From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040913

Description of problem:
cyrus doesn't seem to get all the permissions it needs when selinux is set to "enforcing" mode with the default targeted policy. In particular, /var/spool/imap is inaccessible to the daemon, and it is unable to bind to the imap(s) sockets.

Version-Release number of selected component (if applicable):
selinux-policy-targeted(-sources)-1.23.18-12

How reproducible:
Always

Steps to Reproduce:
1. Install cyrus, and configure it.
2. setenforce 1
3. service cyrus-imapd start

Actual Results:
/var/log/maillog contains things like

master[18294]: unable to create imap listener socket: Permission denied
master[18294]: unable to create imaps listener socket: Permission denied

and

imap[11585]: IOERROR: creating directory /var/spool/imap: Permission denied

cyradm is unable to create mailboxes. IMAP clients are unable to connect.

If cyrus was already running when enforcement was turned on, IMAP operations that previously worked (open, create mailbox folders) fail due to "system I/O error" or less well-described errors.

/var/log/maillog contains things like

imap[18433]: IOERROR: opening /var/spool/imap/d/user/duncan/Archive/Lists/ACPI/cyrus.header: Permission denied

and /var/log/audit/audit.log contains things like

type=PATH msg=audit(1119394938.613:7716384): item=0 name="/var/spool/imap/d/user/duncan/Archive/cyrus.header" inode=163340 dev=fd:00 mode=0100600 ouid=76 ogid=12 rdev=00:00
type=SYSCALL msg=audit(1119394938.613:7716384): arch=40000003 syscall=5 success=no exit=-13 a0=bfcb9283 a1=2 a2=0 a3=bfcba36c items=1 pid=18433 auid=4294967295 uid=76 gid=12 euid=76 suid=76 fsuid=76 egid=12 sgid=12 fsgid=12 comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
type=AVC msg=audit(1119394938.613:7716384): avc: denied { read write } for pid=18433 comm="imapd" name=cyrus.header dev=dm-0 ino=163340 scontext=root:system_r:cyrus_t tcontext=root:object_r:var_spool_t tclass=file
type=PATH msg=audit(1119394938.615:7716405): item=0 name="/var/spool/imap/d/user/duncan/Archive/Family/cyrus.header" inode=163354 dev=fd:00 mode=0100600 ouid=76 ogid=12 rdev=00:00
type=SYSCALL msg=audit(1119394938.615:7716405): arch=40000003 syscall=5 success=no exit=-13 a0=bfcb9283 a1=2 a2=0 a3=bfcba36c items=1 pid=18433 auid=4294967295 uid=76 gid=12 euid=76 suid=76 fsuid=76 egid=12 sgid=12 fsgid=12 comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
type=AVC msg=audit(1119394938.615:7716405): avc: denied { read write } for pid=18433 comm="imapd" name=cyrus.header dev=dm-0 ino=163354 scontext=root:system_r:cyrus_t tcontext=root:object_r:var_spool_t tclass=file
type=PATH msg=audit(1119394938.617:7716426): item=0 name="/var/spool/imap/d/user/duncan/Archive/Friends/cyrus.header" inode=163357 dev=fd:00 mode=0100600 ouid=76 ogid=12 rdev=00:00

Expected Results:
Cyrus should still work with selinux enforcement enabled.

Additional info:
I have tried to update the patch submitted by Fritz Elfert against bug #123293 (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=100484), but so far without success. I need an selinux expert.
Fixed in selinux-policy-targeted-1.23.18-17
selinux-policy-targeted-1.23.18-17 still doesn't fix the socket opening issue, at least on my machine. When imapd is started, the following appears in the audit log:

type=AVC msg=audit(1120348716.353:6576738): avc: denied { name_bind } for pid=7719 comm="cyrus-master" src=143 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:pop_port_t tclass=tcp_socket

I think login.te needs something along the lines of:

allow cyrus_t pop_port_t:tcp_socket name_bind;
The problem here is an error in policy/domains/programs/cyrus.te At line 29 (in version 1.23.18-17) access to pop_port_t for cyrus_t is made dependent on use_pop, which is undefined. Simply deleting the offending ifdef() clause and reloading fixed the issue for me.
Fixed in selinux-policy-targeted-1.24-3
Sorry Dan, it still does not appear fixed. I have selinux-policy-targeted-1.25.1-7, did a make relabel and rebooted twice, and I still get an error when trying to create a mailbox. Here is what I get in my audit log:

type=AVC msg=audit(1121287291.593:456000): avc: denied { search } for pid=2306 comm="imapd" name=spool dev=hda10 ino=1178497 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:var_spool_t tclass=dir
type=SYSCALL msg=audit(1121287291.593:456000): arch=40000003 syscall=39 success=no exit=-13 a0=bfbb4249 a1=1ed a2=8150454 a3=bfbb4258 items=1 pid=2306 auid=4294967295 uid=76 gid=12 euid=76 suid=76 fsuid=76 egid=12 sgid=12 fsgid=12 comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
type=PATH msg=audit(1121287291.593:456000): item=0 name="/var/spool/imap" inode=1178497 dev=03:0a mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1121287291.597:456001): avc: denied { search } for pid=2306 comm="imapd" name=spool dev=hda10 ino=1178497 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:var_spool_t tclass=dir
type=SYSCALL msg=audit(1121287291.597:456001): arch=40000003 syscall=195 success=no exit=-13 a0=bfbb4249 a1=bfbb1d7c a2=505ff4 a3=bfbb1d7c items=1 pid=2306 auid=4294967295 uid=76 gid=12 euid=76 suid=76 fsuid=76 egid=12 sgid=12 fsgid=12 comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
type=PATH msg=audit(1121287291.597:456001): item=0 name="/var/spool/imap" inode=1178497 dev=03:0a mode=040755 ouid=0 ogid=0 rdev=00:00

I'll also note that /usr/lib/cyrus-imapd/mkimap did make the "stage." directory, but did not make the "user" directory. I manually created it myself.
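The three kinds of denial reported in this thread (read/write on cyrus.header files labelled var_spool_t, name_bind on pop_port_t, and search on the var_spool_t directory) are the raw material for policy rules. The following is an added example, not code from the bug reporters or from the selinux-policy package: it parses type=AVC records the way audit2allow does and merges them into allow rules, keyed on source type, target type and object class. The sample log is assembled from the AVC lines posted in this thread (the SYSCALL line is included only to show that non-AVC records are skipped); the GENERIC_TARGET_TYPES set is an assumption used to flag rules that would be better solved by relabelling than by a blanket allow.

```python
import re
from collections import defaultdict

# Constructed sample: the type=AVC records quoted in this bug thread, one per
# line, plus one SYSCALL record that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1119394938.613:7716384): avc: denied { read write } for pid=18433 comm="imapd" name=cyrus.header dev=dm-0 ino=163340 scontext=root:system_r:cyrus_t tcontext=root:object_r:var_spool_t tclass=file
type=SYSCALL msg=audit(1119394938.613:7716384): arch=40000003 syscall=5 success=no exit=-13 pid=18433 comm="imapd" exe="/usr/lib/cyrus-imapd/imapd"
type=AVC msg=audit(1119394938.615:7716405): avc: denied { read write } for pid=18433 comm="imapd" name=cyrus.header dev=dm-0 ino=163354 scontext=root:system_r:cyrus_t tcontext=root:object_r:var_spool_t tclass=file
type=AVC msg=audit(1120348716.353:6576738): avc: denied { name_bind } for pid=7719 comm="cyrus-master" src=143 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:pop_port_t tclass=tcp_socket
type=AVC msg=audit(1121287291.593:456000): avc: denied { search } for pid=2306 comm="imapd" name=spool dev=hda10 ino=1178497 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:var_spool_t tclass=dir
"""

# Assumption (not from the thread): generic types whose appearance as a
# denial target usually means the object needs its own label instead.
GENERIC_TARGET_TYPES = {"var_spool_t", "var_t", "var_lib_t", "var_log_t", "etc_t", "tmp_t"}

# Matches the fields of a type=AVC record; the regex deliberately ignores
# pid/comm/ino, which vary per event and do not belong in a policy rule.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:mls] security context."""
    return ctx.split(':')[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield (context_type(m.group('scontext')),
               context_type(m.group('tcontext')),
               m.group('tclass'),
               frozenset(m.group('perms').split()))


def allow_rules(log_text):
    """Merge denials into one sorted allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_denials(log_text):
        merged[(src, tgt, tclass)] |= perms
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        ordered = sorted(perms)
        perm_str = ordered[0] if len(ordered) == 1 else '{ ' + ' '.join(ordered) + ' }'
        rules.append(f'allow {src} {tgt}:{tclass} {perm_str};')
    return rules


def generic_target_rules(log_text):
    """Return the rules whose target is a generic type: candidates for relabelling."""
    return [r for r in allow_rules(log_text)
            if r.split()[2].split(':')[0] in GENERIC_TARGET_TYPES]


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        flag = '  # generic target, consider a file context instead' \
            if rule in generic_target_rules(SAMPLE_AUDIT_LOG) else ''
        print(rule + flag)
```

Run stand-alone, the script prints the name_bind rule for pop_port_t unflagged and the two var_spool_t rules flagged. The flag is the practical point: granting cyrus_t read/write on var_spool_t files would let it into every spool under /var/spool, whereas giving /var/spool/imap a cyrus-specific type (as the later policy fix in this thread does via a reworked cyrus.te) keeps the daemon confined to its own data.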
Created attachment 117113: Working cyrus.te
Added in selinux-policy-targeted-1.25.3-5 Thanks for the fix
Hi Daniel,

You've got a typo. This line:

ifdef(`saslaudthd.te', `

Should be:

ifdef(`saslauthd.te', `

Needless to say, authentication doesn't work too well with the broken version.

Rgds,
Patrick
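Two of the regressions in this thread have the same shape: an m4 ifdef() in cyrus.te whose condition is never true, once because the symbol (use_pop) is undefined and once because the .te file name is misspelled (saslaudthd.te). In both cases the rules inside the clause silently drop out of the compiled policy. The following is an added example, not part of the thread or of the selinux-policy sources: a check that walks a monolithic policy tree, collects every ifdef()/ifndef() condition, and reports conditions that name a .te file that does not exist or a symbol that no define() in the tree provides. The sample tree is constructed to reproduce both bugs; the assumption that every legitimate symbol is define()d somewhere in the tree (rather than passed in by the Makefile) is an assumption of this check, so its second class of findings is a list of candidates for review rather than confirmed errors.

```python
import re
import tempfile
from pathlib import Path

# Constructed policy fragments modelled on the two bugs in this thread: an
# ifdef on a symbol nothing defines, and an ifdef on a misspelled .te name.
# The rule bodies are illustrative filler, not the real cyrus.te contents.
SAMPLE_TREE = {
    "domains/program/cyrus.te": """\
type cyrus_t, domain;
ifdef(`use_pop', `
allow cyrus_t pop_port_t:tcp_socket name_bind;
')
ifdef(`saslaudthd.te', `
allow cyrus_t saslauthd_t:unix_stream_socket connectto;
')
ifdef(`sendmail.te', `
allow cyrus_t sendmail_t:process sigchld;
')
""",
    "domains/program/saslauthd.te": "type saslauthd_t, domain;\n",
    "domains/program/sendmail.te": "type sendmail_t, domain;\n",
    "tunables/tunable.tun": "define(`use_nfs_home_dirs')\n",
}

IFDEF_RE = re.compile(r"ifn?def\(`([^']+)'")
DEFINE_RE = re.compile(r"define\(`([^']+)'")
# File types scanned; assumption about the layout of a monolithic policy tree.
POLICY_SUFFIXES = (".te", ".tun", ".fc", ".m4", ".spt")


def write_tree(files, root):
    """Materialise a {relative path: text} mapping under root."""
    for rel, text in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)


def check_ifdefs(root):
    """Return sorted (file, symbol, reason) for ifdef conditions that can never be true."""
    root = Path(root)
    defined, te_files, conditions = set(), set(), []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in POLICY_SUFFIXES:
            continue
        text = path.read_text()
        if path.suffix == ".te":
            te_files.add(path.name)          # ifdef(`foo.te') tests for this file
        defined.update(DEFINE_RE.findall(text))
        rel = path.relative_to(root).as_posix()
        conditions.extend((rel, sym) for sym in IFDEF_RE.findall(text))
    problems = []
    for fname, sym in conditions:
        if sym.endswith(".te"):
            if sym not in te_files:
                problems.append((fname, sym, "no such .te file in tree"))
        elif sym not in defined:
            problems.append((fname, sym, "never define()d in tree"))
    return sorted(problems)


def run_on_sample():
    """Build the constructed tree in a temp dir and check it."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(SAMPLE_TREE, root)
        return check_ifdefs(root)


if __name__ == "__main__":
    for fname, sym, reason in run_on_sample():
        print(f"{fname}: ifdef(`{sym}') {reason}")
```

On the sample tree the check reports exactly the two dead clauses (saslaudthd.te and use_pop) and is silent about sendmail.te, whose file exists. Pointed at a real policy source tree it is a cheap pre-build lint: a rule that vanishes because its ifdef is misspelled produces no compiler error, only the kind of runtime denial this thread documents.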