Re: exim: SELinux

2009-07-26 Thread Frank Chiulli
Sorry for the delay in responding.  I've been on the road and unable
to access my Fedora box.  So after a little grief with SELinux and
permissions I have a log file of exim.  I'd post it here but it's 724
lines long.  I looked for boot in the file but came up empty.  Is
there some snippet of the file that I could post?

Frank

On Thu, Jul 16, 2009 at 1:37 AM, Gordon Messmer wrote:
> On 07/14/2009 07:33 PM, Frank Chiulli wrote:
>>
>> Here's what I did:
>>    - as root, I ran '/etc/init.d/exim stop'
>>    - as root, I ran 'exim -bd -d"+all">/tmp/ex.file 2>&1'
>>
>>    - as a normal user, I ran 'fetchmail'
>>      In the past, this would result in an AVC error; but not this time.
>>      BTW, there was one new message in my mail file as a result of this.
>
> Sadly, starting exim in that way will not give it the same SELinux context
> as it would get when run by the init process.  If you stop the service and
> "service exim start", it should get its old context, and the AVC messages
> should return.  That'll get you back to where you can debug the problem.
>

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines


Re: exim: SELinux

2009-07-27 Thread Daniel J Walsh
On 07/26/2009 05:45 PM, Frank Chiulli wrote:
> Sorry for the delay in responding.  I've been on the road and unable
> to access my Fedora box.  So after a little grief with SELinux and
> permissions I have a log file of exim.  I'd post it here but it's 724
> lines long.  I looked for boot in the file but came up empty.  Is
> there some snippet of the file that I could post?
> 
> Frank
> 
> On Thu, Jul 16, 2009 at 1:37 AM, Gordon Messmer wrote:
>> On 07/14/2009 07:33 PM, Frank Chiulli wrote:
>>> Here's what I did:
>>>    - as root, I ran '/etc/init.d/exim stop'
>>>    - as root, I ran 'exim -bd -d"+all">/tmp/ex.file 2>&1'
>>>
>>>    - as a normal user, I ran 'fetchmail'
>>>      In the past, this would result in an AVC error; but not this time.
>>>      BTW, there was one new message in my mail file as a result of this.
>> Sadly, starting exim in that way will not give it the same SELinux context
>> as it would get when run by the init process.  If you stop the service and
>> "service exim start", it should get its old context, and the AVC messages
>> should return.  That'll get you back to where you can debug the problem.
>>
> 
Just compress the log file.  



Re: exim: SELinux

2009-07-27 Thread Frank Chiulli
On Mon, Jul 27, 2009 at 6:34 AM, Daniel J Walsh wrote:
> On 07/26/2009 05:45 PM, Frank Chiulli wrote:
>> Sorry for the delay in responding.  I've been on the road and unable
>> to access my Fedora box.  So after a little grief with SELinux and
>> permissions I have a log file of exim.  I'd post it here but it's 724
>> lines long.  I looked for boot in the file but came up empty.  Is
>> there some snippet of the file that I could post?
>>
>> Frank
>>

> Just compress the log file.
>

I've attached the compressed log file.

Frank


exim_debug.log.bz2
Description: BZip2 compressed data

Fwd: exim: SELinux

2009-07-13 Thread Frank Chiulli
Probably should have posted to this list first.

Frank


-- Forwarded message --
From: Frank Chiulli 
Date: Mon, Jul 13, 2009 at 5:17 AM
Subject: Re: exim: SELinux
To: Didar Hossain 
Cc: Fedora Infrastructure 


Didar,
Mail is arriving.  I just get one SELinux message for every mail message.

I agree...exim should not be referencing /boot AFAIK.  But I'm not an expert.

Frank

On Mon, Jul 13, 2009 at 2:14 AM, Didar Hossain wrote:
> On Mon, Jul 13, 2009 at 5:41 AM, Frank Chiulli wrote:
>> Thomas,
>> Thanks for the suggestion.  Unfortunately it did not work.  I'm still
>> getting the same error.
>>
>> Frank
>
> Is Exim not executing its job as it is supposed to - as in delivery
> of mail is hampered by this error?
>
> I am no SELinux or Exim expert, but, AFAIK the "/boot" directory is
> not supposed to be related to the regular functioning of Exim.
>
> Didar
>



Re: exim: SELinux

2009-07-13 Thread Frank Chiulli
I realized that just before I received your email and did post to
fedora-list.  My mistake and thanks for the heads up.

Frank

On Mon, Jul 13, 2009 at 5:22 AM, David JM Emmett wrote:
> Don't mean to be completely rude but doesn't this belong on a support
> forum?
>
> On Mon, 2009-07-13 at 05:17 -0700, Frank Chiulli wrote:
>> Didar,
>> Mail is arriving.  I just get one SELinux message for every mail message.
>>
>> I agree...exim should not be referencing /boot AFAIK.  But I'm not an expert.
>>
>> Frank
>>
>> On Mon, Jul 13, 2009 at 2:14 AM, Didar Hossain wrote:
>> > On Mon, Jul 13, 2009 at 5:41 AM, Frank Chiulli wrote:
>> >> Thomas,
>> >> Thanks for the suggestion.  Unfortunately it did not work.  I'm still
>> >> getting the same error.
>> >>
>> >> Frank
>> >
>> > Is Exim not executing its job as it is supposed to - as in delivery
>> > of mail is hampered by this error?
>> >
>> > I am no SELinux or Exim expert, but, AFAIK the "/boot" directory is
>> > not supposed to be related to the regular functioning of Exim.
>> >
>> > Didar
>> >
>>
>> ___
>> Fedora-infrastructure-list mailing list
>> fedora-infrastructure-l...@redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
>
>



Re: exim: SELinux

2009-07-13 Thread Daniel J Walsh
On 07/13/2009 08:24 AM, Frank Chiulli wrote:
> I realized that just before I received your email and did post to
> fedora-list.  My mistake and thanks for the heads up.
> 
> Frank
> 
> On Mon, Jul 13, 2009 at 5:22 AM, David JM Emmett wrote:
>> Don't mean to be completely rude but doesn't this belong on a support
>> forum?
>>
>> On Mon, 2009-07-13 at 05:17 -0700, Frank Chiulli wrote:
>>> Didar,
>>> Mail is arriving.  I just get one SELinux message for every mail message.
>>>
>>> I agree...exim should not be referencing /boot AFAIK.  But I'm not an 
>>> expert.
>>>
>>> Frank
>>>
>>> On Mon, Jul 13, 2009 at 2:14 AM, Didar Hossain wrote:
>>>> On Mon, Jul 13, 2009 at 5:41 AM, Frank Chiulli wrote:
>>>>> Thomas,
>>>>> Thanks for the suggestion.  Unfortunately it did not work.  I'm still
>>>>> getting the same error.
>>>>>
>>>>> Frank
>>>> Is Exim not executing its job as it is supposed to - as in delivery
>>>> of mail is hampered by this error?
>>>>
>>>> I am no SELinux or Exim expert, but, AFAIK the "/boot" directory is
>>>> not supposed to be related to the regular functioning of Exim.
>>>>
>>>> Didar
>>>>
>>
> 
I am missing the first email in this chain.  What AVC are you seeing from exim 
when mail arrives?



Re: exim: SELinux

2009-07-13 Thread Frank Chiulli
Nigel,
No reference to boot in the exim.conf.  That was one of the first
things that I checked.

Frank

On Mon, Jul 13, 2009 at 6:06 AM, Nigel Metheringham wrote:
>
> On 13 Jul 2009, at 13:17, Frank Chiulli wrote:
>>
>> Mail is arriving.  I just get one SELinux message for every mail message.
>>
>> I agree...exim should not be referencing /boot AFAIK.  But I'm not an
>> expert.
>
>
> Without having seen the config I can only make wild guesses...
>
> However the wild guess I would make is that exim is doing a check for
> available space in the spool and log directories, and this is triggering the
> SELinux check on the statvfs() call.
>
> It is a wild guess though :-)
>
> Can you make sure that there are no references to boot in the config files
>
>        Nigel.
> --
> [ Nigel Metheringham             nigel.methering...@intechnology.com ]
> [ - Comments in this message are my own and not ITO opinion/policy - ]
>
>



Re: exim: SELinux

2009-07-13 Thread Frank Chiulli
Here is the original post:

This is a recently installed/patched F11 system.  It was a fresh
install to one disk leaving my home directory untouched on another
disk.  Today, I installed exim and removed sendmail via yum at the
command line.  I am using the same exim.conf file that I had used with
F10 after having compared it to the original one.  I am now receiving
the following message when I attempt to retrieve mail from my ISP:
Jul 12 14:26:36 flinux setroubleshoot: SELinux is preventing exim
(exim_t) "getattr" boot_t. For complete SELinux messages. run sealert
-l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad


sealert -l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
Summary:

SELinux is preventing exim (exim_t) "getattr" boot_t.

Detailed Description:

SELinux denied access requested by exim. It is not expected that this access is
required by exim and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:exim_t:s0
Target Context                system_u:object_r:boot_t:s0
Target Objects                /boot [ dir ]
Source                        exim
Source Path                   /usr/sbin/exim
Port
Host                          flinux
Source RPM Packages           exim-4.69-10.fc11
Target RPM Packages           filesystem-2.4.21-1.fc11
Policy RPM                    selinux-policy-3.6.12-62.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     flinux
Platform                      Linux flinux 2.6.29.5-191.fc11.i686.PAE #1 SMP Tue
                              Jun 16 23:19:53 EDT 2009 i686 athlon
Alert Count                   289
First Seen                    Sun Jul 12 14:22:12 2009
Last Seen                     Sun Jul 12 14:23:53 2009
Local ID                      e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
Line Numbers

Raw Audit Messages

node=flinux type=AVC msg=audit(1247433833.210:331): avc:  denied  {
getattr } for  pid=2508 comm="exim" path="/boot" dev=sda1 ino=2
scontext=unconfined_u:system_r:exim_t:s0
tcontext=system_u:object_r:boot_t:s0 tclass=dir

node=flinux type=SYSCALL msg=audit(1247433833.210:331): arch=4003
syscall=195 success=no exit=-13 a0=bfa2e2c2 a1=bfa2e6b8 a2=b7dbfff4
a3=0 items=0 ppid=2447 pid=2508 auid=500 uid=93 gid=93 euid=93 suid=93
fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=1 comm="exim"
exe="/usr/sbin/exim" subj=unconfined_u:system_r:exim_t:s0 key=(null)

Frank

On Mon, Jul 13, 2009 at 8:02 AM, Daniel J Walsh wrote:
> On 07/13/2009 08:24 AM, Frank Chiulli wrote:
>> I realized that just before I received your email and did post to
>> fedora-list.  My mistake and thanks for the heads up.
>>
>> Frank
>>
>> On Mon, Jul 13, 2009 at 5:22 AM, David JM Emmett wrote:
>>> Don't mean to be completely rude but doesn't this belong on a support
>>> forum?
>>>
>>> On Mon, 2009-07-13 at 05:17 -0700, Frank Chiulli wrote:
>>>> Didar,
>>>> Mail is arriving.  I just get one SELinux message for every mail message.
>>>>
>>>> I agree...exim should not be referencing /boot AFAIK.  But I'm not an
>>>> expert.
>>>>
>>>> Frank
>>>>
>>>> On Mon, Jul 13, 2009 at 2:14 AM, Didar Hossain wrote:
>>>>> On Mon, Jul 13, 2009 at 5:41 AM, Frank Chiulli wrote:
>>>>>> Thomas,
>>>>>> Thanks for the suggestion.  Unfortunately it did not work.  I'm still
>>>>>> getting the same error.
>>>>>>
>>>>>> Frank
>>>>> Is Exim not executing its job as it is supposed to - as in delivery
>>>>> of mail is hampered by this error?
>>>>>
>>>>> I am no SELinux or Exim expert, but, AFAIK the "/boot" directory is
>>>>> not supposed to be related to the regular functioning of Exim.
>>>>>
>>>>> Didar
>>>>>
>>>
>>
> I am missing the first email in this chain.  What AVC are you seeing from 
> exim when mail arrives?
>

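Added example (not code from the thread, nor from exim or setroubleshoot): a small triage helper that parses the two raw audit records from the post above, joins them on the audit event id the way ausearch does, and decodes the denial into the facts worth checking before anyone writes a local policy module. It assumes 32-bit x86 syscall numbering, as the Platform line above indicates; the seuser check also shows the daemon was not carrying init's system_u identity, which is the context difference Gordon Messmer points out later in the thread.

```python
import errno
import re

# Constructed sample: the AVC and SYSCALL records quoted in the original
# post, re-joined onto one line each as auditd writes them to audit.log.
SAMPLE_AUDIT = (
    'node=flinux type=AVC msg=audit(1247433833.210:331): avc:  denied  { getattr } '
    'for  pid=2508 comm="exim" path="/boot" dev=sda1 ino=2 '
    'scontext=unconfined_u:system_r:exim_t:s0 tcontext=system_u:object_r:boot_t:s0 '
    'tclass=dir\n'
    'node=flinux type=SYSCALL msg=audit(1247433833.210:331): arch=4003 syscall=195 '
    'success=no exit=-13 a0=bfa2e2c2 a1=bfa2e6b8 a2=b7dbfff4 a3=0 items=0 ppid=2447 '
    'pid=2508 auid=500 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 '
    'fsgid=93 tty=(none) ses=1 comm="exim" exe="/usr/sbin/exim" '
    'subj=unconfined_u:system_r:exim_t:s0 key=(null)\n'
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+:\d+)\)')
# Assumption: 32-bit x86 syscall numbering (the Platform line says i686);
# only the stat/statfs family that path and spool-space checks hit is listed.
I386_SYSCALLS = {99: "statfs", 100: "fstatfs", 195: "stat64", 196: "lstat64",
                 197: "fstat64", 268: "statfs64", 269: "fstatfs64"}

def parse_record(line):
    """Split one audit record into key=value fields; AVC records also get
    the set of denied permissions from the '{ ... }' group."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    ev = EVENT_RE.search(line)
    rec["event"] = ev.group(1) if ev else None
    if rec.get("type") == "AVC":
        perms = PERMS_RE.search(line)
        rec["perms"] = set(perms.group(1).split()) if perms else set()
    return rec

def correlate(text):
    """Group records by audit event id (the '1247433833.210:331' serial),
    the same join ausearch does, so an AVC can be read with its SYSCALL."""
    events = {}
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        events.setdefault(rec["event"], {})[rec["type"]] = rec
    return events

def triage(event):
    """Reduce one correlated event to the facts a defender checks first."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    seuser, _role, domain = avc["scontext"].split(":")[:3]
    num, rc = int(sc.get("syscall", -1)), int(sc.get("exit", 0))
    return {
        "domain": domain, "target_type": avc["tcontext"].split(":")[2],
        "tclass": avc["tclass"], "perms": sorted(avc["perms"]),
        "path": avc.get("path"), "syscall": I386_SYSCALLS.get(num, "syscall %d" % num),
        "errno": errno.errorcode.get(-rc, str(rc)),
        # Daemons started by init run as system_u; unconfined_u on a system_r:exim_t
        # process means it inherited a login user's SELinux identity instead.
        "seuser_is_system": seuser == "system_u",
    }

if __name__ == "__main__":
    for ev_id, ev in correlate(SAMPLE_AUDIT).items():
        print(ev_id, triage(ev))
```

Run against a real audit.log, the same join lets you see at once that the denied call is a stat64 on /boot returning EACCES, i.e. exactly the getattr the one-line setroubleshoot summary reports.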


Re: exim: SELinux

2009-07-14 Thread John Horne
On Mon, 2009-07-13 at 13:05 -0700, Frank Chiulli wrote:
> Nigel,
> No reference to boot in the exim.conf.  That was one of the first
> things that I checked.
> 
Could there be a redirection (e.g. via /etc/aliases) or a .forward file
referring to /boot somewhere on your system? It would require having an
account within /boot which in itself would be a bit odd.

Alternatively, try running exim with debugging cranked up in a terminal
session, e.g:

exim -bd -d"+all" >/tmp/ex.file 2>&1

Then try accessing mail from your isp using a separate session. Once
done (or it has failed), control-c the above session and look in the
'ex.file' to see where /boot is being used.



John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: john.ho...@plymouth.ac.uk   Fax: +44 (0)1752 587001



Re: exim: SELinux

2009-07-14 Thread Daniel J Walsh

On 07/13/2009 04:06 PM, Frank Chiulli wrote:
> Here is the original post:
>
> This is a recently installed/patched F11 system.  It was a fresh
> install to one disk leaving my home directory untouched on another
> disk.  Today, I installed exim and removed sendmail via yum at the
> command line.  I am using the same exim.conf file that I had used with
> F10 after having compared it to the original one.  I am now receiving
> the following message when I attempt to retrieve mail from my ISP:
> Jul 12 14:26:36 flinux setroubleshoot: SELinux is preventing exim
> (exim_t) "getattr" boot_t. For complete SELinux messages. run sealert
> -l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
>
>
> sealert -l e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
> Summary:
>
> SELinux is preventing exim (exim_t) "getattr" boot_t.
>
> Detailed Description:
>
> SELinux denied access requested by exim. It is not expected that this access is
> required by exim and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                unconfined_u:system_r:exim_t:s0
> Target Context                system_u:object_r:boot_t:s0
> Target Objects                /boot [ dir ]
> Source                        exim
> Source Path                   /usr/sbin/exim
> Port
> Host                          flinux
> Source RPM Packages           exim-4.69-10.fc11
> Target RPM Packages           filesystem-2.4.21-1.fc11
> Policy RPM                    selinux-policy-3.6.12-62.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     flinux
> Platform                      Linux flinux 2.6.29.5-191.fc11.i686.PAE #1 SMP Tue
>                               Jun 16 23:19:53 EDT 2009 i686 athlon
> Alert Count                   289
> First Seen                    Sun Jul 12 14:22:12 2009
> Last Seen                     Sun Jul 12 14:23:53 2009
> Local ID                      e699bb55-c0dc-4bbf-a57e-3d82d6dadcad
> Line Numbers
>
> Raw Audit Messages
>
> node=flinux type=AVC msg=audit(1247433833.210:331): avc:  denied  {
> getattr } for  pid=2508 comm="exim" path="/boot" dev=sda1 ino=2
> scontext=unconfined_u:system_r:exim_t:s0
> tcontext=system_u:object_r:boot_t:s0 tclass=dir
>
> node=flinux type=SYSCALL msg=audit(1247433833.210:331): arch=4003
> syscall=195 success=no exit=-13 a0=bfa2e2c2 a1=bfa2e6b8 a2=b7dbfff4
> a3=0 items=0 ppid=2447 pid=2508 auid=500 uid=93 gid=93 euid=93 suid=93
> fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=1 comm="exim"
> exe="/usr/sbin/exim" subj=unconfined_u:system_r:exim_t:s0 key=(null)
>
> Frank
>
> On Mon, Jul 13, 2009 at 8:02 AM, Daniel J Walsh wrote:
>> On 07/13/2009 08:24 AM, Frank Chiulli wrote:
>>> I realized that just before I received your email and did post to
>>> fedora-list.  My mistake and thanks for the heads up.
>>>
>>> Frank
>>>
>>> On Mon, Jul 13, 2009 at 5:22 AM, David JM Emmett wrote:
>>>> Don't mean to be completely rude but doesn't this belong on a support
>>>> forum?
>>>>
>>>> On Mon, 2009-07-13 at 05:17 -0700, Frank Chiulli wrote:
>>>>> Didar,
>>>>> Mail is arriving.  I just get one SELinux message for every mail message.
>>>>>
>>>>> I agree...exim should not be referencing /boot AFAIK.  But I'm not an expert.
>>>>>
>>>>> Frank
>>>>>
>>>>> On Mon, Jul 13, 2009 at 2:14 AM, Didar Hossain wrote:
>>>>>> On Mon, Jul 13, 2009 at 5:41 AM, Frank Chiulli wrote:
>>>>>>> Thomas,
>>>>>>> Thanks for the suggestion.  Unfortunately it did not work.  I'm still
>>>>>>> getting the same error.
>>>>>>>
>>>>>>> Frank
>>>>>>
>>>>>> Is Exim not executing its job as it is supposed to - as in delivery
>>>>>> of mail is hampered by this error?
>>>>>>
>>>>>> I am no SELinux or Exim expert, but, AFAIK the "/boot" directory is
>>>>>> not supposed to be related to the regular functioning of Exim.
>>>>>>
>>>>>> Didar
>>>>>
>>>>
>>>
>> I am missing the first email in this chain.  What AVC are you seeing from exim
>> when mail arrives?
>


I think these usually happen when the user is listing /

    ls -lZ /

could cause this type of AVC.

Or if the confined application was started when its Current Working
Directory was the /boot directory.





Re: exim: SELinux

2009-07-14 Thread Frank Chiulli
John,
I tried as you suggested below.  The result...no errors!!!

Ok so now I'm confused.  exim is normally started at boot time by
/etc/init.d/exim.  There is no reference to boot in that script.  That
script is part of the exim package.

Here's what I did:
   - as root, I ran '/etc/init.d/exim stop'
   - as root, I ran 'exim -bd -d"+all" >/tmp/ex.file 2>&1'

   - as a normal user, I ran 'fetchmail'
     In the past, this would result in an AVC error; but not this time.
     BTW, there was one new message in my mail file as a result of this.

Frank

On Tue, Jul 14, 2009 at 12:33 AM, John Horne wrote:
> On Mon, 2009-07-13 at 13:05 -0700, Frank Chiulli wrote:
>> Nigel,
>> No reference to boot in the exim.conf.  That was one of the first
>> things that I checked.
>>
> Could there be a redirection (e.g. via /etc/aliases) or a .forward file
> referring to /boot somewhere on your system? It would require having an
> account within /boot which in itself would be a bit odd.
>
> Alternatively, try running exim with debugging cranked up in a terminal
> session, e.g:
>
>    exim -bd -d"+all" >/tmp/ex.file 2>&1
>
> Then try accessing mail from your isp using a separate session. Once
> done (or it has failed), control-c the above session and look in the
> 'ex.file' to see where /boot is being used.
>
>
>
> John.
>
> --
> ---
> John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
> E-mail: john.ho...@plymouth.ac.uk       Fax: +44 (0)1752 587001
>



Re: exim: SELinux

2009-07-16 Thread Gordon Messmer

On 07/14/2009 07:33 PM, Frank Chiulli wrote:
> Here's what I did:
>    - as root, I ran '/etc/init.d/exim stop'
>    - as root, I ran 'exim -bd -d"+all">/tmp/ex.file 2>&1'
>
>    - as a normal user, I ran 'fetchmail'
>      In the past, this would result in an AVC error; but not this time.
>      BTW, there was one new message in my mail file as a result of this.


Sadly, starting exim in that way will not give it the same SELinux 
context as it would get when run by the init process.  If you stop the 
service and "service exim start", it should get its old context, and the 
AVC messages should return.  That'll get you back to where you can debug 
the problem.

