Summary: SELinux is preventing /usr/lib/cyrus-imapd/cyrus-master from binding to port 4190. [NOTE: Port 4190 is the cyrus "sieve" service. - jik] Detailed Description: SELinux has denied the cyrus-master from binding to a network port 4190 which does not have an SELinux type associated with it. If cyrus-master should be allowed to listen on 4190, use the semanage command to assign 4190 to a port type that cyrus_t can bind to (pop_port_t, mail_port_t, lmtp_port_t). If cyrus-master is not supposed to bind to 4190, this could signal an intrusion attempt. Allowing Access: If you want to allow cyrus-master to bind to port 4190, you can execute # semanage port -a -t PORT_TYPE -p tcp 4190 where PORT_TYPE is one of the following: pop_port_t, mail_port_t, lmtp_port_t. If this system is running as an NIS Client, turning on the allow_ypbind boolean may fix the problem. setsebool -P allow_ypbind=1. Additional Information: Source Context unconfined_u:system_r:cyrus_t:s0 Target Context system_u:object_r:port_t:s0 Target Objects None [ tcp_socket ] Source cyrus-master Source Path /usr/lib/cyrus-imapd/cyrus-master Port 4190 Host (removed) Source RPM Packages cyrus-imapd-2.3.15-6.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-56.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name bind_ports Host Name (removed) Platform Linux (removed) 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64 Alert Count 6 First Seen Thu 17 Dec 2009 08:07:21 PM EST Last Seen Thu 17 Dec 2009 08:14:12 PM EST Local ID 832a6d11-752f-427d-b941-650571dfe703 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1261098852.129:42030): avc: denied { name_bind } for pid=7545 comm="cyrus-master" src=4190 scontext=unconfined_u:system_r:cyrus_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket node=(removed) type=SYSCALL msg=audit(1261098852.129:42030): arch=c000003e syscall=49 success=no exit=-13 a0=23 a1=7fbce075b4c0 a2=1c a3=7fff27d8701c items=0 ppid=1 pid=7545 auid=3009 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm="cyrus-master" exe="/usr/lib/cyrus-imapd/cyrus-master" subj=unconfined_u:system_r:cyrus_t:s0 key=(null) Hash String generated from selinux-policy-3.6.32-56.fc12,bind_ports,cyrus-master,cyrus_t,port_t,tcp_socket,name_bind audit2allow suggests: #============= cyrus_t ============== allow cyrus_t port_t:tcp_socket name_bind;
Why is cyrus listening on port 4090? Is this a local customization? If it is, then the sealert explains what to do.
As I noted in the bug submission, "[NOTE: Port 4190 is the cyrus "sieve" service. - jik]" This is not a local customization.
Thanks, I missed that. You can add these rules for now using # grep avc /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Fixed in selinux-policy-3.6.32-60.fc12.noarch
selinux-policy-3.6.32-63.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-63.fc12
selinux-policy-3.6.32-66.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-66.fc12
selinux-policy-3.6.32-66.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0184
selinux-policy-3.6.32-63.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.6.32-66.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.