Re: exim: SELinux

2009-07-14 Thread Didar Hossain
On Mon, Jul 13, 2009 at 5:52 PM, David JM Emmett <m...@davidjmemmett.co.uk> wrote:
> Don't mean to be completely rude but doesn't this belong on a support
> forum?

Agree, this does not seem to be related to a system managed by the
Infra team. The fedora-list is the appropriate mailing list for this
thread.

Didar

___
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list


Re: exim: SELinux

2009-07-13 Thread Didar Hossain
On Mon, Jul 13, 2009 at 5:41 AM, Frank Chiulli <frankc.fed...@gmail.com> wrote:
> Thomas,
> Thanks for the suggestion.  Unfortunately it did not work.  I'm still
> getting the same error.
>
> Frank

Is Exim not executing its job as it is supposed to - as in delivery
of mail is hampered by this error?

I am no SELinux or Exim expert, but, AFAIK the /boot directory is
not supposed to be related to the regular functioning of Exim.

Didar



Re: exim: SELinux

2009-07-13 Thread Frank Chiulli
Didar,
Mail is arriving.  I just get one SELinux message for every mail message.

I agree...exim should not be referencing /boot AFAIK.  But I'm not an expert.

Frank

On Mon, Jul 13, 2009 at 2:14 AM, Didar Hossain <didar.hoss...@gmail.com> wrote:
> On Mon, Jul 13, 2009 at 5:41 AM, Frank Chiulli <frankc.fed...@gmail.com> wrote:
>> Thomas,
>> Thanks for the suggestion.  Unfortunately it did not work.  I'm still
>> getting the same error.
>>
>> Frank
>
> Is Exim not executing its job as it is supposed to - as in delivery
> of mail is hampered by this error?
>
> I am no SELinux or Exim expert, but, AFAIK the /boot directory is
> not supposed to be related to the regular functioning of Exim.
>
> Didar




Re: exim: SELinux

2009-07-13 Thread David JM Emmett
Don't mean to be completely rude but doesn't this belong on a support
forum?

On Mon, 2009-07-13 at 05:17 -0700, Frank Chiulli wrote:
> Didar,
> Mail is arriving.  I just get one SELinux message for every mail message.
>
> I agree...exim should not be referencing /boot AFAIK.  But I'm not an expert.
>
> Frank
>
> On Mon, Jul 13, 2009 at 2:14 AM, Didar Hossain <didar.hoss...@gmail.com> wrote:
>> On Mon, Jul 13, 2009 at 5:41 AM, Frank Chiulli <frankc.fed...@gmail.com> wrote:
>>> Thomas,
>>> Thanks for the suggestion.  Unfortunately it did not work.  I'm still
>>> getting the same error.
>>>
>>> Frank
>>
>> Is Exim not executing its job as it is supposed to - as in delivery
>> of mail is hampered by this error?
>>
>> I am no SELinux or Exim expert, but, AFAIK the /boot directory is
>> not supposed to be related to the regular functioning of Exim.
>>
>> Didar


Re: exim: SELinux

2009-07-13 Thread Nigel Metheringham


On 13 Jul 2009, at 13:17, Frank Chiulli wrote:
> Mail is arriving.  I just get one SELinux message for every mail
> message.
>
> I agree...exim should not be referencing /boot AFAIK.  But I'm not
> an expert.

Without having seen the config I can only make wild guesses...

However the wild guess I would make is that exim is doing a check for
available space in the spool and log directories, and this is
triggering the SELinux check on the statvfs() call.

It is a wild guess though :-)

Can you make sure that there are no references to boot in the config
files?


Nigel.
--
[ Nigel Metheringham nigel.methering...@intechnology.com ]
[ - Comments in this message are my own and not ITO opinion/policy - ]



exim: SELinux

2009-07-12 Thread Frank Chiulli
This is a recently installed/patched F11 system.  It was a fresh
install to one disk leaving my home directory untouched on another
disk.  Today, I installed exim and removed sendmail via yum at the
command line.  I am using the same exim.conf file that I had used with
F10 after having compared it to the original one.  I am now receiving
the following message when I attempt to retrieve mail from my ISP:
Jul 12 14:26:36 flinux setroubleshoot: SELinux is preventing exim
(exim_t) getattr boot_t. For complete SELinux messages. run sealert
-l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad


sealert -l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
Summary:

SELinux is preventing exim (exim_t) getattr boot_t.

Detailed Description:

SELinux denied access requested by exim. It is not expected that this access is
required by exim and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:exim_t:s0
Target Context                system_u:object_r:boot_t:s0
Target Objects                /boot [ dir ]
Source                        exim
Source Path                   /usr/sbin/exim
Port                          Unknown
Host                          flinux
Source RPM Packages           exim-4.69-10.fc11
Target RPM Packages           filesystem-2.4.21-1.fc11
Policy RPM                    selinux-policy-3.6.12-62.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     flinux
Platform                      Linux flinux 2.6.29.5-191.fc11.i686.PAE #1 SMP Tue
                              Jun 16 23:19:53 EDT 2009 i686 athlon
Alert Count                   289
First Seen                    Sun Jul 12 14:22:12 2009
Last Seen                     Sun Jul 12 14:23:53 2009
Local ID                      e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
Line Numbers

Raw Audit Messages

node=flinux type=AVC msg=audit(1247433833.210:331): avc:  denied  {
getattr } for  pid=2508 comm=exim path=/boot dev=sda1 ino=2
scontext=unconfined_u:system_r:exim_t:s0
tcontext=system_u:object_r:boot_t:s0 tclass=dir

node=flinux type=SYSCALL msg=audit(1247433833.210:331): arch=4003
syscall=195 success=no exit=-13 a0=bfa2e2c2 a1=bfa2e6b8 a2=b7dbfff4
a3=0 items=0 ppid=2447 pid=2508 auid=500 uid=93 gid=93 euid=93 suid=93
fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=1 comm=exim
exe=/usr/sbin/exim subj=unconfined_u:system_r:exim_t:s0 key=(null)


Any thoughts/suggestions?

Thanks,
Frank
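
Added example (not part of the original thread): a Python sketch that pairs the AVC and SYSCALL records from the report above by audit event ID, decodes the syscall number and exit code, and builds the type-enforcement rule a local policy module allowing exactly this access would carry. It assumes 32-bit x86 syscall numbering, based on the report's Platform line; the function names and the small syscall table are this example's own.

```python
import errno
import re

# Raw audit records copied from the report above (wrapped lines rejoined).
RAW = [
    "node=flinux type=AVC msg=audit(1247433833.210:331): avc:  denied  "
    "{ getattr } for  pid=2508 comm=exim path=/boot dev=sda1 ino=2 "
    "scontext=unconfined_u:system_r:exim_t:s0 "
    "tcontext=system_u:object_r:boot_t:s0 tclass=dir",
    "node=flinux type=SYSCALL msg=audit(1247433833.210:331): arch=4003 "
    "syscall=195 success=no exit=-13 a0=bfa2e2c2 a1=bfa2e6b8 a2=b7dbfff4 "
    "a3=0 items=0 ppid=2447 pid=2508 auid=500 uid=93 gid=93 euid=93 suid=93 "
    "fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=1 comm=exim "
    "exe=/usr/sbin/exim subj=unconfined_u:system_r:exim_t:s0 key=(null)",
]

# Assumption: 32-bit x86 syscall numbers (the Platform line reports i686).
I386_SYSCALLS = {99: "statfs", 195: "stat64", 196: "lstat64", 268: "statfs64"}

def parse_record(line):
    """Split one audit record into key=value fields, event id and permissions."""
    rec = dict(re.findall(r"(\w+)=(\S+)", line))
    rec["event"] = re.search(r"msg=audit\(([\d.]+:\d+)\)", line).group(1)
    perms = re.search(r"\{([^}]*)\}", line)
    rec["perms"] = perms.group(1).split() if perms else []
    return rec

def summarize(lines):
    """Join the AVC and SYSCALL records of each audit event into one summary."""
    events = {}
    for rec in map(parse_record, lines):
        events.setdefault(rec["event"], {})[rec["type"]] = rec
    out = []
    for event, recs in events.items():
        if "AVC" not in recs:          # a SYSCALL record without a denial
            continue
        avc, sc = recs["AVC"], recs.get("SYSCALL", {})
        src = avc["scontext"].split(":")[2]   # the type is the third field
        tgt = avc["tcontext"].split(":")[2]
        num = int(sc.get("syscall", -1))
        rule = "allow %s %s:%s { %s };" % (
            src, tgt, avc["tclass"], " ".join(avc["perms"]))
        out.append({"event": event, "path": avc["path"],
                    "syscall": I386_SYSCALLS.get(num, str(num)),
                    "errno": errno.errorcode.get(-int(sc.get("exit", 0)), "?"),
                    "rule": rule})
    return out

if __name__ == "__main__":
    print(summarize(RAW))
```
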



Re: exim: SELinux

2009-07-12 Thread Thomas Spura
On Monday, 13.07.2009, at 00:04 +0200, Frank Chiulli wrote:
> SELinux is preventing exim (exim_t) getattr boot_t.
>
> Detailed Description:
>
> SELinux denied access requested by exim. It is not expected that this access is
> required by exim and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
> Any thoughts/suggestions?

I once had a similar issue, try:

touch /.autorelabel && reboot

-Thomas
