Bug 770751

Summary: selinux prevents procmail to talk to cyrus and logs nothing
Product: Fedora
Reporter: Laurent Jacquot <jk>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: high
Priority: unspecified
Version: 16
CC: dwalsh
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.10.0-71.fc16
Doc Type: Bug Fix
Last Closed: 2012-01-05 19:00:00 UTC

Description Laurent Jacquot 2011-12-28 23:06:48 UTC
Description of problem:

when configuring the following mail chain:
postfix=>procmail=>cyrus-imap, selinux prevents procmail from executing cyrus-deliver.
The access is denied and no log appears even using audit2allow. Switching to permissive works

Version-Release number of selected component (if applicable):

selinux-policy-3.10.0-67.fc16.noarch
selinux-policy-targeted-3.10.0-67.fc16.noarch
libselinux-2.1.6-5.fc16.i686
libselinux-python-2.1.6-5.fc16.i686
libselinux-utils-2.1.6-5.fc16.i686

postfix-2.8.7-1.fc16.i686

procmail-3.22-27.fc16.i686

cyrus-imapd-2.4.12-2.fc16.i686


Postfix is configured to hand over the mail to procmail:

#extract from /etc/postfix/main.cf
mailbox_command = /usr/bin/procmail -a "$EXTENSION"
mailbox_transport = procmail

#extract /etc/postfix/master.cf
procmail  unix  -       n       n       -       20      pipe
    flags=R user=cyrus argv=/usr/bin/procmail -o SENDER=${sender} -m USER=${user} EXTENSION=${extension} /etc/procmailrc


procmail is there to filter out the spam and deliver the mail to cyrus:

#cat /etc/procmailrc
LOGFILE="/tmp/procmail"
VERBOSE=yes 

:0 fw
| /usr/bin/spamc -u $USER -d 127.0.0.1 -p 783

:0:
* ^X-Spam-Status: Yes
/var/spool/mail/spam

:0w
| /usr/lib/cyrus-imapd/deliver -e -a $USER -m user.$USER


cyrus-imapd is configured to listen for new mail on the following socket

#extract from cyrus.conf
lmtpunix cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1


How reproducible:

As soon as setenforce is 1 the procmail log says
#cat /tmp/procmail
couldn't connect to lmtpd: Permission denied
procmail: Program failure (75) of "/usr/lib/cyrus-imapd/deliver"
 Subject: De
  Folder: /var/spool/mail/cyrus						    747

and mail is not delivered to the intended recipient.
  

SELINUX is not logging any failure (so I cannot tune the conf using a local module):
#audit2allow -l -a -m local

module local 1.0;


**If I setenforce to 0, everything works**

How can I convince selinux that procmail is allowed to talk to /var/lib/imap/socket/lmtp ?

Additional Infos:
#ll -Z /var/lib/imap/socket/lmtp
srwxrwxrwx. root root system_u:object_r:cyrus_var_lib_t:s0 /var/lib/imap/socket/lmtp
#ps -efZ | grep cyrus
system_u:system_r:cyrus_t:s0    cyrus 
...
#ps -efZ |grep postfix
system_u:system_r:postfix_master_t:s0 root ... /usr/libexec/postfix/master
system_u:system_r:postfix_qmgr_t:s0 postfix ... qmgr -l -t fifo -u
system_u:system_r:postfix_pickup_t:s0 postfix ... pickup -l -t fifo -u

Comment 1 Daniel Walsh 2011-12-29 17:42:42 UTC
See if there are AVC messages in /var/log/message

Did you update from F15 to F16?

Comment 2 Laurent Jacquot 2011-12-30 09:21:12 UTC
Yes, there are avc in /var/log/message, I really should have looked there before filing the bug! Sorry about that. Here they are

Dec 28 21:23:49 jack kernel: [381943.896871] type=1400 audit(1325103829.862:13): avc:  denied  { write } for  pid=15411 comm="deliver" name="lmtp" dev=dm-12 ino=2752831 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:cyrus_var_lib_t:s0 tclass=sock_file
Dec 28 21:23:49 jack kernel: [381943.896909] type=1400 audit(1325103829.862:14): avc:  denied  { connectto } for  pid=15411 comm="deliver" path="/var/lib/imap/socket/lmtp" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:cyrus_t:s0 tclass=unix_stream_socket

Why did audit2allow not catch the avc and propose a module to load?

I used preupgrade to move from f15 to 16 (but I don't remember if I relabelled the whole fs). Anyway, cyrus-imap is a fresh install from last week.

Comment 3 Laurent Jacquot 2012-01-01 17:21:46 UTC
I created a local module to upgrade my policy so that procmail can talk to cyrus.
here is the module audit2allow created from the logs:
#cat local.te

module local 1.0;

require {
	type cyrus_t;
	type cyrus_var_lib_t;
	type procmail_t;
	class sock_file write;
	class unix_stream_socket connectto;
}

#============= procmail_t ==============
allow procmail_t cyrus_t:unix_stream_socket connectto;
allow procmail_t cyrus_var_lib_t:sock_file write;

I inserted it using the following commands:
checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod
semodule -i local.pp

The avc are gone, but I still get a permission denied:
Jan  1 18:04:09 jack deliver[24809]: connect(/var/lib/imap/socket/lmtp) failed: Permission denied

setenforce 0 makes it work, so this is definitely related.

I also noticed that the logs are talking about a socket whose label is cyrus_t,

Dec 28 21:23:49 jack kernel: [381943.896909] type=1400 audit(1325103829.862:14):  denied  { connectto } for  pid=15411 comm="deliver" path="/var/lib/imap/socket/lmtp" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:cyrus_t:s0 tclass=unix_stream_socket

but ll -Z /var/lib/imap/socket/lmtp says cyrus_var_lib_t
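
The two denials quoted in comment 2 and the local.te built from them in comment 3, as an added example that is not part of this bug report, of audit2allow or of selinux-policy: a small Python script that parses AVC records in the kernel-log form pasted above (and the bare audit.log form) into the same two allow rules, rendering a checkmodule-ready module, and that reports for each denial whether the target context is a process or a file-system object. That distinction is the answer to the label question at the end of comment 3: the sock_file denial carries the label of the socket inode on disk (cyrus_var_lib_t), while a unix_stream_socket peer is labelled with the context of the process that created it, so the connectto denial names the listening lmtpd's domain (cyrus_t). Two practitioner notes on the audit side: `audit2allow -a` reads /var/log/audit/audit.log, so when auditd is not collecting events and the kernel prints AVCs to the kernel log (the `kernel: [...] type=1400` lines above), `audit2allow -d` (dmesg input) or feeding the lines through `-i` is what finds them; and a "Permission denied" that persists after the allow rules are loaded, with no new AVC, is the usual signature of a dontaudit rule, which `semodule -DB` (rebuild with dontaudit rules disabled) makes visible and `semodule -B` hides again. The sample log lines are constructed from this page; nothing below touches a live policy.

```python
# Added example for this bug thread: parse AVC denials the way audit2allow
# does and render a minimal TE module. Illustrative code, not audit2allow
# and not part of selinux-policy. Runs offline on constructed sample lines.
import re
from collections import defaultdict

# Constructed sample input: the two AVC lines quoted in comment 2, in the
# syslog/dmesg form the kernel emits when auditd is not collecting them.
SAMPLE_LOG = """\
Dec 28 21:23:49 jack kernel: [381943.896871] type=1400 audit(1325103829.862:13): avc:  denied  { write } for  pid=15411 comm="deliver" name="lmtp" dev=dm-12 ino=2752831 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:cyrus_var_lib_t:s0 tclass=sock_file
Dec 28 21:23:49 jack kernel: [381943.896909] type=1400 audit(1325103829.862:14): avc:  denied  { connectto } for  pid=15411 comm="deliver" path="/var/lib/imap/socket/lmtp" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:cyrus_t:s0 tclass=unix_stream_socket
"""

# Matches both the kernel-log form above and the bare audit.log
# "type=AVC msg=audit(...): avc:  denied ..." form.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(text):
    """Return one dict per AVC denial in text (granted records are skipped)."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None or m.group("verdict") != "denied":
            continue
        rec = m.groupdict()
        rec["perms"] = set(rec["perms"].split())
        records.append(rec)
    return records


def context_type(ctx):
    """user:role:type[:range] -> type, e.g. system_u:system_r:cyrus_t:s0 -> cyrus_t."""
    return ctx.split(":")[2]


def target_kind(record):
    """'process' when the target context belongs to a running process (any role
    other than object_r), 'object' for file-system objects. A unix_stream_socket
    peer is labelled with its creator's process context, which is why the
    connectto denial names cyrus_t while the socket inode is cyrus_var_lib_t."""
    role = record["tcontext"].split(":")[1]
    return "object" if role == "object_r" else "process"


def build_rules(records):
    """Merge denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for r in records:
        key = (context_type(r["scontext"]), context_type(r["tcontext"]), r["tclass"])
        rules[key].update(r["perms"])
    return dict(rules)


def fmt_perms(perms):
    """Single permission bare, several in braces, as TE syntax expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, name="local", version="1.0"):
    """Render the rules as policy module source (input for checkmodule -M -m)."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    lines += ["}", ""]
    for key in sorted(rules):
        src, tgt, cls = key
        lines.append(f"allow {src} {tgt}:{cls} {fmt_perms(rules[key])};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_LOG)
    for r in recs:
        print(f"# {r['tclass']} target ({context_type(r['tcontext'])}) is a {target_kind(r)} context")
    print(render_te(build_rules(recs)), end="")
```

Run stand-alone it prints the two allow rules from comment 3 inside a require block; the output can be fed to the same checkmodule / semodule_package / semodule -i sequence the reporter used. Loading such a module is a deliberate widening of the policy, so keep the rules as narrow as the denials (one source domain, one target type, one class) and drop the local module once a fixed distribution policy ships, as comment 7 does.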

Comment 4 Miroslav Grepl 2012-01-02 08:31:57 UTC
Fixed in selinux-policy-3.10.0-70.fc16

Comment 5 Laurent Jacquot 2012-01-02 18:34:49 UTC
I would be glad to test the selinux-policy-3.10.0-70.fc16 package, but could not find it in either updates-testing or koji.

There is though a selinux-policy-3.10.0-70.fc17 and even a selinux-policy-3.10.0-71.fc17 in koji. 
What is the danger of installing it on my system (used for home production)?

Comment 6 Miroslav Grepl 2012-01-03 06:50:48 UTC
I am going to build it today. I mean F16 build. F17 build won't work on your F16 machine.

Comment 7 Laurent Jacquot 2012-01-03 18:51:20 UTC
I tested the selinux-policy-3.10.0-71.fc16 from koji.
I confirm it corrects the issue. For the record I did:

remove my local customization
#semodule -r local

install the packages
#yum install selinux-policy-3.10.0-70.fc16.noarch.rpm selinux-policy-targeted-3.10.0-70.fc16.noarch.rpm

reload cyrus
#systemctl stop cyrus-imapd.service
#systemctl start cyrus-imapd.service

and test mail delivery

As far as I am concerned, it's CLOSED - RESOLVED

Kudos to the selinux-policy team!

Comment 8 Fedora Update System 2012-01-03 23:47:33 UTC
selinux-policy-3.10.0-71.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-71.fc16

Comment 9 Fedora Update System 2012-01-11 06:18:00 UTC
selinux-policy-3.10.0-71.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.