fetchmail is blocked by SELinux

marozsas · 05-12-2006, 06:57 AM

Hi fellows,

I am having a problem with fetchmail not working at boot time. I figure out the problem is related to SElinux.

The facts:

I create a "/etc/fetchmailrc" file and put "/usr/bin/fetchmail -f /etc/fetchmailrc" at the end of "/etc/rc.local" in FC5. After the computer finish the boot, I can see fetchmail is running, but there is no messages at "/var/log/fetchamail.log" as expected. No avc error messages in /var/log/messages, either.

Code:

bash-3.1$ ls -l /var/log/fetchmail.log
-rw-r--r-- 1 root root 0 May 10 04:56 /var/log/fetchmail.log
bash-3.1$ ps -ef | grep -i fetch
root      2058     1  0 04:56 ?        00:00:00 /usr/bin/fetchmail -f /etc/fetchmailrc
miguel    3983  3967  0 08:01 pts/1    00:00:00 grep -i fetch
bash-3.1$ ls -lZ /var/log/fetchmail.log /usr/bin/fetchmail
-rwxr-xr-x  root     root     system_u:object_r:fetchmail_exec_t /usr/bin/fetchmail
-rw-r--r--  root     root     system_u:object_r:var_log_t      /var/log/fetchmail.log
bash-3.1$ ps -efZ | grep -i fetch
system_u:system_r:fetchmail_t   root      2058     1  0 04:56 ?        00:00:00 /usr/bin/fetchmail -f /etc/fetchmailrc
user_u:system_r:unconfined_t    miguel    3988  3967  0 08:03 pts/1    00:00:00 grep -i fetch
bash-3.1$

When, as root, I kill the fetchmail process, the following message is displayed in /var/log/message, only after fetchamail is killed, not before:

Code:

May 10 08:04:00 gold kernel: audit(1147259040.523:514): avc:  denied  { write } for  pid=2058 comm="fetchmail" name="[12088]" dev=pipefs ino=12088 scontext=system_u:system_r:fetchmail_t:s0 tcontext=system_u:system_r:fetchmail_t:s0 tclass=fifo_file

Now, as root, if I start fetchmail in a terminal, it works ! All e-mail messages are downloaded from the several POP/IMAP servers listed at /etc/fetchmailrc and delivered to the users. The log file now has all details of the downloaded messages.

Code:

[root@gold ~]# fetchmail -f /etc/fetchmailrc
fetchmail: WARNING: Running as root is discouraged.
[root@gold ~]# ps -efZ | grep fetchmail | grep -v grep
user_u:system_r:unconfined_t    root      4037     1  0 08:04 ?        00:00:00 fetchmail -f /etc/fetchmailrc
[root@gold ~]# ls -lZ /var/log/fetchmail.log
-rw-r--r--  root     root     system_u:object_r:var_log_t      /var/log/fetchmail.log
[root@gold ~]# ls -l /var/log/fetchmail.log
-rw-r--r-- 1 root root 2900 May 10 08:04 /var/log/fetchmail.log
[root@gold ~]#

So, the question is: How to start fetchmail at boot time as the same previlegies as root in a terminal ?

I read the SElinux FAQ but I can't find a way to solve this. fetchmail is not listed as a service in system-config-security tool, so I am lost.

Any ideas and comments will be welcome !

thanks,

billymayday · 05-13-2006, 05:16 PM

I start fetchmail from cron with an

@reboot fetchmail -d 600

statement

.fetchmailrc sits in /root

Works fine under SELinux, but perhaps not the ideal method

mcc28 · 05-14-2006, 07:20 AM

you may have the same problem as me...

run:

service fetchmail status

if it says locked & dead

run

service fetchmail cleanup

then

service fetchmail start

(all above as root)

The problem is SElinux but as yet Idon't know how to solve, I have posted a simlar message in FedoraForum-->Security

Mark

marozsas · 05-15-2006, 07:21 AM

Quote:

Originally Posted by billymayday

I start fetchmail from cron with an

@reboot fetchmail -d 600

statement

.fetchmailrc sits in /root

Works fine under SELinux, but perhaps not the ideal method

Yeah, this works for me too. Thanks for the hint.

This is not the ideal method but it is better than nothing. At least it works !

Code:

@reboot fetchmail -f /etc/fetchmailrc

billymayday · 05-16-2006, 04:07 AM

Nice to get some completed feedback. Thanks