Bug 1208298
| Summary: | After updating to EL 7.1 roundcube package won't work with selinux enabled | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Scott Dowdle <dowdle> |
| Component: | selinux-policy | Assignee: | Simon Sekidde <ssekidde> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.1 | CC: | christoph.wickert, dowdle, fedora, gbailey, gwync, lvrabec, mgrepl, mhlavink, mmalik, orion, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-25.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-11-19 10:30:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Here's what it shows in the /var/log/audit.log
type=AVC msg=audit(1427924537.536:1669): avc: denied { write } for pid=2397 comm="httpd" name="sqlite.db" dev="vda1" ino=403425494 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1427924538.825:1670): avc: denied { write } for pid=2397 comm="httpd" name="sqlite.db" dev="vda1" ino=403425494 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1427924549.478:1671): avc: denied { write } for pid=2396 comm="httpd" name="sqlite.db" dev="vda1" ino=403425494 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
To fix it I had to run the two following commands recommended by sealert:

semanage fcontext -a -t httpd_sys_rw_content_t '/var/lib/roundcubemail/sqlite.db'
restorecon -v '/var/lib/roundcubemail/sqlite.db'

randomuser in IRC suggested the following probably would have worked:

restorecon -R /var/lib/roundcubemail/

Having already fixed it the way I did, I can't verify that... and I'm not going to break it in some way to test it. :)

If that is true, that means that an update to the roundcubemail package isn't needed... and that a clean install where a fresh sqlite.db file is created will probably work without issue. That is to say that our guess is that the SELinux policy changed and just refreshing the context of my pre-existing file might have fixed it.

Anyway... It seems there are other files kept there as well:
type=AVC msg=audit(1427977409.112:3854626): avc: denied { unlink } for pid=11532 comm="httpd" name="453f2473e97e0ad0f2e69d1736e920f4.octet-stream" dev="sda1" ino=268428 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1427977409.112:3854627): avc: denied { unlink } for pid=11532 comm="httpd" name="c1fcbed2b440847f48f2ce7275e85944.png" dev="sda1" ino=268586 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
ls -lZa /var/lib/roundcubemail/
drwxrwxr-x. root apache system_u:object_r:var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ..
-rw-------. apache apache system_u:object_r:var_lib_t:s0 12d7a93b29427fc530a3986a2ac9e5ea.jpeg
-rw-------. apache apache system_u:object_r:var_lib_t:s0 15269169bba300541a7fdc68a45825b6.png
....
restorecon resets to var_lib_t, so that doesn't work. I think you want:
semanage fcontext -a -t httpd_sys_rw_content_t '/var/lib/roundcubemail(/.*)?'
restorecon -r /var/lib/roundcubemail
Could you attach the list of SELinux denials which appear in enforcing mode? Could you re-run your scenario in permissive mode and collect the denials as well?

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

I'm not getting any errors. The ausearch recommended in comment 6 shows nothing and that is with selinux in enforcing mode. So, to the best of my knowledge, it isn't broken anymore and there isn't any data to gather.

I'm not able to reproduce this very well. I do note that when you attach a file to an email in roundcube mail it creates a file in /var/lib/roundcubemail with context httpd_var_lib_t. Perhaps something is coming along later and relabelling some files back to var_lib_t?

It happens automatically.

# matchpathcon /var/lib/roundcubemail
/var/lib/roundcubemail system_u:object_r:var_lib_t:s0

The following rule says: if a process running as httpd_t creates a file or a directory under the /var/lib/roundcubemail directory then the new object gets the httpd_var_lib_t label.

# sesearch -s httpd_t -t var_lib_t -T
Found 2 semantic te rules:
type_transition httpd_t var_lib_t : file httpd_var_lib_t;
type_transition httpd_t var_lib_t : dir httpd_var_lib_t;

Right, but I was wondering what had set the labels on the file back to var_lib_t? Anything in an update? My running restorecon -r /var at some point? At that point then it seems that roundcubemail cannot delete the files. Not sure how Scott's sqlite.db file ended up as httpd_sys_content_t.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html
roundcubemail was working until I upgraded my host from CentOS 7-1503 (7.1). I get an authentication error... until I turn off SELinux and then it works.

Here's the error I get in /var/log/roundcubemail/errors when selinux is in enforcing mode:

[01-Apr-2015 15:23:51 -0600]: <d3m7ppi4> DB Error: [8] attempt to write a readonly database (SQL Query: DELETE FROM "session" WHERE "sess_id" = 'd3m7ppi4t9vtuofs4dd8ina6j0') in /usr/share/roundcubemail/program/lib/Roundcube/rcube_db.php on line 541 (POST /mail/?_task=login?_task=login&_action=login)
[01-Apr-2015 15:23:52 -0600]: <d3m7ppi4> DB Error: [8] attempt to write a readonly database (SQL Query: UPDATE "users" SET "last_login" = datetime('now') WHERE "user_id" = '1') in /usr/share/roundcubemail/program/lib/Roundcube/rcube_db.php on line 541 (POST /mail/?_task=login?_task=login&_action=login)
[01-Apr-2015 15:23:52 -0600]: <l9pucoa9> DB Error: [8] attempt to write a readonly database (SQL Query: INSERT INTO "session" ("sess_id", "vars", "ip", "created", "changed") VALUES ('l9pucoa9fbjobe5fivcvg6c1u1', '[...]', '153.90.195.54', datetime('now'), datetime('now'))) in /usr/share/roundcubemail/program/lib/Roundcube/rcube_db.php on line 541 (POST /mail/?_task=login?_task=login&_action=login)
[01-Apr-2015 15:23:52 -0600]: <l9pucoa9> DB Error: [8] attempt to write a readonly database (SQL Query: INSERT INTO "session" ("sess_id", "vars", "ip", "created", "changed") VALUES ('l9pucoa9fbjobe5fivcvg6c1u1', 'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs=', '153.90.195.54', datetime('now'), datetime('now'))) in /usr/share/roundcubemail/program/lib/Roundcube/rcube_db.php on line 541 (GET /mail/?_task=mail)

Basically it can't write to the database file... which I think is /var/lib/roundcubemail/sqlite.db

If I put selinux in permissive mode then it works. Perhaps there is an sebool for it but if so, I haven't figured out which one.
Here's what "getsebool -a | grep httpd" shows:

httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> on
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> on
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> on
httpd_use_openstack --> off
httpd_use_sasl --> on
httpd_verify_dns --> off

I've configured roundcubemail to authenticate via imap to another machine on the same LAN.