exim: SELinux

Daniel J Walsh dwalsh at redhat.com
Tue Jul 14 12:32:15 UTC 2009


On 07/13/2009 04:06 PM, Frank Chiulli wrote:
> Here is the original post:
>
> This is a recently installed/patched F11 system.  It was a fresh
> install to one disk leaving my home directory untouched on another
> disk.  Today, I installed exim and removed sendmail via yum at the
> command line.  I am using the same exim.conf file that I had used with
> F10 after having compared it to the original one.  I am now receiving
> the following message when I attempt to retrieve mail from my ISP:
> Jul 12 14:26:36 flinux setroubleshoot: SELinux is preventing exim
> (exim_t) "getattr" boot_t. For complete SELinux messages. run sealert
> -l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
>
>
> sealert -l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
> Summary:
>
> SELinux is preventing exim (exim_t) "getattr" boot_t.
>
> Detailed Description:
>
> SELinux denied access requested by exim. It is not expected that this access is
> required by exim and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                unconfined_u:system_r:exim_t:s0
> Target Context                system_u:object_r:boot_t:s0
> Target Objects                /boot [ dir ]
> Source                        exim
> Source Path                   /usr/sbin/exim
> Port<Unknown>
> Host                          flinux
> Source RPM Packages           exim-4.69-10.fc11
> Target RPM Packages           filesystem-2.4.21-1.fc11
> Policy RPM                    selinux-policy-3.6.12-62.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     flinux
> Platform                      Linux flinux 2.6.29.5-191.fc11.i686.PAE #1 SMP Tue
>                               Jun 16 23:19:53 EDT 2009 i686 athlon
> Alert Count                   289
> First Seen                    Sun Jul 12 14:22:12 2009
> Last Seen                     Sun Jul 12 14:23:53 2009
> Local ID                      e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
> Line Numbers
>
> Raw Audit Messages
>
> node=flinux type=AVC msg=audit(1247433833.210:331): avc:  denied  {
> getattr } for  pid=2508 comm="exim" path="/boot" dev=sda1 ino=2
> scontext=unconfined_u:system_r:exim_t:s0
> tcontext=system_u:object_r:boot_t:s0 tclass=dir
>
> node=flinux type=SYSCALL msg=audit(1247433833.210:331): arch=40000003
> syscall=195 success=no exit=-13 a0=bfa2e2c2 a1=bfa2e6b8 a2=b7dbfff4
> a3=0 items=0 ppid=2447 pid=2508 auid=500 uid=93 gid=93 euid=93 suid=93
> fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=1 comm="exim"
> exe="/usr/sbin/exim" subj=unconfined_u:system_r:exim_t:s0 key=(null)
>
> Frank
>
> On Mon, Jul 13, 2009 at 8:02 AM, Daniel J Walsh<dwalsh at redhat.com>  wrote:
>> On 07/13/2009 08:24 AM, Frank Chiulli wrote:
>>> I realized that just before I received your email and did post to
>>> fedora-list.  My mistake and thanks for the heads up.
>>>
>>> Frank
>>>
>>> On Mon, Jul 13, 2009 at 5:22 AM, David JM Emmett<me at davidjmemmett.co.uk>  wrote:
>>>> Don't mean to be completely rude but doesn't this belong on a support
>>>> forum?
>>>>
>>>> On Mon, 2009-07-13 at 05:17 -0700, Frank Chiulli wrote:
>>>>> Didar,
>>>>> Mail is arriving.  I just get one SELinux message for every mail message.
>>>>>
>>>>> I agree...exim should not be referencing /boot AFAIK.  But I'm not an expert.
>>>>>
>>>>> Frank
>>>>>
>>>>> On Mon, Jul 13, 2009 at 2:14 AM, Didar Hossain<didar.hossain at gmail.com>  wrote:
>>>>>> On Mon, Jul 13, 2009 at 5:41 AM, Frank Chiulli<frankc.fedora at gmail.com>  wrote:
>>>>>>> Thomas,
>>>>>>> Thanks for the suggestion.  Unfortunately it did not work.  I'm still
>>>>>>> getting the same error.
>>>>>>>
>>>>>>> Frank
>>>>>> Is Exim not executing its job as it is supposed to - as in delivery
>>>>>> of mail is hampered by this error?
>>>>>>
>>>>>> I am no SELinux or Exim expert, but, AFAIK the "/boot" directory is
>>>>>> not supposed to be related to the regular functioning of Exim.
>>>>>>
>>>>>> Didar
>>>>>>
>>>>> _______________________________________________
>>>>> Fedora-infrastructure-list mailing list
>>>>> Fedora-infrastructure-list at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
>> I am missing the first email in this chain.  What AVC are you seeing from exim when mail arrives?
>>
I think these usually happen when the user is listing /
ls -lZ /

Could cause this type of AVC.

Or if the confined application was started when its Current Working 
Directory was the /boot directory.
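The reply above points at the usual cause of this kind of denial: a `getattr` on `/boot` is a stat of a directory entry (someone listing `/`, or a daemon whose working directory was `/boot` when it started), not exim reading anything under it. The following script is an added example for this thread, not code from the list, from setroubleshoot or from the exim package. It parses raw `type=AVC` audit records like the ones quoted above, groups denials by source domain, target type, object class and permission set, and separates `getattr`-only hits from denials that would actually expose data. The sample audit lines are constructed: the first mirrors the thread's denial, the remaining ones are made-up variations (a second `getattr` hit and a `read open` on a file) added so the grouping has something to distinguish. Treating `getattr`-only denials as low-risk noise is this example's own triage rule, not a policy statement from the page.

```python
"""Group and triage SELinux AVC denials from raw audit records.

Added example for the exim/boot_t thread above; not code from the mailing
list, setroubleshoot, audit2allow or exim. Sample records are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample input. Line 1 mirrors the denial reported in the thread;
# the SYSCALL record is there to show non-AVC lines are skipped; the last two
# AVC records are made up to give the triage something to separate.
SAMPLE_AUDIT = """\
node=flinux type=AVC msg=audit(1247433833.210:331): avc:  denied  { getattr } for  pid=2508 comm="exim" path="/boot" dev=sda1 ino=2 scontext=unconfined_u:system_r:exim_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
node=flinux type=SYSCALL msg=audit(1247433833.210:331): arch=40000003 syscall=195 success=no exit=-13 comm="exim" exe="/usr/sbin/exim"
node=flinux type=AVC msg=audit(1247433900.001:340): avc:  denied  { getattr } for  pid=2511 comm="exim" path="/boot" dev=sda1 ino=2 scontext=unconfined_u:system_r:exim_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
node=flinux type=AVC msg=audit(1247434000.500:350): avc:  denied  { read open } for  pid=2520 comm="exim" path="/boot/grub/grub.conf" dev=sda1 ino=17 scontext=unconfined_u:system_r:exim_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file
"""

# Field layout follows the kernel's AVC record: "avc: denied { perms } for ...
# scontext=... tcontext=... tclass=...". Only type=AVC records match.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)
PATH_RE = re.compile(r'\bpath="([^"]*)"')
COMM_RE = re.compile(r'\bcomm="([^"]*)"')

# Triage assumption for this example: a denial consisting only of getattr is a
# stat of the object (directory listing, cwd checks) and exposes no contents.
METADATA_ONLY = frozenset({"getattr"})


def parse_avc(line: str) -> Optional[dict]:
    """Return the interesting fields of one AVC record, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    path_m = PATH_RE.search(line)
    comm_m = COMM_RE.search(line)
    return {
        "verdict": m.group("verdict"),
        "perms": frozenset(m.group("perms").split()),
        # user:role:type:level -> keep the type component (e.g. exim_t, boot_t)
        "sdomain": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "path": path_m.group(1) if path_m else None,
        "comm": comm_m.group(1) if comm_m else None,
    }


def summarize(audit_text: str) -> Dict[Tuple[str, str, str, str], int]:
    """Count denials by (source domain, target type, class, sorted perms)."""
    counts: Counter = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (rec["sdomain"], rec["ttype"], rec["tclass"],
               " ".join(sorted(rec["perms"])))
        counts[key] += 1
    return dict(counts)


def is_metadata_only(rec: dict) -> bool:
    """True when every denied permission is a metadata (stat-style) access."""
    return rec["perms"] <= METADATA_ONLY


def triage(audit_text: str) -> Tuple[List[dict], List[dict]]:
    """Split denials into (metadata-only noise, denials worth reviewing)."""
    noise: List[dict] = []
    review: List[dict] = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        (noise if is_metadata_only(rec) else review).append(rec)
    return noise, review


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_AUDIT).items()):
        print(f"{n:4d}  {key[0]} -> {key[1]} ({key[2]}) {{ {key[3]} }}")
    noise, review = triage(SAMPLE_AUDIT)
    print(f"metadata-only denials: {len(noise)}, needing review: {len(review)}")
    for rec in review:
        print(f"  review: {rec['comm']} {sorted(rec['perms'])} on {rec['path']}")
```

Run it against `ausearch -m AVC -ts today` output (or a copy of `/var/log/audit/audit.log`) instead of `SAMPLE_AUDIT` to see the same grouping on a live host. The grouping mirrors what `audit2allow` would fold into a single allow rule; the point of the split is that a pile of `getattr` denials on `boot_t` from `exim_t` is the benign case described in the thread, while a `read open` on a file under `/boot` from the same domain is a different question and should not be silenced with the same local policy module.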
