Bug 123293 - cyrus-imapd startup fails in selinux enforcing mode.
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Platform: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Brian Brock
Reported: 2004-05-16 00:44 EDT by Fritz Elfert
Modified: 2007-11-30 17:10 EST (History)
Last Closed: 2006-05-05 11:06:24 EDT
Attachments:
Policy fixes for cyrus-imapd and sendmail. (3.22 KB, patch), 2004-05-23 17:49 EDT, Fritz Elfert

Description Fritz Elfert 2004-05-16 00:44:58 EDT
Description of problem:
I'm trying to tighten up security on a FC2T3 based mail server.
When I set selinux to enforcing mode, during execution of the
cyrus-imapd init script, I get the following errors:

kernel: audit(1084687987.641:0): avc:  denied  { transition } for 
pid=1768 exe=/bin/su path=/bin/bash dev=hda2 ino=850340
scontext=system_u:system_r:initrc_su_t
tcontext=user_u:sysadm_r:sysadm_t tclass=process
su(pam_unix)[1766]: session closed for user cyrus
cyrus-imapd: error converting databases, check
/var/lib/imap/rpm/cvt_cyrusdb_all.log
cyrus-imapd: cyrus-imapd startup failed

Apparently, it looks like the init script is not allowed to run the
initial db-conversion script as user cyrus. If I comment out the
offending line in the init script, reading:

su - cyrus -c "umask 166; /usr/lib/cyrus-imapd/cvt_cyrusdb_all >
/var/lib/imap/rpm/cvt_cyrusdb_all.log 2>&1" < /dev/null

cyrus-imapd starts up correctly. Of course, no db-conversion is
performed. But since this only applies to older cyrus DBs and only
needs to run once, that is ok for me now. Unfortunately I don't know
(yet) how to modify the selinux policy to allow the execution of the
above line.

Version-Release number of selected component (if applicable):
cyrus-imapd-2.2.3-11

How reproducible:
Always

Steps to Reproduce:
1. chkconfig cyrus-imapd on
2. set selinux mode to enforcing
3. reboot
  
Actual results:
cyrus-imapd startup fails

Expected results:
cyrus-imapd startup succeeds

Additional info:
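The denial quoted in the description is the raw material for a policy fix. As an added example (not part of the bug report or of any Fedora tool), here is a small audit2allow-style parser: it reads AVC denial lines, extracts source type, target type, object class and permissions, and merges them into `allow` rules in the same form as the rules posted later in this thread. The first sample line is the report's own denial re-joined onto one line; the two `cyrus_t`/`cert_t` lines are constructed to show several denials collapsing into one rule.

```python
import re
from collections import OrderedDict

# AVC denial lines as syslog writes them. Line 1 is the denial from the bug
# report (re-joined); lines 2-3 are constructed for this example.
SAMPLE_AVC = """\
kernel: audit(1084687987.641:0): avc:  denied  { transition } for pid=1768 exe=/bin/su path=/bin/bash dev=hda2 ino=850340 scontext=system_u:system_r:initrc_su_t tcontext=user_u:sysadm_r:sysadm_t tclass=process
kernel: audit(1084688001.100:0): avc:  denied  { read } for pid=1790 comm=imapd name=cert.pem dev=hda2 ino=12345 scontext=system_u:system_r:cyrus_t tcontext=system_u:object_r:cert_t tclass=file
kernel: audit(1084688001.101:0): avc:  denied  { getattr } for pid=1790 comm=imapd path=/etc/pki/tls/certs/cert.pem dev=hda2 ino=12345 scontext=system_u:system_r:cyrus_t tcontext=system_u:object_r:cert_t tclass=file
"""

# Permissions sit in braces; scontext/tcontext/tclass come at the end of the record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(text):
    """Yield (source_type, target_type, tclass, [perms]) for every denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial, or not in a shape we understand
        yield type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"], m["perms"].split()


def allow_rules(text):
    """Merge denials per (source, target, class) into sorted allow rules."""
    merged = OrderedDict()
    for src, tgt, cls, perms in parse_avc(text):
        merged.setdefault((src, tgt, cls), set()).update(perms)
    rules = []
    for (src, tgt, cls), perms in merged.items():
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVC):
        print(rule)
```

Each generated rule still needs a human decision: the first one, `allow initrc_su_t sysadm_t:process transition;`, would let the init script's `su` run shells in the administrator domain, which is a much broader grant than the db-conversion step actually needs.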
Comment 1 Fritz Elfert 2004-05-16 11:23:53 EDT
Got more issues when trying to actually deliver mail:

With selinux in enforcing mode, sendmail complains about an unsafe
domain socket /var/lib/imap/socket/lmtp and thus defers delivery.
Furthermore, in enforcing mode sm-client does not start up because
/sbin/restorecon /var/run/sm-client.pid fails.

Although the lmtp socket always has rwxrwxrwx (created by lmtpd),
sendmail does _not_ complain and correctly delivers mail via lmtp.

For completeness, here are the relevant changes for cyrus in my
sendmail.mc:

dnl FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
define(`confLOCAL_MAILER',`cyrusv2')dnl
define(`CYRUSV2_MAILER_ARGS',`FILE /var/lib/imap/socket/lmtp')dnl
MAILER(cyrusv2)dnl

Comment 2 Fritz Elfert 2004-05-23 17:49:41 EDT
Created attachment 100484 [details]
Policy fixes for cyrus-imapd and sendmail.

The patch fixes selinux related errors that occur during mailbox administration
(creation of mailboxes via cyradm), imap-login and protocol-negotiation
(auth-stuff, SSL-stuff) and delivery by sendmail using lmtp. It does _not_ fix
the startup-failure in the initscript.

 -Fritz
Comment 3 Fritz Elfert 2004-05-26 00:31:23 EDT
As the described bug applies to the FC2 release also, I changed its
version number to 2 so it hopefully gets some attention (at least my
patch).
 
-Fritz 
Comment 4 David Balažic 2004-06-09 03:11:22 EDT
I installed FC2 , on boot this is printed :

Starting sendmail:                                         [  OK  ]
Starting sm-client: /sbin/restorecon set context
/var/run/sm-client.pid-><<none>> failed:'Invalid argument'
                                                           [  OK  ]
Starting console mouse services:                           [  OK  ]

If this is a different issue, please tell me so and I will report it as
a new bug.
Comment 5 Matthew Miller 2005-04-26 11:48:19 EDT
Fedora Core 2 is now maintained by the Fedora Legacy project for
security updates only. If this problem is a security issue, please
reopen and reassign to the Fedora Legacy product. If it is not a
security issue and hasn't been resolved in the current FC3 updates or
in the FC4 test release, reopen and change the version to match.
Comment 6 Duncan Gibb 2005-06-21 20:13:16 EDT
In FC4 final, cyrus starts OK, but can't do anything if selinux is enabled.  See
bug #161281
Comment 7 Kirk Smith 2005-07-08 14:01:37 EDT
With selinux-policy-targeted.noarch version 1.24-3, cyrus-imapd fails to work
here.  By adding the following lines to
/etc/selinux/targeted/src/policy/domains/program/cyrus.te, I was able to get it
to function properly.  The additional permitted operations all seem reasonable,
and now the audit log is quiet, and so far, everything works as expected.

allow cyrus_t cert_t:dir search;
allow cyrus_t cert_t:file { getattr read };
allow cyrus_t cert_t:lnk_file read;
allow cyrus_t urandom_device_t:chr_file { getattr read };
allow cyrus_t var_lib_t:dir { add_name remove_name write };
allow cyrus_t var_lib_t:file { create getattr lock read rename unlink write };
allow cyrus_t var_spool_t:dir search;
Comment 8 Christopher B. Calhoun 2005-10-26 15:10:17 EDT
Same issue here ...

I added:

allow postfix_master_t cyrus_t:unix_stream_socket connectto;
allow postfix_master_t cyrus_var_lib_t:dir search;
allow postfix_master_t cyrus_var_lib_t:sock_file write;
allow postfix_master_t var_lib_t:dir search;

Everything works great again with it enforced. Maybe these need to be added to the
next targeted policy release?

Comment 10 Daniel Walsh 2005-11-03 14:57:12 EST
Could you attach your avc messages. 
Comment 11 Daniel Walsh 2005-11-30 15:51:21 EST
Fixed in selinux-policy-targeted-1.27.1-2.14
Comment 13 Daniel Walsh 2006-05-05 11:06:24 EDT
Closing as these have been marked as modified for a while.  Feel free to reopen
if not fixed.