Bug 504805 - selinux is denying cyrus-master from binding the mupdate port
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware: All Linux
Priority: low, Severity: medium
Target Milestone: rc
Assigned To: Daniel Walsh
QA Contact: BaseOS QE
Reported: 2009-06-09 10:52 EDT by Karel Volný
Modified: 2012-10-15 10:10 EDT
Doc Type: Bug Fix
Last Closed: 2009-09-02 04:00:40 EDT
Description Karel Volný 2009-06-09 10:52:14 EDT
Description of problem:
I am trying to reproduce a cyrus-imapd bug involving mupdate usage. However, I cannot get mupdate working with SELinux enabled, because it denies cyrus-master permission to bind the mupdate port (in both master and client mupdate configurations).

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-243.el5

How reproducible:
always

Steps to Reproduce:
1. create mupdate enabled cyrus-imapd configuration
(i.e. add "mupdate       cmd="mupdate -m" listen=3905 prefork=1" to "SERVICES" section in /etc/cyrus.conf to run in master mode, or create appropriate configuration in /etc/imapd.conf)
2. service cyrus-imapd start
3. grep cyrus /var/log/audit/audit.log | grep denied
4. grep denied /var/log/maillog

Actual results:
type=AVC msg=audit(1244558374.392:80): avc:  denied  { name_bind } for  pid=4515 comm="cyrus-master" src=3905 scontext=root:system_r:cyrus_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

Jun  9 10:39:34 dell-pesc430-01 master[4515]: unable to create mupdate listener socket: Permission denied


Expected results:
(no errors reported, server listening on the appropriate port)

Additional info:
Note that although 3905 is the standard value, the port number may be reconfigured.
Comment 1 Daniel Walsh 2009-06-10 14:34:18 EDT
You can add the port using

semanage port -a -t mail_port_t -p tcp 3905

But is mupdate something I should have defined as a mail_port?  Or should I define its own port?  Any other programs need to use it?
Comment 6 Daniel Walsh 2009-06-19 07:03:58 EDT
In cyrus policy it looks like the mail_port is defined as 2000, so I will add this port to the policy.
Comment 7 Daniel Walsh 2009-06-19 11:06:08 EDT
Fixed in selinux-policy-2.4.6-248.el5
Comment 14 errata-xmlrpc 2009-09-02 04:00:40 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1242.html
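
Added example (not part of the bug thread or of selinux-policy): a shell sketch that turns name_bind AVC denials like the one in the description into the semanage command from comment 1, for review before anything is applied. The function names and every sample line except the first AVC record are constructed; mail_port_t is the type suggested in comment 1.

```shell
#!/bin/sh
# Constructed sample input: line 1 is the AVC record from this report; the
# repeated denial, the unrelated AVC and the SYSCALL record are made up.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1244558374.392:80): avc:  denied  { name_bind } for  pid=4515 comm="cyrus-master" src=3905 scontext=root:system_r:cyrus_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1244558390.101:93): avc:  denied  { name_bind } for  pid=4620 comm="cyrus-master" src=3905 scontext=root:system_r:cyrus_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1244558374.400:81): avc:  denied  { read } for  pid=4600 comm="example" name="x" scontext=root:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1244558374.392:80): arch=40000003 syscall=102 success=no exit=-13 comm="cyrus-master"
EOF
}

# Print "comm domain proto port" once per distinct name_bind denial on stdin.
name_bind_denials() {
    awk '
    $1 == "type=AVC" && /avc: +denied/ && / name_bind / {
        comm = port = dom = proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            else if ($i ~ /^src=/) { port = substr($i, 5) }
            else if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); dom = c[3] }
            else if ($i ~ /^tclass=/) { proto = substr($i, 8); sub(/_socket$/, "", proto) }
        }
        # Only numeric ports on tcp/udp sockets can be labelled with semanage port.
        if (port ~ /^[0-9]+$/ && (proto == "tcp" || proto == "udp")) {
            key = comm " " dom " " proto " " port
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    }'
}

# Turn each denial into a semanage command for review; nothing is executed.
# $1 = port type to assign (an admin decision, e.g. mail_port_t from comment 1).
suggest_port_labels() {
    while read -r comm dom proto port; do
        printf '# %s (%s) was denied name_bind on %s/%s\n' "$comm" "$dom" "$proto" "$port"
        printf 'semanage port -a -t %s -p %s %s\n' "$1" "$proto" "$port"
    done
}

sample_audit_log | name_bind_denials | suggest_port_labels mail_port_t
```

Review each suggested line before running it: as the reporter notes, the port may be reconfigured, and which port type to assign is the policy question raised in comment 1.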
