Cyrus-imapd & selinux

Daniel J Walsh dwalsh at redhat.com
Thu Apr 15 14:43:08 UTC 2004


Roger Grosswiler wrote:

>Hello,
>
>I am not the master of disaster of SELinux, and I think it's just a question of the policy.
>
>So, if you installed your cyrus-imapd and did your config (via saslauthd/pam), it is impossible to log in,
>either in cyrus itself or in cyradm. You always get the error message that you cannot log in. It works fine if
>SELinux is disabled.
>
>Here is my message log for all interested.
>
>Of course I would like to learn more about Linux, so I ask what this means and how I could change this in my policies,
>and e.g. whether this should be changed also in the default policy.
>
>Thx
>Roger
>
>Apr 14 21:08:52 lneo kernel: audit(1081969732.601:0): avc:  denied  { getattr } for  pid=3155 exe=/usr/lib/cyrus-imapd/cyrus-master path=/var/run/winbindd/pipe dev=hda3 ino=530650 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:var_run_t tclass=sock_file
>Apr 14 21:08:52 lneo kernel: audit(1081969732.906:0): avc:  denied  { getattr } for  pid=3152 exe=/usr/lib/cyrus-imapd/cyrus-master path=/var/run/winbindd/pipe dev=hda3 ino=530650 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:var_run_t tclass=sock_file
>Apr 14 21:09:09 lneo kernel: audit(1081969749.496:0): avc:  denied  { write } for  pid=3162 exe=/usr/lib/cyrus-imapd/imapd name=mux dev=hda3 ino=182930 scontext=root:system_r:cyrus_t tcontext=root:object_r:var_run_t tclass=sock_file
>Apr 14 21:09:42 lneo kernel: audit(1081969782.548:0): avc:  denied  { write } for  pid=3173 exe=/usr/lib/cyrus-imapd/imapd name=mux dev=hda3 ino=182930 scontext=root:system_r:cyrus_t tcontext=root:object_r:var_run_t tclass=sock_file
>Apr 14 21:10:01 lneo kernel: audit(1081969801.034:0): avc:  denied  { write } for  pid=3174 exe=/usr/lib/cyrus-imapd/imapd name=mux dev=hda3 ino=182930 scontext=root:system_r:cyrus_t tcontext=root:object_r:var_run_t tclass=sock_file
>Apr 14 21:10:34 lneo kernel: audit(1081969834.466:0): avc:  denied  { write } for  pid=3175 exe=/usr/lib/cyrus-imapd/imapd name=mux dev=hda3 ino=182930 scontext=root:system_r:cyrus_t tcontext=root:object_r:var_run_t tclass=sock_file
>Apr 14 21:13:55 lneo kernel: audit(1081970035.975:0): avc:  denied  { write } for  pid=3176 exe=/usr/lib/cyrus-imapd/imapd name=mux dev=hda3 ino=182930 scontext=root:system_r:cyrus_t tcontext=root:object_r:var_run_t tclass=sock_file
>Apr 14 21:14:30 lneo kernel: audit(1081970070.964:0): avc:  denied  { write } for  pid=3180 exe=/usr/lib/cyrus-imapd/imapd name=mux dev=hda3 ino=182930 scontext=root:system_r:cyrus_t tcontext=root:object_r:var_run_t tclass=sock_file
>
If you add the following line to cyrus.te and rebuild the policy, does the 
problem go away?

file_type_auto_trans(cyrus_t, var_run_t, cyrus_var_run_t, sock_file)

--- policy-1.11.2/domains/program/unused/cyrus.te.20040415    2004-04-13 
19:56:28.000000000 -0400
+++ policy-1.11.2/domains/program/unused/cyrus.te    2004-04-15 
10:37:22.660861424 -0400
@@ -9,6 +9,8 @@
 role cyrus_r types cyrus_t;
 
 general_domain_access(cyrus_t)
+file_type_auto_trans(cyrus_t, var_run_t, cyrus_var_run_t, sock_file)
+
 type cyrus_var_lib_t, file_type, sysadmfile;
 
 allow cyrus_t self:capability { dac_override net_bind_service setgid 
setuid sys_resource };
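Review bot: the added file_type_auto_trans line does not cover the denials in the quoted log. It only affects sock_files that cyrus_t itself creates inside var_run_t directories (those get labeled cyrus_var_run_t, and cyrus_t gets create/read/write on that new type plus rw on var_run_t directories); the denied objects, name=mux and path=/var/run/winbindd/pipe, are existing sockets labeled var_run_t that cyrus-master and imapd try to getattr/write, i.e. sockets created by other daemons that cyrus connects to, so the { getattr } and { write } denials on cyrus_t -> var_run_t:sock_file remain. Those need either an explicit rule such as `allow cyrus_t var_run_t:sock_file { getattr write };` or, better, the specific type the saslauthd and winbindd sockets should carry with a type-specific allow; and once write on the sock_file is granted, the next denial to expect is unix_stream_socket connectto against the peer daemon's domain. Also, the visible context declares only cyrus_var_lib_t; confirm cyrus_var_run_t is already declared elsewhere in cyrus.te (for example by a daemon macro), otherwise the policy build fails on an undefined type.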

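The quoted AVC lines and the proposed macro can be checked against each other mechanically. The following Python script is an added example, not code from this thread or from the Fedora policy tree: it parses the kernel AVC messages copied from Roger's mail (re-joined onto one line each, constructed input), aggregates the denied permissions per source type / target type / class the way audit2allow does, and then subtracts what file_type_auto_trans(cyrus_t, var_run_t, cyrus_var_run_t, sock_file) would grant. The rw_dir_perms and create_file_perms sets are an approximation of the old example-policy macros and are an assumption, not the definitions from the policy's macros directory.

```python
"""Turn the AVC denials quoted above into candidate allow rules and check
which of them the proposed file_type_auto_trans line would actually grant.

Added example, not code from the thread or from the Fedora policy tree.
The log lines are copied from the quoted mail (one line each); the
permission sets for rw_dir_perms/create_file_perms are an approximation
of the old example-policy macros (assumption).
"""
import re
from collections import defaultdict

# Constructed input: three of the AVC messages from the quoted mail.
AVC_LOG = """\
Apr 14 21:08:52 lneo kernel: audit(1081969732.601:0): avc:  denied  { getattr } for  pid=3155 exe=/usr/lib/cyrus-imapd/cyrus-master path=/var/run/winbindd/pipe dev=hda3 ino=530650 scontext=root:system_r:cyrus_t tcontext=system_u:object_r:var_run_t tclass=sock_file
Apr 14 21:09:09 lneo kernel: audit(1081969749.496:0): avc:  denied  { write } for  pid=3162 exe=/usr/lib/cyrus-imapd/imapd name=mux dev=hda3 ino=182930 scontext=root:system_r:cyrus_t tcontext=root:object_r:var_run_t tclass=sock_file
Apr 14 21:09:42 lneo kernel: audit(1081969782.548:0): avc:  denied  { write } for  pid=3173 exe=/usr/lib/cyrus-imapd/imapd name=mux dev=hda3 ino=182930 scontext=root:system_r:cyrus_t tcontext=root:object_r:var_run_t tclass=sock_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Parse one kernel AVC line into perms, source/target types, class and object.

    A security context is user:role:type; only the type matters for an
    allow rule, so the third colon-separated field is extracted.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "perms": set(m.group("perms").split()),
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        # path= appears when the kernel has a full path, name= for a lookup
        "object": fields.get("path") or fields.get("name") or "?",
        "exe": fields.get("exe", "?"),
    }


def collect_rules(log):
    """Aggregate denied permissions per (source type, target type, class),
    the same grouping audit2allow produces."""
    rules = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def format_allow(rules):
    """Render the aggregated denials as policy-language allow statements."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


# Approximation of the old example-policy macro sets (assumption).
RW_DIR_PERMS = {"read", "getattr", "lock", "search", "ioctl", "write",
                "add_name", "remove_name"}
CREATE_FILE_PERMS = {"create", "ioctl", "read", "getattr", "lock", "write",
                     "setattr", "append", "link", "unlink", "rename"}


def file_type_auto_trans(source, old_type, new_type, tclass):
    """What file_type_auto_trans(source, old_type, new_type, tclass) grants:
    rw access to old_type directories and create/rw on objects of new_type.
    The type_transition only relabels objects that source itself creates,
    so existing old_type objects are untouched."""
    return {
        (source, old_type, "dir"): set(RW_DIR_PERMS),
        (source, new_type, tclass): set(CREATE_FILE_PERMS),
    }


def uncovered(rules, granted):
    """Denials that remain after the granted rules are applied."""
    left = {}
    for key, perms in rules.items():
        missing = perms - granted.get(key, set())
        if missing:
            left[key] = missing
    return left


if __name__ == "__main__":
    rules = collect_rules(AVC_LOG)
    for stmt in format_allow(rules):
        print("audit2allow-style:", stmt)
    proposed = file_type_auto_trans("cyrus_t", "var_run_t", "cyrus_var_run_t", "sock_file")
    for key, perms in uncovered(rules, proposed).items():
        print("still denied after the proposed line:", key, sorted(perms))
```

Running it prints the single audit2allow-style rule the log asks for, `allow cyrus_t var_run_t:sock_file { getattr write };`, and reports that the same (cyrus_t, var_run_t, sock_file) pair is still fully denied after the proposed transition rule, because that rule touches only objects cyrus_t creates, not the saslauthd and winbindd sockets it connects to.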

More information about the fedora-test-list mailing list