Bug 1807443
| Summary: | SELinux prevents Postfix from writing to Cyrus IMAP's LMTP socket | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Nils Philippsen <nphilipp> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 31 | CC: | dwalsh, grepl.miroslav, lvrabec, plautrba, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.14.4-50.fc31 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-04-02 09:54:37 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I've submitted a PR to address the issue: https://github.com/fedora-selinux/selinux-policy-contrib/pull/211 commit 08def7c154b5be4ce7b11643d71d59fe98ea2bfc (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date: Wed Feb 26 20:52:09 2020 +0100
Allow postfix stream connect to cyrus through runtime socket
Add cyrus_runtime_stream_connect() interface.
Allow postfix_smtp_t connect to cyrus_t through a socket in the runtime
filesystem using the cyrus_runtime_stream_connect() interface.
Resolves: rhbz#1807443
FEDORA-2020-5afc749ee7 has been pushed to the Fedora 31 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-5afc749ee7` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5afc749ee7 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2020-5afc749ee7 has been pushed to the Fedora 31 stable repository. If problem still persists, please make note of it in this bug report. |
Description of problem: Recently, email started not being delivered from Postfix to my local Cyrus IMAP mailbox. Version-Release number of selected component (if applicable): selinux-policy-targeted-3.14.4-48.fc31.noarch cyrus-imapd-3.0.13-1.fc31.x86_64 postfix-3.4.8-1.fc31.x86_64 How reproducible: Reproducible Steps to Reproduce: 1. Configure Postfix and Cyrus IMAP so that the former delivers mails to the latter via its LMTP socket file 2. Drop some mail into Postfix to be delivered to the local Cyrus IMAP instance Actual results: --- 8< --- /var/log/maillog --- Feb 26 11:36:03 possum postfix/lmtp[5912]: C735D10FE82: to=<20040817114129.ge13211>, relay=none, delay=217495, delays=217495/0.55/0.01/0, dsn=4.4.1, status=deferred (connect to possum.tiptoe.de[/run/cyrus/socket/lmtp]: Permission denied) --- >8 ------------------------ --- 8< --- ausearch -m avc -sv no ... --- ---- time->Wed Feb 26 11:36:03 2020 type=AVC msg=audit(1582713363.124:3384): avc: denied { write } for pid=5910 comm="lmtp" name="lmtp" dev="tmpfs" ino=122681 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:cyrus_var_run_t:s0 tclass=sock_file permissive=0 ---- --- >8 ---------------------------------- Expected results: No error messages, mails get delivered. Additional info: - Same issue with -49. - Fixed with this local SELinux module loaded: --- 8< --- local-postfix-ltmp.te --- module local-postfix-ltmp 1.0; require { type cyrus_var_run_t; type postfix_smtp_t; class sock_file write; } #============= postfix_smtp_t ============== allow postfix_smtp_t cyrus_var_run_t:sock_file write; --- >8 -------------------------------