Bug 504805

Summary: selinux is denying cyrus-master from binding the mupdate port
Product: Red Hat Enterprise Linux 5
Reporter: Karel Volný <kvolny>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium
Priority: low
Version: 5.3
CC: dkovalsk, mmalik, ohudlick, syeghiay
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-09-02 08:00:40 UTC

Description Karel Volný 2009-06-09 14:52:14 UTC
Description of problem:
I am trying to reproduce a cyrus-imapd bug involving mupdate usage. However, I cannot get mupdate working with selinux enabled, because it denies cyrus-master binding the mupdate port (both in master and client mupdate configuration).

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-243.el5

How reproducible:
always

Steps to Reproduce:
1. create mupdate enabled cyrus-imapd configuration
(i.e. add "mupdate       cmd="mupdate -m" listen=3905 prefork=1" to the "SERVICES" section in /etc/cyrus.conf to run in master mode, or create the appropriate configuration in /etc/imapd.conf)
2. service cyrus-imapd start
3. grep cyrus /var/log/audit/audit.log | grep denied
4. grep denied /var/log/maillog

Actual results:
type=AVC msg=audit(1244558374.392:80): avc:  denied  { name_bind } for  pid=4515 comm="cyrus-master" src=3905 scontext=root:system_r:cyrus_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

Jun  9 10:39:34 dell-pesc430-01 master[4515]: unable to create mupdate listener socket: Permission denied


Expected results:
(no errors reported, server listening on the appropriate port)

Additional info:
note that although 3905 is the standard value, the port number may be reconfigured

Comment 1 Daniel Walsh 2009-06-10 18:34:18 UTC
You can add the port using

semanage port -a -t mail_port_t -p tcp 3905

But is mupdate something I should have defined as a mail_port?  Or should I define its own port?  Any other programs need to use it?
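As an added example (not part of the bug report), a POSIX shell triage helper that parses the name_bind AVC record quoted in the description and produces the semanage port command from Comment 1; the function names are my own, and the port type to assign (here mail_port_t, as chosen in Comment 6) is the one decision it leaves to the administrator.

```shell
#!/bin/sh
# Constructed sample: the AVC record from the bug description, embedded so the
# helpers run offline. Real input would come from /var/log/audit/audit.log.
AVC_SAMPLE='type=AVC msg=audit(1244558374.392:80): avc:  denied  { name_bind } for  pid=4515 comm="cyrus-master" src=3905 scontext=root:system_r:cyrus_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# Print the value of key=value field $2 in AVC record $1 (quotes stripped).
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# If $1 is a name_bind denial against the generic port_t type, print the
# semanage command that labels that port with type $2 and return 0.
# Denials on an already-labelled port (tcontext type != port_t) return 1:
# there the fix is a policy rule for the domain, not a port label.
suggest_port_label() {
    rec=$1; label=$2
    case "$rec" in *denied*'{ name_bind }'*) ;; *) return 1 ;; esac
    ttype=$(avc_field "$rec" tcontext | cut -d: -f3)
    [ "$ttype" = port_t ] || return 1
    case "$(avc_field "$rec" tclass)" in
        tcp_socket) proto=tcp ;;
        udp_socket) proto=udp ;;
        *) return 1 ;;
    esac
    printf 'semanage port -a -t %s -p %s %s\n' "$label" "$proto" "$(avc_field "$rec" src)"
}

# Scan an audit log ($1) and emit one deduplicated suggestion per unlabelled
# port that a confined domain was denied binding, using port type $2.
scan_audit_log() {
    grep 'avc:.*denied.*name_bind' "$1" | while IFS= read -r rec; do
        suggest_port_label "$rec" "$2" || true
    done | sort -u
}

# Stand-alone run: reproduces Comment 1's command from the sample record.
# Before applying it, confirm the port is not already assigned to a type:
#   semanage port -l | grep -w 3905
suggest_port_label "$AVC_SAMPLE" mail_port_t
```

A denial whose tcontext already carries a specific port type means the domain lacks an allow rule for that type, so the script deliberately prints nothing for it rather than suggesting a relabel.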

Comment 6 Daniel Walsh 2009-06-19 11:03:58 UTC
In cyrus policy it looks like the mail_port is defined as 2000, so I will add this port to the policy.

Comment 7 Daniel Walsh 2009-06-19 15:06:08 UTC
Fixed in selinux-policy-2.4.6-248.el5

Comment 14 errata-xmlrpc 2009-09-02 08:00:40 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1242.html