Bug 504805 - selinux is denying cyrus-master from binding the mupdate port
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
All Linux
low Severity medium
Assigned To: Daniel Walsh
Reported: 2009-06-09 10:52 EDT by Karel Volný
Modified: 2012-10-15 10:10 EDT
Doc Type: Bug Fix
Last Closed: 2009-09-02 04:00:40 EDT
Description Karel Volný 2009-06-09 10:52:14 EDT
Description of problem:
I am trying to reproduce a cyrus-imapd bug involving mupdate usage. However, I cannot get mupdate working with selinux enabled, because it denies cyrus-master permission to bind the mupdate port (both in master and client mupdate configurations).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a mupdate-enabled cyrus-imapd configuration
(i.e. add "mupdate       cmd="mupdate -m" listen=3905 prefork=1" to "SERVICES" section in /etc/cyrus.conf to run in master mode, or create appropriate configuration in /etc/imapd.conf)
2. service cyrus-imapd start
3. grep cyrus /var/log/audit/audit.log | grep denied
4. grep denied /var/log/maillog

Actual results:
type=AVC msg=audit(1244558374.392:80): avc:  denied  { name_bind } for  pid=4515 comm="cyrus-master" src=3905 scontext=root:system_r:cyrus_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

Jun  9 10:39:34 dell-pesc430-01 master[4515]: unable to create mupdate listener socket: Permission denied

Expected results:
(no errors reported, server listening on the appropriate port)

Additional info:
Note that although 3905 is the standard value, the port number may be reconfigured.
Comment 1 Daniel Walsh 2009-06-10 14:34:18 EDT
You can add the port using

semanage port -a -t mail_port_t -p tcp 3905

But is mupdate something I should have defined as a mail_port?  Or should I define its own port?  Any other programs need to use it?
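
Added example (not part of the bug report, its comments, or the selinux-policy project): a small triage script that pulls name_bind denials out of audit.log text and builds the matching semanage port command from the report above. The function names are hypothetical, the second log line is constructed, and the port type passed in (mail_port_t, from Comment 1) is an assumption the administrator must choose.

```python
import re

# Constructed sample: the AVC record from the report, plus one made-up
# denial of a different kind to show that only name_bind records are kept.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1244558374.392:80): avc:  denied  { name_bind } for  pid=4515 comm="cyrus-master" src=3905 scontext=root:system_r:cyrus_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1244558380.101:81): avc:  denied  { read } for  pid=4600 comm="example" name="example.conf" scontext=root:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
'''

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROTO_BY_CLASS = {"tcp_socket": "tcp", "udp_socket": "udp"}


def parse_name_bind_denials(log_text):
    """Return one dict per AVC denial that includes the name_bind permission."""
    denials = []
    for line in log_text.splitlines():
        perms = PERMS_RE.search(line)
        if not perms or "name_bind" not in perms.group(1).split():
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        proto = PROTO_BY_CLASS.get(fields.get("tclass"))
        if proto is None or not fields.get("src", "").isdigit():
            continue  # not a TCP/UDP port bind, or a malformed record
        denials.append({
            "comm": fields.get("comm"),
            "port": int(fields["src"]),
            "proto": proto,
            # An SELinux context is user:role:type:level; index 2 is the type.
            "source_domain": fields["scontext"].split(":")[2],
            "port_type": fields["tcontext"].split(":")[2],
        })
    return denials


def semanage_command(denial, new_type):
    """Build the 'semanage port -a' command that labels the denied port."""
    return "semanage port -a -t {} -p {} {}".format(
        new_type, denial["proto"], denial["port"])


if __name__ == "__main__":
    for d in parse_name_bind_denials(SAMPLE_AUDIT_LOG):
        print(d)
        # mail_port_t is the type suggested in Comment 1; picking the type
        # is a policy decision the log cannot make for you.
        print(semanage_command(d, "mail_port_t"))
```

Because the command is built from the src= value in the denial, it also covers the case noted in the report where mupdate is configured on a port other than 3905.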
Comment 6 Daniel Walsh 2009-06-19 07:03:58 EDT
In cyrus policy it looks like the mail_port is defined as 2000, so I will add this port to the policy.
Comment 7 Daniel Walsh 2009-06-19 11:06:08 EDT
Fixed in selinux-policy-2.4.6-248.el5
Comment 14 errata-xmlrpc 2009-09-02 04:00:40 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

