Bug 1471397

Summary: SELinux denies Radicale from using IMAP authentication
Product: [Fedora] Fedora Reporter: Michael Cronenworth <mike>
Component: radicaleAssignee: Juan Orti <jorti>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 26CC: dominick.grift, dwalsh, jorti, lvrabec, mgrepl, opensource, pb, plautrba, pmoore, ssekidde
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: radicale-1.1.6-2.fc26 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-02 21:22:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michael Cronenworth 2017-07-15 15:51:35 UTC 
SELinux is preventing radicale from name_connect access on the tcp_socket port 143.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that radicale should be allowed name_connect access on the port 143 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'radicale' --raw | audit2allow -M my-radicale
# semodule -X 300 -i my-radicale.pp


Additional Information:
Source Context                system_u:system_r:radicale_t:s0
Target Context                system_u:object_r:pop_port_t:s0
Target Objects                port 143 [ tcp_socket ]
Source                        radicale
Source Path                   radicale
Port                          143
Host                          balthasar.cchtml.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-225.18.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     balthasar.cchtml.com
Platform                      Linux balthasar.cchtml.com 4.11.9-200.fc25.x86_64
                              #1 SMP Wed Jul 5 18:19:05 UTC 2017 x86_64 x86_64
Alert Count                   2573
First Seen                    2016-06-02 17:05:25 CDT
Last Seen                     2017-07-15 08:45:50 CDT
Local ID                      6c0ed17d-1e88-481a-b88a-840a66388593

Raw Audit Messages
type=AVC msg=audit(1500126350.851:145): avc:  denied  { name_connect } for  pid=2072 comm="radicale" dest=143 scontext=system_u:system_r:radicale_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket permissive=1


Hash: radicale,radicale_t,pop_port_t,tcp_socket,name_connect
Comment 1 Michael Cronenworth 2017-11-09 22:28:19 UTC 
This is still an issue.

selinux-policy-3.13.1-260.13.fc26.noarch

Here is my .te file that allows it.
-----

module my-radicale 1.0;

require {
	type pop_port_t;
	type radicale_t;
	class tcp_socket name_connect;
}

#============= radicale_t ==============

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow radicale_t pop_port_t:tcp_socket name_connect;
Comment 2 Lukas Vrabec 2017-11-16 12:41:09 UTC 
Radicale is not part of distribution policy. Do you know which package provides this policy? 

Lukas.
Comment 3 Michael Cronenworth 2017-11-16 14:29:27 UTC 
Indeed. Sorry for the noise. Radicale ships its own policy files.
Comment 4 Fedora Update System 2017-11-21 18:28:46 UTC 
radicale-2.1.8-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-43da2d8328
Comment 5 Fedora Update System 2017-11-21 18:38:59 UTC 
radicale-1.1.6-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-27a140d38e
Comment 6 Fedora Update System 2017-11-22 17:52:54 UTC 
radicale-1.1.6-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8990067d8d
Comment 7 Fedora Update System 2017-11-22 21:39:08 UTC 
radicale-2.1.8-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-43da2d8328
Comment 8 Fedora Update System 2017-11-25 01:32:25 UTC 
radicale-1.1.6-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-27a140d38e
Comment 9 Fedora Update System 2017-11-30 15:40:16 UTC 
radicale-2.1.8-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2017-12-02 21:22:19 UTC 
radicale-1.1.6-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.