Bug 1221587

Summary: Prosody SELinux policy
Product: Red Hat Enterprise Linux 7 Reporter: Laurent Wandrebeck <l.wandrebeck>
Component: selinux-policy Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.1CC: baptiste.peugnez, g.fhnrunznrqeqf, lvrabec, l.wandrebeck, mgrepl, mmalik, plautrba, pvrabec, redhat-bugzilla, robert.scheck, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-32.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 10:33:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
  grep denied /var/log/audit/audit.log (Flags: none)

Description Laurent Wandrebeck 2015-05-14 12:08:40 UTC
Created attachment 1025363 [details]
grep denied /var/log/audit/audit.log

Description of problem:

Several avc:denied when running Prosody 0.9.8-1.el7 from epel-testing

Version-Release number of selected component (if applicable):

Prosody 0.9.8-1.el7
selinux-policy 3.13.1-23.el7_1.7

(running CentOS 7-1503 fully up to date).

How reproducible:


(configure the service)
systemctl start prosody

Steps to Reproduce:
1. yum install prosody --enablerepo=epel-testing
2. (configure the service - running with PostgreSQL as a backend here)
3. systemctl start prosody

Actual results:

SELinux prevents certain operations needed to get Prosody running.

Expected results:

SELinux lets Prosody run normally.

Additional info:

.te file generated by audit2allow:

module myprosody 1.0;

require {
	type var_log_t;
	type postgresql_port_t;
	type prosody_t;
	class capability { dac_read_search dac_override };
	class tcp_socket name_connect;
	class file { read create open };
	class dir { write add_name };
}

#============= prosody_t ==============
# TCP connect to the PostgreSQL backend port
allow prosody_t postgresql_port_t:tcp_socket name_connect;

# bypass DAC permission checks (see the dac_override discussion in the comments)
allow prosody_t self:capability { dac_read_search dac_override };

# create entries in a directory labelled var_log_t
allow prosody_t var_log_t:dir { write add_name };

# create, read and open log files labelled var_log_t
allow prosody_t var_log_t:file { read create open };

Please note that the firewall is still closed for Prosody, so additional rules may be necessary once the server goes to production.

Comment 2 Robert Scheck 2015-05-14 15:02:38 UTC
Prosody must be able to handle its log files in /var/log/prosody/*,
prosody might connect to PostgreSQL or MySQL via unix socket or TCP.

Comment 3 Miroslav Grepl 2015-05-25 11:37:35 UTC
I see dac_override. So it means we have a different process vs. log_file owner.

Comment 4 Robert Scheck 2015-05-25 13:30:44 UTC
Prosody process should run as user "prosody", directory /var/log/prosody/
should be prosody:prosody, same for log files. Laurent, can you cross-check
your setup, please?

Miroslav: Prosody drops its privileges itself - could that cause the issue,
if it already writes a log line before?

Comment 5 Laurent Wandrebeck 2015-05-25 19:04:20 UTC
[root@bla ~]# ps aux | grep prosody
prosody  15000  0.0  0.0 115260  6972 ?        S    20:16   0:00 lua /usr/lib64/prosody/../../bin/prosody

[root@minicloud ~]# ll /var/log/
drwxr-x---. 2 prosody   prosody          4096 May 24 09:04 prosody

Comment 6 Miroslav Grepl 2015-06-03 07:33:22 UTC
(In reply to Robert Scheck from comment #4)
> Prosody process should run as user "prosody", directory /var/log/prosody/
> should be prosody:prosody, same for log files. Laurent, can you cross-check
> your setup, please?
> 
> Miroslav: Prosody drops its privileges itself - could that cause the issue,
> if it already writes a log line before?

Yes. In this case, we need to add dac_override.
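The audit2allow module in the description and the dac_override discussion in comments 3 to 6, as an added example that is not part of this bug report or of the selinux-policy project: a small parser that turns constructed AVC records into allow statements the way audit2allow does, plus a plain DAC check showing why a root process writing into a prosody:prosody 0750 log directory before dropping privileges makes the kernel ask for CAP_DAC_OVERRIDE. The sample records, the uid/gid 990 and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed AVC records in audit.log style (not the reporter's attachment),
# one per denial class the bug's audit2allow module covers.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1431604000.101:201): avc:  denied  { name_connect } for  pid=15000 comm="lua" dest=5432 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1431604000.102:202): avc:  denied  { dac_override } for  pid=14998 comm="lua" capability=1 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:system_r:prosody_t:s0 tclass=capability
type=AVC msg=audit(1431604000.102:203): avc:  denied  { dac_read_search } for  pid=14998 comm="lua" capability=2 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:system_r:prosody_t:s0 tclass=capability
type=AVC msg=audit(1431604000.103:204): avc:  denied  { write add_name } for  pid=14998 comm="lua" name="prosody" scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1431604000.103:205): avc:  denied  { create } for  pid=14998 comm="lua" name="prosody.log" scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1431604000.104:206): avc:  denied  { read open } for  pid=14998 comm="lua" path="/var/log/prosody/prosody.log" scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

# Permission set, source type, target type and object class of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+tclass=(?P<tclass>\w+)")

def collect_denials(audit_text):
    """Group denied permissions by (source type, target type, class), like audit2allow."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return rules

def to_allow_rules(rules):
    """Render one allow statement per group; a target equal to the source becomes 'self'."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if ttype == stype else ttype
        p = sorted(perms)
        pstr = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {target}:{tclass} {pstr};")
    return out

def dac_permits(uid, gids, owner, group, mode, want):
    """Plain DAC check without CAP_DAC_OVERRIDE: does uid get the 'want' bits
    (r=4, w=2, x=1) on an object owned by owner:group with these mode bits?
    False for uid 0 means the kernel consults CAP_DAC_OVERRIDE, which SELinux denied here."""
    if uid == owner:
        bits = (mode >> 6) & 7
    elif group in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want
```

Run `to_allow_rules(collect_denials(SAMPLE_AUDIT))` to reproduce the four allow lines of the reporter's module; `dac_permits(0, {0}, 990, 990, 0o750, 3)` is False (root before the privilege drop) while `dac_permits(990, {990}, 990, 990, 0o750, 3)` is True (the prosody user afterwards).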

Comment 7 Lukas Vrabec 2015-07-02 11:32:28 UTC
commit 37b15993bcdc846afb030bbb8c0fcc19b64a1c61
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 2 13:28:44 2015 +0200

    Allow prosody connect to postgresql port.
    
    Allow prosody create prosody_log_t dirs/files.
    
    Allow prosody dac_override cap.

Added fixes to F22.
I'll add fixes also to RHEL7.2

Comment 8 Robert Scheck 2015-07-02 11:36:56 UTC
Awesome. Is there already a 7.2 tree that a Red Hat partner is able to access
to test the whole combination (not just the policy) with Prosody?

Comment 9 Lukas Vrabec 2015-07-09 11:10:12 UTC
commit 3b8100ace47fa4e326b79b5e0fa24e68f6d643bc
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 2 13:34:56 2015 +0200

    Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)

Comment 13 errata-xmlrpc 2015-11-19 10:33:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html