Hide Forgot
Description of problem: when configuring the following mail chain: postfix=>procmail=>cyrus-imap, selinux prevents procmail from executing cyrus-deliver. The access is denied and no log appears even using audit2allow. Switching to permissive works Version-Release number of selected component (if applicable): selinux-policy-3.10.0-67.fc16.noarch selinux-policy-targeted-3.10.0-67.fc16.noarch libselinux-2.1.6-5.fc16.i686 libselinux-python-2.1.6-5.fc16.i686 libselinux-utils-2.1.6-5.fc16.i686 postfix-2.8.7-1.fc16.i686 procmail-3.22-27.fc16.i686 cyrus-imapd-2.4.12-2.fc16.i686 Postifx is configured to hand over the mail to procmail: #extract from /etc/postfix/main.cf mailbox_command = /usr/bin/procmail -a "$EXTENSION" mailbox_transport = procmail #extract /etc/postfix/master.cf procmail unix - n n - 20 pipe flags=R user=cyrus argv=/usr/bin/procmail -o SENDER=${sender} -m USER=${user} EXTENSION=${extension} /etc/procmailrc procmail is there to filter out the spam and deliver the mail to cyrus: #cat /etc/procmailrc LOGFILE="/tmp/procmail" VERBOSE=yes :0 fw | /usr/bin/spamc -u $USER -d 127.0.0.1 -p 783 :0: * ^X-Spam-Status: Yes /var/spool/mail/spam :0w | /usr/lib/cyrus-imapd/deliver -e -a $USER -m user.$USER cyrus-imapd is configured to listen for new mail on the following socket #extract from cyrus.conf lmtpunix cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1 How reproducible: As soon as setenforce is 1 the procmail log says #cat /tmp/procmail couldn't connect to lmtpd: Permission denied procmail: Program failure (75) of "/usr/lib/cyrus-imapd/deliver" Subject: De Folder: /var/spool/mail/cyrus 747 and mail is not delivered to the intended recipient. SELINUX is not logging any failure (so I cannot tune the conf using a local module): #audit2allow -l -a -m local module local 1.0; **If I setenforce to 0, the everything works** How can I convince selinux that procmail is allowed to talk to /var/lib/imap/socket/lmtp ? Additional Infos: #ll-Z /var/lib/imap/socket/lmtp srwxrwxrwx. root root system_u:object_r:cyrus_var_lib_t:s0 /var/lib/imap/socket/lmtp #ps -efZ | grep cyrus system_u:system_r:cyrus_t:s0 cyrus ... #ps -efZ |grep postfix ps -efZ |grep postfix system_u:system_r:postfix_master_t:s0 root ... /usr/libexec/postfix/master system_u:system_r:postfix_qmgr_t:s0 postfix ... qmgr -l -t fifo -u system_u:system_r:postfix_pickup_t:s0 postfix ... pickup -l -t fifo -u
See if there are AVC messages in /var/log/message Did you update from F15 to F16?
Yes, there are avc in /var/log/message, I really should have looked there before filling the bug! Sorry about that. Here they are Dec 28 21:23:49 jack kernel: [381943.896871] type=1400 audit(1325103829.862:13): avc: denied { write } for pid=15411 comm="deliver" name="lmtp" dev=dm-12 ino=2752831 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:cyrus_var_lib_t:s0 tclass=sock_file Dec 28 21:23:49 jack kernel: [381943.896909] type=1400 audit(1325103829.862:14): avc: denied { connectto } for pid=15411 comm="deliver" path="/var/lib/imap/socket/lmtp" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:cyrus_t:s0 tclass=unix_stream_socket Why audit2allow did not catch the avc and propose a module to load? I used preupgrade to move from f15 to 16 (but I don't remember if I relabelled the whole fs). Anyway, cyrus-imap is a fresh install from last week.
I created a local module to upgrade my policy so that procmail can talk to cyrus. here is the module audit2allow create from the logs: #cat local.te module local 1.0; require { type cyrus_t; type cyrus_var_lib_t; type procmail_t; class sock_file write; class unix_stream_socket connectto; } #============= procmail_t ============== allow procmail_t cyrus_t:unix_stream_socket connectto; allow procmail_t cyrus_var_lib_t:sock_file write; I inserted it using the following commands: checkmodule -M -m -o local.mod local.te semodule_package -o local.pp -m local.mod semodule -i local.pp The avc are gone, but I still get a permission denied: Jan 1 18:04:09 jack deliver[24809]: connect(/var/lib/imap/socket/lmtp) failed: Permission denied setenforce 0 makes it work, so this is definitively related. I noticed also that the logs are talking about a socket whose label is cyrus_t, Dec 28 21:23:49 jack kernel: [381943.896909] type=1400 audit(1325103829.862:14): denied { connectto } for pid=15411 comm="deliver" path="/var/lib/imap/socket/lmtp" scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:system_r:cyrus_t:s0 tclass=unix_stream_socket but ll -Z /var/lib/imap/socket/lmtp says cyrus_var_lib_t
Fixed in selinux-policy-3.10.0-70.fc16
I would be glad to test the selinux-policy-3.10.0-70.fc16 package, but could not find it neither in updates-testings nor koji. There is though a selinux-policy-3.10.0-70.fc17 and even a selinux-policy-3.10.0-71.fc17 in koji. What is the danger of installing it on my system (used for home production)?
I am going to build it today. I mean F16 build. F17 build won't work on your F16 machine.
I tested the selinux-policy-3.10.0-71.fc16 from koji. I confirm it corrects the issue. For the record I did: remove my local customization #semodule -r local install the packages #yum install selinux-policy-3.10.0-70.fc16.noarch.rpm selinux-policy-targeted-3.10.0-70.fc16.noarch.rpm reload cyrus #systemctl stop cyrus-imapd.service #systemctl start cyrus-imapd.service and test mail delivery As far as I am concerned, it's CLOSED - RESOLVED Kudos to the selinux-policy team!
selinux-policy-3.10.0-71.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-71.fc16
selinux-policy-3.10.0-71.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.