Bug 1221587
| Field | Value |
|---|---|
| Summary | Prosody SELinux policy |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Laurent Wandrebeck <l.wandrebeck> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | high |
| Priority | unspecified |
| Version | 7.1 |
| CC | baptiste.peugnez, g.fhnrunznrqeqf, lvrabec, l.wandrebeck, mgrepl, mmalik, plautrba, pvrabec, redhat-bugzilla, robert.scheck, ssekidde |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | selinux-policy-3.13.1-32.el7 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2015-11-19 10:33:59 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Prosody must be able to handle its log files in /var/log/prosody/*, prosody might connect to PostgreSQL or MySQL via unix socket or TCP.

I see dac_override. So it means we have a different process vs. log_file owner.

Prosody process should run as user "prosody", directory /var/log/prosody/ should be prosody:prosody, same for log files. Laurent, can you cross-check your setup, please?

Miroslav: Prosody drops its privileges itself - could that cause the issue, if it already writes a log line before?

```
[root@bla ~]# ps aux | grep prosody
prosody  15000  0.0  0.0 115260  6972 ?  S  20:16  0:00 lua /usr/lib64/prosody/../../bin/prosody
[root@minicloud ~]# ll /var/log/
drwxr-x---. 2 prosody prosody 4096 May 24 09:04 prosody
```

(In reply to Robert Scheck from comment #4)
> Prosody process should run as user "prosody", directory /var/log/prosody/
> should be prosody:prosody, same for log files. Laurent, can you cross-check
> your setup, please?
>
> Miroslav: Prosody drops its privileges itself - could that cause the issue,
> if it already writes a log line before?

Yes. In this case, we need to add dac_override.

```
commit 37b15993bcdc846afb030bbb8c0fcc19b64a1c61
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 2 13:28:44 2015 +0200

    Allow prosody connect to postgresql port.
    Allow prosody create prosody_log_t dirs/files.
    Allow prosody dac_override cap.
```

Added fixes to F22. I'll add fixes also to RHEL7.2

Awesome. Is there already a 7.2 tree that a Red Hat partner is able to access to test the whole combination (not just the policy) with Prosody?

```
commit 3b8100ace47fa4e326b79b5e0fa24e68f6d643bc
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 2 13:34:56 2015 +0200

    Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2300.html
Created attachment 1025363 [details]
grep denied /var/log/audit/audit.log

Description of problem:
Several avc:denied when running Prosody 0.9.8-1.el7 from epel-testing

Version-Release number of selected component (if applicable):
Prosody 0.9.8-1.el7
selinux-policy 3.13.1-23.el7_1.7
(running CentOS 7-1503 fully up to date).

How reproducible:
(configure the service) systemctl start prosody

Steps to Reproduce:
1. yum install prosody --enablerepo=epel-testing
2. (configure the service - running with PostgreSQL as a backend here)
3. systemctl start prosody

Actual results:
SELinux prevents certain operations needed to get prosody running.

Expected results:
SELinux lets Prosody run normally.

Additional info:
.te file coming from audit2allow

```
module myprosody 1.0;

require {
	type var_log_t;
	type postgresql_port_t;
	type prosody_t;
	class capability { dac_read_search dac_override };
	class tcp_socket name_connect;
	class file { read create open };
	class dir { write add_name };
}

#============= prosody_t ==============
allow prosody_t postgresql_port_t:tcp_socket name_connect;
allow prosody_t self:capability { dac_read_search dac_override };
allow prosody_t var_log_t:dir { write add_name };
allow prosody_t var_log_t:file { read create open };
```

Please note that fw is still closed for Prosody, so additional rules may be necessary once the server goes to prod.
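As an added example (not code from the bug report or from the selinux-policy project), the script below reads AVC denial lines of the kind the attached grep produces, groups them into allow rules the way audit2allow does, and flags the two rules a reviewer should question before pasting them into a module: the DAC capability grant that the thread traced to prosody logging before it drops privileges, and the writes to the generic var_log_t type that the fix replaced with the private prosody_log_t type. The audit lines are constructed to match the rules in the .te file above; they are not the real attachment, and the list of generic types is an assumption.

```python
import re
from collections import defaultdict

# Constructed AVC lines modelled on the .te rules in this bug (not the real attachment).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1432458251.123:101): avc:  denied  { name_connect } for  pid=15000 comm="lua" dest=5432 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1432458251.456:102): avc:  denied  { dac_override } for  pid=15000 comm="lua" capability=1 scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:system_r:prosody_t:s0 tclass=capability
type=AVC msg=audit(1432458251.789:103): avc:  denied  { write add_name } for  pid=15000 comm="lua" name="prosody" scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1432458252.001:104): avc:  denied  { create } for  pid=15000 comm="lua" name="prosody.log" scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1432458252.002:105): avc:  denied  { read open } for  pid=15000 comm="lua" path="/var/log/prosody/prosody.log" scontext=system_u:system_r:prosody_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?scontext=(?:\w+:){2}(?P<sdom>\w+)"
                    r".*?tcontext=(?:\w+:){2}(?P<ttype>\w+).*?tclass=(?P<tclass>\w+)")
# Assumed list of generic types that a confined daemon should not be writing to.
GENERIC_TYPES = {"var_log_t", "var_lib_t", "var_run_t", "etc_t", "tmp_t"}

def parse_denials(text):
    """Group denied permissions by (source domain, target type, object class).
    A capability check targets the process's own domain, which audit2allow writes as "self"."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        target = "self" if m.group("ttype") == m.group("sdom") else m.group("ttype")
        rules[(m.group("sdom"), target, m.group("tclass"))].update(m.group("perms").split())
    return rules

def render_rules(rules):
    """Emit allow rules in the form audit2allow prints them."""
    out = []
    for (sdom, target, tclass), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        out.append(f"allow {sdom} {target}:{tclass} {p};")
    return out

def review_flags(rules):
    """Rules to question rather than paste: a DAC capability grant usually means the process
    uid differs from the file owner (here prosody logs before dropping privileges), and writes
    to a generic type such as var_log_t mean the path needs a private type (prosody_log_t)."""
    flags = []
    for (sdom, target, tclass), perms in sorted(rules.items()):
        if tclass == "capability" and perms & {"dac_override", "dac_read_search"}:
            flags.append(f"{sdom}: verify uid vs. file ownership before granting {sorted(perms)}")
        elif target in GENERIC_TYPES and perms & {"write", "create", "add_name"}:
            msg = f"{sdom}: writes to generic {target}; label the path with a private type"
            if msg not in flags:
                flags.append(msg)
    return flags
```

Run `render_rules(parse_denials(open("/var/log/audit/audit.log").read()))` on a real log to compare its output with what audit2allow proposes; `review_flags` lists the rules worth checking against process uid and file labels first.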