Bug 161281 - SElinux policy does not provide for cyrus imap server
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-06-21 20:09 EDT by Duncan Gibb
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: 1.27.1-1.1
Doc Type: Bug Fix
Last Closed: 2005-09-27 16:44:21 EDT


Attachments
Working cyrus.te (1.73 KB, text/plain)
2005-07-24 18:43 EDT, Patrick Chase

Description Duncan Gibb 2005-06-21 20:09:26 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040913

Description of problem:
cyrus doesn't seem to get all the permissions it needs when selinux is set to "enforcing" mode with the default targeted policy.  In particular, /var/spool/imap is inaccessible to the daemon, and it is unable to bind to the imap(s) sockets.

Version-Release number of selected component (if applicable):
selinux-policy-targeted(-sources)-1.23.18-12

How reproducible:
Always

Steps to Reproduce:
1. Install cyrus, and configure it.
2. setenforce 1
3. service cyrus-imapd start
  

Actual Results:  /var/log/maillog contains things like

master[18294]: unable to create imap listener socket: Permission denied
master[18294]: unable to create imaps listener socket: Permission denied

and

imap[11585]: IOERROR: creating directory /var/spool/imap: Permission denied


cyradm is unable to create mailboxes.  IMAP clients are unable to connect.

If cyrus was already running when enforcement was turned on, IMAP operations that previously worked (open, create mailbox folders) fail due to "system I/O error" or less well-described errors.  /var/log/maillog contains things like

imap[18433]: IOERROR: opening /var/spool/imap/d/user/duncan/Archive/Lists/ACPI/cyrus.header: Permission denied

and /var/log/audit/audit.log contains things like

type=PATH msg=audit(1119394938.613:7716384): item=0 name="/var/spool/imap/d/user/duncan/Archive/cyrus.header" inode=163340 dev=fd:00 mode=0100600 ouid=76 ogid=12 rdev=00:00
type=SYSCALL msg=audit(1119394938.613:7716384): arch=40000003 syscall=5 success=no exit=-13 a0=bfcb9283 a1=2 a2=0 a3=bfcba36c items=1 pid=18433 auid=4294967295 uid=76 gid=12 euid=76 suid=76 fsuid=76 egid=12 sgid=12 fsgid=12 comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
type=AVC msg=audit(1119394938.613:7716384): avc:  denied  { read write } for  pid=18433 comm="imapd" name=cyrus.header dev=dm-0 ino=163340 scontext=root:system_r:cyrus_t tcontext=root:object_r:var_spool_t tclass=file
type=PATH msg=audit(1119394938.615:7716405): item=0 name="/var/spool/imap/d/user/duncan/Archive/Family/cyrus.header" inode=163354 dev=fd:00 mode=0100600 ouid=76 ogid=12 rdev=00:00
type=SYSCALL msg=audit(1119394938.615:7716405): arch=40000003 syscall=5 success=no exit=-13 a0=bfcb9283 a1=2 a2=0 a3=bfcba36c items=1 pid=18433 auid=4294967295 uid=76 gid=12 euid=76 suid=76 fsuid=76 egid=12 sgid=12 fsgid=12 comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
type=AVC msg=audit(1119394938.615:7716405): avc:  denied  { read write } for  pid=18433 comm="imapd" name=cyrus.header dev=dm-0 ino=163354 scontext=root:system_r:cyrus_t tcontext=root:object_r:var_spool_t tclass=file
type=PATH msg=audit(1119394938.617:7716426): item=0 name="/var/spool/imap/d/user/duncan/Archive/Friends/cyrus.header" inode=163357 dev=fd:00 mode=0100600 ouid=76 ogid=12 rdev=00:00


Expected Results:  Cyrus should still work with selinux enforcement enabled.

Additional info:

I have tried to update the patch submitted by Fritz Elfert against bug #123293 (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=100484), but so far without success.  I need an selinux expert.
Comment 1 Daniel Walsh 2005-06-26 07:41:51 EDT
Fixed in selinux-policy-targeted-1.23.18-17
Comment 2 Cushing Whitney 2005-07-02 20:29:39 EDT
selinux-policy-targeted-1.23.18-17 still doesn't fix the socket opening issue,
at least on my machine. When imapd is started, the following appears in the
audit log:

type=AVC msg=audit(1120348716.353:6576738): avc:  denied  { name_bind } for  pid=7719 comm="cyrus-master" src=143 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:pop_port_t tclass=tcp_socket

I think login.te needs something along the lines of:

allow cyrus_t pop_port_t:tcp_socket name_bind;

Comment 3 Patrick Chase 2005-07-04 21:05:26 EDT
The problem here is an error in policy/domains/programs/cyrus.te

At line 29 (in version 1.23.18-17) access to pop_port_t for cyrus_t is made
dependent on use_pop, which is undefined. Simply deleting the offending ifdef()
clause and reloading fixed the issue for me.
Comment 4 Daniel Walsh 2005-07-05 07:04:09 EDT
Fixed in selinux-policy-targeted-1.24-3
Comment 5 Jeff Carlson 2005-07-13 18:00:37 EDT
Sorry Dan, it still does not appear fixed.  I have
selinux-policy-targeted-1.25.1-7, did a make relabel and rebooted twice, and I
still get an error when trying to create a mailbox.  Here is what I get in my
audit log:

type=AVC msg=audit(1121287291.593:456000): avc:  denied  { search } for  pid=2306 comm="imapd" name=spool dev=hda10 ino=1178497 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:var_spool_t tclass=dir
type=SYSCALL msg=audit(1121287291.593:456000): arch=40000003 syscall=39 success=no exit=-13 a0=bfbb4249 a1=1ed a2=8150454 a3=bfbb4258 items=1 pid=2306 auid=4294967295 uid=76 gid=12 euid=76 suid=76 fsuid=76 egid=12 sgid=12 fsgid=12 comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
type=PATH msg=audit(1121287291.593:456000): item=0 name="/var/spool/imap" inode=1178497 dev=03:0a mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1121287291.597:456001): avc:  denied  { search } for  pid=2306 comm="imapd" name=spool dev=hda10 ino=1178497 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:var_spool_t tclass=dir
type=SYSCALL msg=audit(1121287291.597:456001): arch=40000003 syscall=195 success=no exit=-13 a0=bfbb4249 a1=bfbb1d7c a2=505ff4 a3=bfbb1d7c items=1 pid=2306 auid=4294967295 uid=76 gid=12 euid=76 suid=76 fsuid=76 egid=12 sgid=12 fsgid=12 comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
type=PATH msg=audit(1121287291.597:456001): item=0 name="/var/spool/imap" inode=1178497 dev=03:0a mode=040755 ouid=0 ogid=0 rdev=00:00

I'll also note that /usr/lib/cyrus-imapd/mkimap did make the "stage." directory,
but did not make the "user" directory.  I manually created it myself.
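The description and comments 2 and 5 each quote raw audit.log records and then work out by hand which access vector was denied. The script below is an added example (not part of this bug report or of the selinux-policy package) that does that triage over the denials quoted on this page: it picks out the AVC records, groups the denied permissions by source type, target type and object class, and renders each group in the form audit2allow prints. The sample log is constructed from the records above with the wrapped lines rejoined and the SYSCALL record abridged; the parser ignores non-AVC record types.

```python
"""Summarise SELinux AVC denials from audit.log records, grouped by
(source type, target type, object class), and render each group as the
allow rule audit2allow would propose.

Added example for triage only: the rule text says what was denied, not
whether widening policy is the right fix. A denial from cyrus_t against
var_spool_t, as in this bug, shows the spool directory still carries the
generic /var/spool label rather than anything cyrus-specific."""
import re
from collections import defaultdict

# Constructed sample: the denials quoted in this bug report, with the
# line-wrapped records rejoined. Non-AVC records are left in on purpose.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1119394938.613:7716384): avc:  denied  { read write } for  pid=18433 comm="imapd" name=cyrus.header dev=dm-0 ino=163340 scontext=root:system_r:cyrus_t tcontext=root:object_r:var_spool_t tclass=file
type=SYSCALL msg=audit(1119394938.613:7716384): arch=40000003 syscall=5 success=no exit=-13 pid=18433 uid=76 comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
type=AVC msg=audit(1120348716.353:6576738): avc:  denied  { name_bind } for  pid=7719 comm="cyrus-master" src=143 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:pop_port_t tclass=tcp_socket
type=AVC msg=audit(1121287291.593:456000): avc:  denied  { search } for  pid=2306 comm="imapd" name=spool dev=hda10 ino=1178497 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:var_spool_t tclass=dir
type=PATH msg=audit(1121287291.593:456000): item=0 name="/var/spool/imap" inode=1178497 dev=03:0a mode=040755 ouid=0 ogid=0 rdev=00:00
"""

# Shape of an AVC record: "avc:  denied  { perms } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"type=AVC\b.*?\bavc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Generic key=value pairs, with quoted values kept whole.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict describing an AVC record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": fields.get("comm", "").strip('"'),
        "pid": fields.get("pid", ""),
    }


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            denied[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(denied)


def allow_rules(summary):
    """Render each group the way audit2allow prints a candidate rule."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(summary.items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

The name_bind rule it produces for pop_port_t is exactly the one comment 2 proposes. The two var_spool_t rules are the ones to be wary of: they would grant cyrus_t access to everything under the generic /var/spool type, so the first thing to check is whether /var/spool/imap is labelled the way the package's file contexts intend before any allow rule is added.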
Comment 6 Patrick Chase 2005-07-24 18:43:33 EDT
Created attachment 117113 [details]
Working cyrus.te
Comment 7 Daniel Walsh 2005-07-25 09:22:26 EDT
Added in selinux-policy-targeted-1.25.3-5

Thanks for the fix
Comment 8 Patrick Chase 2005-08-17 00:08:19 EDT
Hi Daniel;

You've got a typo. This line:

ifdef(`saslaudthd.te', `

Should be:

ifdef(`saslauthd.te', `

Needless to say, authentication doesn't work too well with the broken version.

Rgds,

Patrick
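Comments 3 and 8 describe the same failure mode twice: an ifdef() guard in cyrus.te names something that is never defined (`use_pop`, then the misspelled `saslaudthd.te`), and because m4 expands ifdef() of an undefined name to its else-branch with no diagnostic, the rules inside simply vanish from the built policy. The check below is an added example (not from this bug or from the policy package) that lints the guards in a .te source: guard names ending in .te are compared against the .te files present in a policy tree, and any other guard name is reported for manual confirmation against the policy's define()s and tunables. The cyrus.te snippet is constructed to mirror the two defects and is not the real file; that the old build defines an m4 symbol named after each .te file it includes, so that a `foo.te' guard tests for the presence of that file, is my understanding of how those guards are meant to work.

```python
"""Lint the ifdef(`name', ...) guards in an SELinux example-policy .te file.

Added example. m4 evaluates ifdef() of a name nobody defined to its
else-branch (normally empty) without any error, so a misspelled guard
silently drops the rules it wraps. Guards ending in .te are checked
against the .te files in the policy tree; other guard names are listed
so they can be checked against the policy's define()s and tunables."""
import os
import re

# m4 quoting is a backquote followed by a quote: ifdef(`name', `...')
IFDEF_RE = re.compile(r"ifdef\(\s*`([^']+)'")

# Constructed snippet modelled on the two defects discussed in this bug:
# a guard on an undefined symbol and a misspelled file guard. Not the
# real cyrus.te.
SAMPLE_CYRUS_TE = """\
daemon_domain(cyrus)
allow cyrus_t var_spool_t:dir search;
ifdef(`use_pop', `
allow cyrus_t pop_port_t:tcp_socket name_bind;
')
ifdef(`saslaudthd.te', `
allow cyrus_t saslauthd_t:unix_stream_socket connectto;
')
ifdef(`sendmail.te', `
allow cyrus_t sendmail_t:process sigchld;
')
"""


def find_ifdef_names(te_text):
    """All names used as ifdef() guards, in order of appearance."""
    return IFDEF_RE.findall(te_text)


def known_te_files(policy_dir):
    """Basenames of every .te file under policy_dir (assumed layout: the
    build defines one m4 symbol per included .te file)."""
    names = set()
    for _root, _dirs, files in os.walk(policy_dir):
        names.update(f for f in files if f.endswith(".te"))
    return names


def check_ifdefs(te_text, known_te):
    """Return (missing_file_guards, non_file_guards), each sorted.

    missing_file_guards: guards ending in .te with no matching file.
    non_file_guards:     guards on plain symbols, to be confirmed by hand."""
    missing, other = set(), set()
    for name in find_ifdef_names(te_text):
        if name.endswith(".te"):
            if name not in known_te:
                missing.add(name)
        else:
            other.add(name)
    return sorted(missing), sorted(other)


if __name__ == "__main__":
    # Stand-in for known_te_files("policy/domains"): a constructed set.
    known = {"cyrus.te", "saslauthd.te", "sendmail.te"}
    missing, other = check_ifdefs(SAMPLE_CYRUS_TE, known)
    for name in missing:
        print(f"guard `{name}' matches no .te file in the tree (typo?)")
    for name in other:
        print(f"guard `{name}' is not a file guard; confirm it is defined")
```

Run against a real tree, `check_ifdefs(open("policy/domains/program/cyrus.te").read(), known_te_files("policy/domains"))` reports the misspelled guard as a missing file and `use_pop` as a symbol to confirm; with the typo corrected, only the symbol remains.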

