/2009 04:06 PM, Frank Chiulli wrote:
Here is the original post:

This is a recently installed/patched F11 system.  It was a fresh
install to one disk leaving my home directory untouched on another
disk.  Today, I installed exim and removed sendmail via yum at the
command line.  I am using the same exim.conf file that I had used with
F10 after having compared it to the original one.  I am now receiving
the following message when I attempt to retrieve mail from my ISP:
Jul 12 14:26:36 flinux setroubleshoot: SELinux is preventing exim
(exim_t) "getattr" boot_t. For complete SELinux messages. run sealert
-l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad


sealert -l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
Summary:

SELinux is preventing exim (exim_t) "getattr" boot_t.

Detailed Description:

SELinux denied access requested by exim. It is not expected that this access is
required by exim and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:exim_t:s0
Target Context                system_u:object_r:boot_t:s0
Target Objects                /boot [ dir ]
Source                        exim
Source Path                   /usr/sbin/exim
Port                          <Unknown>
Host                          flinux
Source RPM Packages           exim-4.69-10.fc11
Target RPM Packages           filesystem-2.4.21-1.fc11
Policy RPM                    selinux-policy-3.6.12-62.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     flinux
Platform                      Linux flinux 2.6.29.5-191.fc11.i686.PAE #1 SMP Tue
                              Jun 16 23:19:53 EDT 2009 i686 athlon
Alert Count                   289
First Seen                    Sun Jul 12 14:22:12 2009
Last Seen                     Sun Jul 12 14:23:53 2009
Local ID                      e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
Line Numbers

Raw Audit Messages

node=flinux type=AVC msg=audit(1247433833.210:331): avc:  denied  {
getattr } for  pid=2508 comm="exim" path="/boot" dev=sda1 ino=2
scontext=unconfined_u:system_r:exim_t:s0
tcontext=system_u:object_r:boot_t:s0 tclass=dir

node=flinux type=SYSCALL msg=audit(1247433833.210:331): arch=40000003
syscall=195 success=no exit=-13 a0=bfa2e2c2 a1=bfa2e6b8 a2=b7dbfff4
a3=0 items=0 ppid=2447 pid=2508 auid=500 uid=93 gid=93 euid=93 suid=93
fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=1 comm="exim"
exe="/usr/sbin/exim" subj=unconfined_u:system_r:exim_t:s0 key=(null)

Frank

On Mon, Jul 13, 2009 at 8:02 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
On 07/13/2009 08:24 AM, Frank Chiulli wrote:
I realized that just before I received your email and did post to
fedora-list.  My mistake and thanks for the heads up.

Frank

On Mon, Jul 13, 2009 at 5:22 AM, David JM Emmett <me@xxxxxxxxxxxxxxxxxxx> wrote:
Don't mean to be completely rude but doesn't this belong on a support
forum?

On Mon, 2009-07-13 at 05:17 -0700, Frank Chiulli wrote:
Didar,
Mail is arriving.  I just get one SELinux message for every mail message.

I agree...exim should not be referencing /boot AFAIK.  But I'm not an expert.

Frank

On Mon, Jul 13, 2009 at 2:14 AM, Didar Hossain <didar.hossain@xxxxxxxxx> wrote:
On Mon, Jul 13, 2009 at 5:41 AM, Frank Chiulli <frankc.fedora@xxxxxxxxx> wrote:
Thomas,
Thanks for the suggestion.  Unfortunately it did not work.  I'm still
getting the same error.

Frank
Is Exim not executing its job as it is supposed to - as in delivery
of mail is hampered by this error?

I am no SELinux or Exim expert, but, AFAIK the "/boot" directory is
not supposed to be related to the regular functioning of Exim.

Didar

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
I am missing the first email in this chain.  What AVC are you seeing from exim when mail arrives?

I think these usually happen when the user is listing /
ls -lZ /

Could cause this type of AVC.

Or if the confined application was started when its current working directory was the /boot directory.


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
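Added example, not part of the thread: a small Python parser for the raw AVC record quoted in the sealert output above. It pulls out the source and target types, object class and permissions, and renders the type-enforcement rule a local policy module would need, either as an `allow` or, where the access is only log noise of the kind Dan describes (exim stat'ing /boot during a directory listing), as a `dontaudit` that silences the message without granting anything. The AVC line is taken from this page; the module name is a placeholder.

```python
import re

# The raw AVC record from the sealert report above, joined onto one line (constructed sample).
AVC_SAMPLE = (
    'node=flinux type=AVC msg=audit(1247433833.210:331): avc:  denied  { getattr } '
    'for  pid=2508 comm="exim" path="/boot" dev=sda1 ino=2 '
    'scontext=unconfined_u:system_r:exim_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir'
)

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the security-relevant fields of one AVC record, or None if it is not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    # A context reads user:role:type:level; the type (third field) is what policy rules name.
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'tclass': fields['tclass'],
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
    }


def perm_set(perms):
    """Render one permission bare, several inside braces, as policy source expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def te_rule(rec, dontaudit=False):
    """The rule covering this record: 'allow' grants the access, 'dontaudit' only stops the logging."""
    kw = 'dontaudit' if dontaudit else 'allow'
    return f"{kw} {rec['stype']} {rec['ttype']}:{rec['tclass']} {perm_set(rec['perms'])};"


def local_module(name, recs, dontaudit=False):
    """Emit minimal .te source for a local policy module covering the given AVC records."""
    types = sorted({t for r in recs for t in (r['stype'], r['ttype'])})
    classes = {}
    for r in recs:
        classes.setdefault(r['tclass'], set()).update(r['perms'])
    lines = [f'module {name} 1.0;', '', 'require {']
    lines += [f'    type {t};' for t in types]
    lines += [f'    class {c} {perm_set(p)};' for c, p in sorted(classes.items())]
    lines += ['}', ''] + [te_rule(r, dontaudit) for r in recs]
    return '\n'.join(lines) + '\n'
```

The emitted .te source is the same shape audit2allow produces and builds with the standard checkmodule -M -m, semodule_package and semodule -i steps; the dontaudit form is the one to reach for when, as in this thread, the denied access is not something exim actually needs.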
