exim: SELinux
Daniel J Walsh
dwalsh at redhat.com
Tue Jul 14 12:32:15 UTC 2009
On 07/13/2009 04:06 PM, Frank Chiulli wrote:
> Here is the original post:
>
> This is a recently installed/patched F11 system. It was a fresh
> install to one disk leaving my home directory untouched on another
> disk. Today, I installed exim and removed sendmail via yum at the
> command line. I am using the same exim.conf file that I had used with
> F10 after having compared it to the original one. I am now receiving
> the following message when I attempt to retrieve mail from my ISP:
> Jul 12 14:26:36 flinux setroubleshoot: SELinux is preventing exim
> (exim_t) "getattr" boot_t. For complete SELinux messages. run sealert
> -l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
>
>
> sealert -l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
> Summary:
>
> SELinux is preventing exim (exim_t) "getattr" boot_t.
>
> Detailed Description:
>
> SELinux denied access requested by exim. It is not expected that this access is
> required by exim and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context unconfined_u:system_r:exim_t:s0
> Target Context system_u:object_r:boot_t:s0
> Target Objects /boot [ dir ]
> Source exim
> Source Path /usr/sbin/exim
> Port <Unknown>
> Host flinux
> Source RPM Packages exim-4.69-10.fc11
> Target RPM Packages filesystem-2.4.21-1.fc11
> Policy RPM selinux-policy-3.6.12-62.fc11
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name flinux
> Platform Linux flinux 2.6.29.5-191.fc11.i686.PAE #1 SMP Tue
> Jun 16 23:19:53 EDT 2009 i686 athlon
> Alert Count 289
> First Seen Sun Jul 12 14:22:12 2009
> Last Seen Sun Jul 12 14:23:53 2009
> Local ID e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
> Line Numbers
>
> Raw Audit Messages
>
> node=flinux type=AVC msg=audit(1247433833.210:331): avc: denied {
> getattr } for pid=2508 comm="exim" path="/boot" dev=sda1 ino=2
> scontext=unconfined_u:system_r:exim_t:s0
> tcontext=system_u:object_r:boot_t:s0 tclass=dir
>
> node=flinux type=SYSCALL msg=audit(1247433833.210:331): arch=40000003
> syscall=195 success=no exit=-13 a0=bfa2e2c2 a1=bfa2e6b8 a2=b7dbfff4
> a3=0 items=0 ppid=2447 pid=2508 auid=500 uid=93 gid=93 euid=93 suid=93
> fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=1 comm="exim"
> exe="/usr/sbin/exim" subj=unconfined_u:system_r:exim_t:s0 key=(null)
>
> Frank
>
> On Mon, Jul 13, 2009 at 8:02 AM, Daniel J Walsh<dwalsh at redhat.com> wrote:
>> On 07/13/2009 08:24 AM, Frank Chiulli wrote:
>>> I realized that just before I received your email and did post to
>>> fedora-list. My mistake and thanks for the heads up.
>>>
>>> Frank
>>>
>>> On Mon, Jul 13, 2009 at 5:22 AM, David JM Emmett<me at davidjmemmett.co.uk> wrote:
>>>> Don't mean to be completely rude but doesn't this belong on a support
>>>> forum?
>>>>
>>>> On Mon, 2009-07-13 at 05:17 -0700, Frank Chiulli wrote:
>>>>> Didar,
>>>>> Mail is arriving. I just get one SELinux message for every mail message.
>>>>>
>>>>> I agree...exim should not be referencing /boot AFAIK. But I'm not an expert.
>>>>>
>>>>> Frank
>>>>>
>>>>> On Mon, Jul 13, 2009 at 2:14 AM, Didar Hossain<didar.hossain at gmail.com> wrote:
>>>>>> On Mon, Jul 13, 2009 at 5:41 AM, Frank Chiulli<frankc.fedora at gmail.com> wrote:
>>>>>>> Thomas,
>>>>>>> Thanks for the suggestion. Unfortunately it did not work. I'm still
>>>>>>> getting the same error.
>>>>>>>
>>>>>>> Frank
>>>>>> Is Exim not executing its job as it is supposed to - as in delivery
>>>>>> of mail is hampered by this error?
>>>>>>
>>>>>> I am no SELinux or Exim expert, but, AFAIK the "/boot" directory is
>>>>>> not supposed to be related to the regular functioning of Exim.
>>>>>>
>>>>>> Didar
>>>>>>
>>>>> _______________________________________________
>>>>> Fedora-infrastructure-list mailing list
>>>>> Fedora-infrastructure-list at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
>> I am missing the first email in this chain. What AVC are you seeing from exim when mail arrives?
>>
I think these usually happen when the user is listing /:
    ls -lZ /
could cause this type of AVC.
Or if the confined application was started when its Current Working
Directory was the /boot directory.
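A small triage helper for AVC records like the one quoted above (an added example, not code from this thread or from setroubleshoot/audit2allow): it parses the key=value fields and the denied permission set, and flags the pattern Dan describes, a lone getattr on a directory by a daemon, as something to verify via the process's cwd and the user's activity rather than as access the daemon needs. The embedded record is the thread's own AVC line re-joined onto one line; the label names and the "review" fallback are my own.

```python
import re

# The raw AVC record quoted earlier in this thread, re-joined onto one line.
SAMPLE_AVC = (
    'node=flinux type=AVC msg=audit(1247433833.210:331): avc: denied { getattr } '
    'for pid=2508 comm="exim" path="/boot" dev=sda1 ino=2 '
    'scontext=unconfined_u:system_r:exim_t:s0 '
    'tcontext=system_u:object_r:boot_t:s0 tclass=dir'
)

# key=value pairs; values may be quoted (comm="exim") or bare (tclass=dir).
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The permission set sits between the braces after "avc: denied".
_PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*)\}')


def parse_avc(line):
    """Return the record's fields plus perms/source_type/target_type, or None if it is not an AVC denial."""
    m = _PERMS_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    rec["perms"] = set(m.group(1).split())
    # The type is the third component of a context: unconfined_u:system_r:exim_t:s0 -> exim_t
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def triage(rec):
    """Classify one parsed denial. Only stat()-style metadata access on a directory
    is treated as likely noise (a listing of / or an inherited working directory);
    anything else is left for manual review, never auto-allowed."""
    if rec["tclass"] == "dir" and rec["perms"] == {"getattr"}:
        return ("likely-noise",
                f'{rec["comm"]} ({rec["source_type"]}) only stat()ed {rec["path"]} '
                f'({rec["target_type"]}); check: ls -ldZ /proc/{rec["pid"]}/cwd '
                f'and whether a listing of / was running')
    return ("review",
            f'{rec["comm"]} ({rec["source_type"]}) denied {sorted(rec["perms"])} '
            f'on {rec["tclass"]} {rec.get("path", "?")} ({rec["target_type"]})')


if __name__ == "__main__":
    parsed = parse_avc(SAMPLE_AVC)
    print(*triage(parsed))
```

Feed it the `type=AVC` lines from `ausearch -m avc` (or the journal); non-AVC records such as the SYSCALL line are skipped by `parse_avc` returning None.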