- Bug
- Resolution: Done-Errata
- Normal
- rhel-9.3.0
- selinux-policy-38.1.30-1.el9
- rhel-sst-security-selinux
- ssg_security
- 20
- QE ack
- False
- No
- Red Hat Enterprise Linux
- Release Note Not Required
- All
TL;DR: please apply the RHEL8 RHBA-2023:7091 fix to RHEL9.
RHBA-2023:7091 corrected the issue I reported in BZ#2165752 (where SELinux prevents sendmail from delivering mail to Cyrus on RHEL8), by granting sendmail_t certain permissions on cyrus_var_run_t files, in addition to the permissions it already had for cyrus_var_lib_t files:
$ rpm -q selinux-policy-targeted; sesearch --allow --source sendmail_t | grep cyrus
selinux-policy-targeted-3.14.3-128.el8.noarch
allow sendmail_t cyrus_t:unix_stream_socket connectto;
allow sendmail_t cyrus_var_lib_t:dir { getattr open search };
allow sendmail_t cyrus_var_lib_t:sock_file { append getattr open write };
allow sendmail_t cyrus_var_run_t:dir { getattr open search };
allow sendmail_t cyrus_var_run_t:sock_file { append getattr open write };
But this same fix did not make it into the RHEL9 selinux-policy package:
$ rpm -q selinux-policy-targeted; sesearch --allow --source sendmail_t | grep cyrus
selinux-policy-targeted-38.1.23-1.el9.noarch
allow sendmail_t cyrus_t:unix_stream_socket connectto;
allow sendmail_t cyrus_var_lib_t:dir { getattr open search };
allow sendmail_t cyrus_var_lib_t:sock_file { append getattr open write };
Like RHEL8, the RHEL9 cyrus-imapd places its sockets in /run/cyrus/socket (which is cyrus_var_run_t) instead of /var/lib/imap/socket (which is cyrus_var_lib_t), so the RHEL9 selinux-policy package needs the cyrus_var_run_t rules that the RHEL8 selinux-policy package does.
So, please apply the RHEL8 RHBA-2023:7091 fix to RHEL9.
- links to: RHBA-2023:121166 selinux-policy bug fix and enhancement update
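An added example, not part of the original report: the two sesearch listings above compared as permission sets, so a rule counts as missing only when some permission it grants is absent from the other policy. The rule text is copied from the report; the names parse_rules and missing_rules are hypothetical.

```python
import re
from collections import defaultdict

# sesearch output copied from the two listings in this report.
RHEL8 = """\
allow sendmail_t cyrus_t:unix_stream_socket connectto;
allow sendmail_t cyrus_var_lib_t:dir { getattr open search };
allow sendmail_t cyrus_var_lib_t:sock_file { append getattr open write };
allow sendmail_t cyrus_var_run_t:dir { getattr open search };
allow sendmail_t cyrus_var_run_t:sock_file { append getattr open write };
"""
RHEL9 = """\
allow sendmail_t cyrus_t:unix_stream_socket connectto;
allow sendmail_t cyrus_var_lib_t:dir { getattr open search };
allow sendmail_t cyrus_var_lib_t:sock_file { append getattr open write };
"""

# allow <source> <target>:<class> <perm>;   or   ... { perm perm ... };
RULE = re.compile(r"^allow\s+(\S+)\s+(\S+?):(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;")

def parse_rules(text):
    """Map (source, target, class) -> set of permissions, merging duplicates."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # skip shell prompts, rpm -q output and blank lines
        src, tgt, cls, braced, single = m.groups()
        rules[(src, tgt, cls)].update((braced or single).split())
    return rules

def missing_rules(reference, candidate):
    """Allow rules for permissions granted in reference but not in candidate."""
    ref, cand = parse_rules(reference), parse_rules(candidate)
    out = []
    for key in sorted(ref):
        gap = ref[key] - cand.get(key, set())
        if gap:
            src, tgt, cls = key
            out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(gap))} }};")
    return out

if __name__ == "__main__":
    for rule in missing_rules(RHEL8, RHEL9):
        print(rule)
```

Run against the listings above, it prints the two cyrus_var_run_t rules that the RHEL9 policy lacks.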