Re: SELinux Exim Problem
- From: Didar Hossain <didar.hossain@xxxxxxxxx>
- Date: Tue, 8 Sep 2009 13:12:12 +0530
On Mon, Sep 7, 2009 at 4:08 PM, Daniel J Walsh<dwalsh@xxxxxxxxxx> wrote:
On 09/07/2009 04:34 AM, Didar Hossain wrote:
On Sat, Sep 5, 2009 at 9:45 PM, Frank Chiulli<frankc.fedora@xxxxxxxxx> wrote:
Probably some API that exim is calling is looking at the mounted file systems, which is causing it to look at /boot.
On F11 when exim attempts to retrieve mail from my ISP, I get the following:
How are you pulling the mail from your ISP?
Summary:
SELinux is preventing exim (exim_t) "getattr" boot_t.
Detailed Description:
SELinux denied access requested by exim. It is not expected that this
access is required by exim and this access may signal an intrusion
attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional
access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
package.
Additional Information:
Source Context system_u:system_r:exim_t:s0
Target Context system_u:object_r:boot_t:s0
Target Objects /boot [ dir ]
Source exim
Source Path /usr/sbin/exim
Port <Unknown>
Host flinux
Source RPM Packages exim-4.69-10.fc11
Target RPM Packages filesystem-2.4.21-1.fc11
Policy RPM selinux-policy-3.6.12-80.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name flinux
Platform Linux flinux 2.6.29.6-217.2.16.fc11.i686.PAE #1
SMP Mon Aug 24 17:16:21 EDT 2009 i686 athlon
Alert Count 327
First Seen Sun 12 Jul 2009 05:09:10 PM PDT
Last Seen Sat 05 Sep 2009 09:05:41 AM PDT
Local ID c330c7e2-7fd7-45ae-8ebb-8de1def6e145
Line Numbers
Raw Audit Messages
node=flinux type=AVC msg=audit(1252166741.77:28): avc: denied {
getattr } for pid=2279 comm="exim" path="/boot" dev=sda1 ino=2
scontext=system_u:system_r:exim_t:s0
tcontext=system_u:object_r:boot_t:s0 tclass=dir
node=flinux type=SYSCALL msg=audit(1252166741.77:28): arch=40000003
syscall=195 success=no exit=-13 a0=bfbe1292 a1=bfbe1688 a2=756ff4 a3=0
items=0 ppid=1489 pid=2279 auid=4294967295 uid=93 gid=93 euid=93
suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295
comm="exim" exe="/usr/sbin/exim" subj=system_u:system_r:exim_t:s0
key=(null)
=====
Other information:
RPMs:
exim-4.69-10.fc11.i586
selinux-policy-3.6.12-80.fc11.noarch
selinux-policy-targeted-3.6.12-80.fc11.noarch
The mail does get through but I get an SELinux error for each message.
I've looked for '/boot' in exim config files but came up empty.
I installed F11 but kept my home directory which is on a different disk.
Since I have not heard anyone else complaining about this, I figure
that it's my configuration. I just don't know where else to look.
Frank
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Do you think we need a Bug filed for this? An MTA doing a "getattr" on
/boot seems a little unnecessary to me.
I think we can allow this for now.
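Added example, not part of the original thread: a Python sketch of the step the alert text describes ("generate a local policy module"). It joins the quoted AVC and SYSCALL records by audit event ID and derives the type-enforcement rule that would permit the denied access. The module name `local_exim` and the function names are assumptions made for illustration; on a real system `audit2allow` performs this derivation.

```python
import re
from collections import defaultdict
# The two raw audit records quoted in the thread, unwrapped to one per line.
SAMPLE = """\
node=flinux type=AVC msg=audit(1252166741.77:28): avc: denied { getattr } for pid=2279 comm="exim" path="/boot" dev=sda1 ino=2 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
node=flinux type=SYSCALL msg=audit(1252166741.77:28): arch=40000003 syscall=195 success=no exit=-13 a0=bfbe1292 a1=bfbe1688 a2=756ff4 a3=0 items=0 ppid=1489 pid=2279 auid=4294967295 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 tty=(none) ses=4294967295 comm="exim" exe="/usr/sbin/exim" subj=system_u:system_r:exim_t:s0 key=(null)
"""

EVENT = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit event id so each AVC sits beside its SYSCALL."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # not an audit record
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        p = PERMS.search(line)
        if p:  # only denials carry a permission set we act on
            fields["perms"] = p.group(1).split()
        events[m.group(2)][m.group(1)] = fields
    return dict(events)

def denial_rules(events):
    """Collapse denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for ev in events.values():
        avc = ev.get("AVC", {})
        if "perms" in avc:
            ctx = [avc[k].split(":")[2] for k in ("scontext", "tcontext")]  # user:role:type:level
            rules[(ctx[0], ctx[1], avc["tclass"])].update(avc["perms"])
    return dict(rules)

def render_te(name, rules):
    """Render local policy module source (.te) with require block and allow rules."""
    fmt = lambda p: " ".join(sorted(p)) if len(p) == 1 else "{ %s }" % " ".join(sorted(p))
    types = sorted({x for (s, t, _c) in rules for x in (s, t)})
    classes = defaultdict(set)
    for (_s, _t, cls), perms in rules.items():
        classes[cls] |= perms
    req = [f"\ttype {t};" for t in types] + [f"\tclass {c} {fmt(p)};" for c, p in sorted(classes.items())]
    allow = [f"allow {s} {t}:{c} {fmt(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join([f"module {name} 1.0;", "", "require {", *req, "}", "", *allow, ""])

if __name__ == "__main__":
    print(render_te("local_exim", denial_rules(parse_events(SAMPLE))))
```

The output is policy source only; it would still have to be reviewed, compiled and loaded with `semodule` before it has any effect.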