198014 – cyrus imapd triggers selinux denials

Bug 198014 - cyrus imapd triggers selinux denials

Summary: cyrus imapd triggers selinux denials

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	5
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-07-08 01:51 UTC by Kirk Smith
Modified:	2007-11-30 22:11 UTC (History)
CC List:	0 users
Fixed In Version:	Current
Clone Of:
Environment:
Last Closed:	2007-03-28 20:04:31 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Kirk Smith 2006-07-08 01:51:14 UTC

Under normal operation, selinux reports denial errors from cyrus imapd.

To eliminate all the errors, I installed the following policy:

----
module cyrus_local 1.0;

require {
        class netlink_route_socket { bind create getattr nlmsg_read read write };
        type cyrus_t;
        role system_r;
};

allow cyrus_t self:netlink_route_socket { bind create getattr nlmsg_read read
write };
----
I'm really not sure what the imapd program is doing here, but this makes it work
 better, without triggering selinux denials and apparently doing no additional
harm to the security of the system.

Kirk

Comment 1 Daniel Walsh 2006-07-11 14:22:22 UTC

Fixed in selinux-policy-2.3.2-2

Comment 2 Daniel Walsh 2007-03-28 20:04:31 UTC

Closing bugs

Note You need to log in before you can comment on or make changes to this bug.