Bug 161281

Summary: SElinux policy does not provide for cyrus imap server
Product: [Fedora] Fedora
Reporter: Duncan Gibb <redhat-bugs>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 4
CC: cushing, jeff, lindstrm, pchase2
Hardware: i386
OS: Linux
Fixed In Version: 1.27.1-1.1
Doc Type: Bug Fix
Last Closed: 2005-09-27 20:44:21 UTC
Attachments:
Working cyrus.te (flags: none)

Description Duncan Gibb 2005-06-22 00:09:26 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040913

Description of problem:
cyrus doesn't seem to get all the permissions it needs when selinux is set to "enforcing" mode with the default targeted policy.  In particular, /var/spool/imap is inaccessible to the daemon, and it is unable to bind to the imap(s) sockets.

Version-Release number of selected component (if applicable):
selinux-policy-targeted(-sources)-1.23.18-12

How reproducible:
Always

Steps to Reproduce:
1. Install cyrus, and configure it.
2. setenforce 1
3. service cyrus-imapd start

Actual Results:  /var/log/maillog contains things like

master[18294]: unable to create imap listener socket: Permission denied
master[18294]: unable to create imaps listener socket: Permission denied

and

imap[11585]: IOERROR: creating directory /var/spool/imap: Permission denied

cyradm is unable to create mailboxes.  IMAP clients are unable to connect.

If cyrus was already running when enforcement was turned on, IMAP operations that previously worked (open, create mailbox folders) fail due to "system I/O error" or less well-described errors.  /var/log/maillog contains things like

imap[18433]: IOERROR: opening /var/spool/imap/d/user/duncan/Archive/Lists/ACPI/cyrus.header: Permission denied

and /var/log/audit/audit.log contains things like

type=PATH msg=audit(1119394938.613:7716384): item=0 name="/var/spool/imap/d/user/duncan/Archive/cyrus.header" inode=163340 dev=fd:00 mode=0100600 ouid=76 ogid=12 rdev=00:00
type=SYSCALL msg=audit(1119394938.613:7716384): arch=40000003 syscall=5 success=no exit=-13 a0=bfcb9283 a1=2 a2=0 a3=bfcba36c items=1 pid=18433 auid=4294967295 uid=76 gid=12 euid=76 suid=76 fsuid=76 egid=12 sgid=12 fsgid=12 comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
type=AVC msg=audit(1119394938.613:7716384): avc:  denied  { read write } for  pid=18433 comm="imapd" name=cyrus.header dev=dm-0 ino=163340 scontext=root:system_r:cyrus_t tcontext=root:object_r:var_spool_t tclass=file
type=PATH msg=audit(1119394938.615:7716405): item=0 name="/var/spool/imap/d/user/duncan/Archive/Family/cyrus.header" inode=163354 dev=fd:00 mode=0100600 ouid=76 ogid=12 rdev=00:00
type=SYSCALL msg=audit(1119394938.615:7716405): arch=40000003 syscall=5 success=no exit=-13 a0=bfcb9283 a1=2 a2=0 a3=bfcba36c items=1 pid=18433 auid=4294967295 uid=76 gid=12 euid=76 suid=76 fsuid=76 egid=12 sgid=12 fsgid=12 comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
type=AVC msg=audit(1119394938.615:7716405): avc:  denied  { read write } for  pid=18433 comm="imapd" name=cyrus.header dev=dm-0 ino=163354 scontext=root:system_r:cyrus_t tcontext=root:object_r:var_spool_t tclass=file
type=PATH msg=audit(1119394938.617:7716426): item=0 name="/var/spool/imap/d/user/duncan/Archive/Friends/cyrus.header" inode=163357 dev=fd:00 mode=0100600 ouid=76 ogid=12 rdev=00:00

Expected Results:  Cyrus should still work with selinux enforcement enabled.

Additional info:

I have tried to update the patch submitted by Fritz Elfert against bug #123293 (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=100484), but so far without success.  I need an selinux expert.

Comment 1 Daniel Walsh 2005-06-26 11:41:51 UTC
Fixed in selinux-policy-targeted-1.23.18-17

Comment 2 Cushing Whitney 2005-07-03 00:29:39 UTC
selinux-policy-targeted-1.23.18-17 still doesn't fix the socket opening issue,
at least on my machine. When imapd is started, the following appears in the
audit log:

type=AVC msg=audit(1120348716.353:6576738): avc:  denied  { name_bind } for  pid=7719 comm="cyrus-master" src=143 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:pop_port_t tclass=tcp_socket

I think login.te needs something along the lines of:

allow cyrus_t pop_port_t:tcp_socket name_bind;

Comment 3 Patrick Chase 2005-07-05 01:05:26 UTC
The problem here is an error in policy/domains/programs/cyrus.te

At line 29 (in version 1.23.18-17) access to pop_port_t for cyrus_t is made
dependent on use_pop, which is undefined. Simply deleting the offending ifdef()
clause and reloading fixed the issue for me.

Comment 4 Daniel Walsh 2005-07-05 11:04:09 UTC
Fixed in selinux-policy-targeted-1.24-3

Comment 5 Jeff Carlson 2005-07-13 22:00:37 UTC
Sorry Dan, it still does not appear fixed.  I have
selinux-policy-targeted-1.25.1-7, did a make relabel and rebooted twice, and I
still get an error when trying to create a mailbox.  Here is what I get in my
audit log:

type=AVC msg=audit(1121287291.593:456000): avc:  denied  { search } for  pid=2306 comm="imapd" name=spool dev=hda10 ino=1178497 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:var_spool_t tclass=dir
type=SYSCALL msg=audit(1121287291.593:456000): arch=40000003 syscall=39 success=no exit=-13 a0=bfbb4249 a1=1ed a2=8150454 a3=bfbb4258 items=1 pid=2306 auid=4294967295 uid=76 gid=12 euid=76 suid=76 fsuid=76 egid=12 sgid=12 fsgid=12 comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
type=PATH msg=audit(1121287291.593:456000): item=0 name="/var/spool/imap" inode=1178497 dev=03:0a mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1121287291.597:456001): avc:  denied  { search } for  pid=2306 comm="imapd" name=spool dev=hda10 ino=1178497 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:var_spool_t tclass=dir
type=SYSCALL msg=audit(1121287291.597:456001): arch=40000003 syscall=195 success=no exit=-13 a0=bfbb4249 a1=bfbb1d7c a2=505ff4 a3=bfbb1d7c items=1 pid=2306 auid=4294967295 uid=76 gid=12 euid=76 suid=76 fsuid=76 egid=12 sgid=12 fsgid=12 comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
type=PATH msg=audit(1121287291.597:456001): item=0 name="/var/spool/imap" inode=1178497 dev=03:0a mode=040755 ouid=0 ogid=0 rdev=00:00

I'll also note that /usr/lib/cyrus-imapd/mkimap did make the "stage." directory,
but did not make the "user" directory.  I manually created it myself.
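
The allow rule proposed in Comment 2 and the search denials in Comment 5 are both read straight off the AVC records, so as an added example (not part of this bug report or of the Fedora policy) the Python below parses the four AVC lines quoted in this thread, embedded as constructed sample input with the wrapped lines rejoined, and merges them into one allow rule per source type, target type and object class, the way audit2allow does.

```python
import re

# Constructed sample input: the AVC records quoted in this bug
# (Description, Comment 2 and Comment 5), one record per line.
AVC_SAMPLES = """\
type=AVC msg=audit(1119394938.613:7716384): avc:  denied  { read write } for  pid=18433 comm="imapd" name=cyrus.header dev=dm-0 ino=163340 scontext=root:system_r:cyrus_t tcontext=root:object_r:var_spool_t tclass=file
type=AVC msg=audit(1120348716.353:6576738): avc:  denied  { name_bind } for  pid=7719 comm="cyrus-master" src=143 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:pop_port_t tclass=tcp_socket
type=AVC msg=audit(1121287291.593:456000): avc:  denied  { search } for  pid=2306 comm="imapd" name=spool dev=hda10 ino=1178497 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:var_spool_t tclass=dir
type=AVC msg=audit(1121287291.597:456001): avc:  denied  { search } for  pid=2306 comm="imapd" name=spool dev=hda10 ino=1178497 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:var_spool_t tclass=dir
"""

# Permissions are inside "{ ... }"; the security contexts are user:role:type.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return (source type, target type, object class, permission set), or None
    for any record that is not an AVC denial (SYSCALL, PATH, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    stype = m.group("scontext").split(":")[2]   # third field is the type
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())


def denials_to_allow_rules(log_text):
    """Merge every denial into one allow rule per (source, target, class)
    triple, so repeated denials of the same object collapse into one line."""
    merged = {}
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ %s }" % plist
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, plist))
    return rules


if __name__ == "__main__":
    print("\n".join(denials_to_allow_rules(AVC_SAMPLES)))
```

Rules produced this way grant exactly what was denied, so each still needs a policy review before it goes into cyrus.te: the socket denial here is against pop_port_t although cyrus-master was binding src=143, which is the ifdef(`use_pop') clause Comment 3 describes.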

Comment 6 Patrick Chase 2005-07-24 22:43:33 UTC
Created attachment 117113
Working cyrus.te

Comment 7 Daniel Walsh 2005-07-25 13:22:26 UTC
Added in selinux-policy-targeted-1.25.3-5

Thanks for the fix

Comment 8 Patrick Chase 2005-08-17 04:08:19 UTC
Hi Daniel;

You've got a typo. This line:

ifdef(`saslaudthd.te', `

Should be:

ifdef(`saslauthd.te', `

Needless to say, authentication doesn't work too well with the broken version.

Rgds,

Patrick