Bug 1715569
Summary: | Can't use lmtp socket for delivering mail via fetchmail | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | info <info>
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela>
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | low | Docs Contact: |
Priority: | low | |
Version: | 30 | CC: | dwalsh, lvrabec, mgrepl, plautrba, zpytela
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | selinux-policy-3.14.3-39.fc30 | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2019-06-20 02:54:51 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
info@kobaltwit.be
2019-05-30 16:35:21 UTC
Note the local fix suggested by the audit log is not working:

```
# ausearch -c 'fetchmail' --raw | audit2allow -M my-fetchmail
Nothing to do
```

So I'm not sure how to work around this atm other than via going into permissive mode?

---

Hi,

It is possible the audit logs have been rotated. You can create the module this way, having its content under control rather than using audit2allow -M:

```
# cat << EOF > fetchmail-dovecot.te
module fetchmail-dovecot 1.0;

require {
	type dovecot_var_run_t;
	type fetchmail_t;
	class sock_file write;
}

#============= fetchmail_t ==============
allow fetchmail_t dovecot_var_run_t:sock_file write;
EOF
# make -f /usr/share/selinux/devel/Makefile fetchmail-dovecot.pp
# semodule -i fetchmail-dovecot.pp
```

Try the scenario again and check if all denials are gone. Please note the selinux-policy-devel package is required to build a custom module.

---

With the policy from comment 2 in place I now get this one still:

```
# sealert -l 783f2191-d981-4fa5-b871-b3b6b7eea78c
/usr/bin/sealert:32: DeprecationWarning: Importing dbus.glib to use the GLib main loop with dbus-python is deprecated.
Instead, use this sequence:

  from dbus.mainloop.glib import DBusGMainLoop
  DBusGMainLoop(set_as_default=True)

  import dbus.glib
SELinux belet fetchmail connectto toegang op unix_stream_socket /run/dovecot/lmtp.

*****  Plugin catchall_boolean (met 89.3 vertrouwen) suggereert  ************

Als je enable cluster mode for daemons. wilt
Dan je moet dit aan SELinux doorgeven door het aanzetten van de 'daemons_enable_cluster_mode' boolean.

Doe
setsebool -P daemons_enable_cluster_mode 1

*****  Plugin catchall (met 11.6 vertrouwen) suggereert  ********************

Als je denkt dat fetchmail standaard connectto toegang moet hebben tot de lmtp unix_stream_socket.
Dan je moet dit melden als een fout.
Je kunt een locale tactiek module genereren om deze toegang toe te staan.
Doe
sta deze toegang nu toe door het uitvoeren van:
# ausearch -c 'fetchmail' --raw | audit2allow -M my-fetchmail
# semodule -X 300 -i my-fetchmail.pp

Aanvullende informatie:
Broncontext                   system_u:system_r:fetchmail_t:s0
Doelcontext                   system_u:system_r:dovecot_t:s0
Doelobjecten                  /run/dovecot/lmtp [ unix_stream_socket ]
Bron                          fetchmail
Bronpad                       fetchmail
Poort                         <Unknown>
Host                          mail-new.kobaltwit.be
Bron RPM-pakketten
Doel RPM-pakketten
Beleid RPM                    selinux-policy-3.14.3-37.fc30.noarch
SELinux aangezet              True
Beleidstype                   targeted
Afdwingende modus             Enforcing
Hostnaam                      mail-new.kobaltwit.be
Platform                      Linux mail-new.kobaltwit.be 5.0.16-300.fc30.x86_64 #1 SMP Tue May 14 19:33:09 UTC 2019 x86_64 x86_64
Aantal waarschuwingen         5
Eerst gezien op               2019-06-02 12:30:22 CEST
Laatst gezien op              2019-06-05 16:36:44 CEST
Locale ID                     783f2191-d981-4fa5-b871-b3b6b7eea78c

Onbewerkte auditboodschappen
type=AVC msg=audit(1559745404.532:16297): avc: denied { connectto } for pid=343 comm="fetchmail" path="/run/dovecot/lmtp" scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:dovecot_t:s0 tclass=unix_stream_socket permissive=0

Hash: fetchmail,fetchmail_t,dovecot_t,unix_stream_socket,connectto
```

After doing the suggested audit2allow/semodule dance fetchmail did work. So it looks like there are only two denials to fix.

---

```
commit 64d8b199df391a3c91f33c9299e90ac20744d8ad (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Mon Jun 10 13:51:16 2019 +0200

    Allow fetchmail_t to connect to dovecot stream sockets

    BZ(1715569)
```

---

FEDORA-2019-9da5c35472 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472

---

selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472

---

selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
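The two denials in this report (sock_file write, then unix_stream_socket connectto) are exactly the situation where a hand-written module like the one in comment 2 beats `setsebool daemons_enable_cluster_mode`: the boolean that sealert ranked at 89.3% confidence opens far more than fetchmail-to-dovecot, while the upstream fix in the quoted commit is the single targeted allow rule. The script below is an added example, not part of the bug report, of selinux-policy, or of audit2allow: it parses raw AVC records into the minimal `.te` source that the devel Makefile from comment 2 can compile, so every rule is visible before `semodule -i`. The first sample line is the real AVC record from the sealert output; the second (sock_file write) is constructed, since the report only shows the rule it led to, and the module name `fetchmail-dovecot` is reused from comment 2.

```python
"""Generate a minimal SELinux policy module (.te) from raw AVC denial lines.

Added example: a small, reviewable stand-in for `audit2allow -M` that keeps the
generated rules under your control. It only emits `allow` rules for the exact
source type, target type, object class and permissions seen in the denials.
"""
import re
from collections import OrderedDict

# Fields of an AVC record that a policy rule needs: permissions, contexts, class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Real AVC line from the bug report (second denial: fetchmail -> dovecot lmtp socket).
REAL_AVC = (
    'type=AVC msg=audit(1559745404.532:16297): avc: denied { connectto } for pid=343 '
    'comm="fetchmail" path="/run/dovecot/lmtp" scontext=system_u:system_r:fetchmail_t:s0 '
    'tcontext=system_u:system_r:dovecot_t:s0 tclass=unix_stream_socket permissive=0'
)
# Constructed line for the first denial (write on the socket file). The report only
# shows the resulting allow rule, so the timestamp, pid and inode here are made up.
CONSTRUCTED_AVC = (
    'type=AVC msg=audit(1559745000.000:16000): avc:  denied  { write } for  pid=343 '
    'comm="fetchmail" name="lmtp" dev="tmpfs" ino=4242 '
    'scontext=system_u:system_r:fetchmail_t:s0 '
    'tcontext=system_u:object_r:dovecot_var_run_t:s0 tclass=sock_file permissive=0'
)
# A non-AVC record is included to show that unrelated audit lines are ignored.
SAMPLE_LOG = [REAL_AVC, CONSTRUCTED_AVC, "type=SYSCALL msg=audit(0.0:1): not an AVC line"]


def context_type(ctx):
    """Return the type field of a security context (user:role:type[:range])."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into (source_type, target_type, tclass, perms), or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = tuple(sorted(m.group("perms").split()))
    return (context_type(m.group("scontext")), context_type(m.group("tcontext")),
            m.group("tclass"), perms)


def collect_rules(lines):
    """Merge denials into {(stype, ttype, tclass): set(perms)}, in first-seen order."""
    rules = OrderedDict()
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        rules.setdefault((stype, ttype, tclass), set()).update(perms)
    return rules


def build_te(name, lines, version="1.0"):
    """Render module source that the selinux-policy-devel Makefile can compile to .pp."""
    rules = collect_rules(lines)
    types = sorted({t for (s, tt, _) in rules for t in (s, tt)})
    classes = OrderedDict()
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in classes.items()]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in rules.items():
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Write the output to fetchmail-dovecot.te, review it, then build and load it
    # with the commands from comment 2:
    #   make -f /usr/share/selinux/devel/Makefile fetchmail-dovecot.pp
    #   semodule -i fetchmail-dovecot.pp
    print(build_te("fetchmail-dovecot", SAMPLE_LOG), end="")
```

Feeding it `ausearch -m AVC --raw` output instead of the embedded samples gives the same result on a live host; the point of keeping the generator this small is that a reviewer can confirm the module grants only the one fetchmail-to-dovecot path that the audit log actually recorded.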