Bug 574788

Summary: Zarafa needs a SELinux treatment to work (currently works only in the permissive mode)
Product: Fedora
Reporter: Tim Hughes <thughes>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: david, dgunchev, dominick.grift, dwalsh, dwmw2, mcepl, mgrepl, pcfe, redhat-bugzilla, simonhandy, stsp1, vanmeeuwen+fedora, warlord
Keywords: Reopened, Triaged
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:51c480719e17e6f8612add8e29cac913dbb73de6afef32397dc0649806675242
Doc Type: Bug Fix
Clones: 720462, 720463
Last Closed: 2011-08-04 09:39:03 UTC
Bug Depends On: 615722
Bug Blocks: 720462, 720463
Attachments:
- output of ausearch -m AVC -ts today (attachment 473673, comment 17)
- /var/log/audit/audit.log (attachment 475191, comment 19)
- complete SELinux policy (attachment 475283, comment 21)
- output of ausearch -m AVC -ts today|audit2allow (attachment 503992, comment 55)
- output of ausearch -m AVC -ts yesterday

Description Tim Hughes 2010-03-18 14:54:37 UTC
Summary:

SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files
zarafa.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied the httpd access to potentially mislabeled files zarafa. This
means that SELinux will not allow httpd to use these files. If httpd should be
allowed this access to these files you should change the file context to one of
the following types, mysqld_db_t, mysqld_var_run_t, httpd_var_run_t,
nscd_var_run_t, nslcd_var_run_t, slapd_var_run_t, sssd_var_lib_t,
system_dbusd_var_run_t, postgresql_var_run_t, postgresql_tmp_t,
winbind_var_run_t, devlog_t, setrans_var_run_t, httpd_tmpfs_t, avahi_var_run_t,
httpd_squid_content_rw_t, nscd_var_run_t, pcscd_var_run_t,
httpd_apcupsd_cgi_content_rw_t, httpd_prewikka_content_rw_t,
httpd_awstats_content_rw_t, httpd_w3c_validator_content_rw_t,
httpd_user_content_rw_t, httpd_cobbler_content_rw_t, httpd_munin_content_rw_t,
httpd_bugzilla_content_rw_t, httpd_nagios_content_rw_t, httpd_sys_content_rw_t,
httpd_cvs_content_rw_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_rw_t.
Many third party apps install html files in directories that SELinux policy
cannot predict. These directories have to be labeled with a file context which
httpd can access.

Allowing Access:

If you want to change the file context of zarafa so that the httpd daemon can
access it, you need to execute it using semanage fcontext -a -t FILE_TYPE
'zarafa'.
where FILE_TYPE is one of the following: mysqld_db_t, mysqld_var_run_t,
httpd_var_run_t, nscd_var_run_t, nslcd_var_run_t, slapd_var_run_t,
sssd_var_lib_t, system_dbusd_var_run_t, postgresql_var_run_t, postgresql_tmp_t,
winbind_var_run_t, devlog_t, setrans_var_run_t, httpd_tmpfs_t, avahi_var_run_t,
httpd_squid_content_rw_t, nscd_var_run_t, pcscd_var_run_t,
httpd_apcupsd_cgi_content_rw_t, httpd_prewikka_content_rw_t,
httpd_awstats_content_rw_t, httpd_w3c_validator_content_rw_t,
httpd_user_content_rw_t, httpd_cobbler_content_rw_t, httpd_munin_content_rw_t,
httpd_bugzilla_content_rw_t, httpd_nagios_content_rw_t, httpd_sys_content_rw_t,
httpd_cvs_content_rw_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_rw_t.
You can look at the httpd_selinux man page for additional information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:var_run_t:s0
Target Objects                zarafa [ sock_file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.2.14-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-99.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   httpd_bad_labels
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.9-70.fc12.i686.PAE #1 SMP
                              Wed Mar 3 04:57:21 UTC 2010 i686 i686
Alert Count                   7
First Seen                    Thu 18 Mar 2010 02:49:33 PM GMT
Last Seen                     Thu 18 Mar 2010 02:53:21 PM GMT
Local ID                      fda5fc72-06da-4cd5-ac4b-e188cfb36f98
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1268924001.709:94): avc:  denied  { write } for  pid=946 comm="httpd" name="zarafa" dev=dm-1 ino=35731 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file

node=(removed) type=AVC msg=audit(1268924001.709:94): avc:  denied  { connectto } for  pid=946 comm="httpd" path="/var/run/zarafa" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket

node=(removed) type=SYSCALL msg=audit(1268924001.709:94): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bf818470 a2=449f018 a3=11 items=0 ppid=938 pid=946 auid=500 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)



Hash String generated from  httpd_bad_labels,httpd,httpd_t,var_run_t,sock_file,write
audit2allow suggests:

#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t var_run_t:sock_file write;

Comment 1 Tim Hughes 2010-03-18 14:57:29 UTC
http://fedoraproject.org/wiki/Features/Zarafa#How_To_Test


I just installed using those instructions (but on Fedora 12) and then tried to log in via the web interface.

It displayed a red message saying 'Could not contact Zarafa server'

I then turned SELinux off using

setenforce 0

and then I could log in

Comment 2 Daniel Walsh 2010-03-18 15:46:00 UTC
Miroslav, can you write a policy for zarafa?

Comment 3 Miroslav Grepl 2010-03-18 17:06:30 UTC
Yes. I have just started to write it.

Comment 4 Derek Atkins 2010-06-11 16:00:57 UTC
I just hit this myself on FC12.  Any progress on a zarafa policy?
I'm getting the denial on /var/run/zarafa

Comment 5 Daniel Walsh 2010-06-16 21:04:08 UTC
We just released zarafa policy in Rawhide.

Comment 6 Miroslav Grepl 2010-06-23 08:22:01 UTC
(In reply to comment #4)
> I just hit this myself on FC12.  Any progress on a zarafa policy?
> I'm getting the denial on /var/run/zarafa    

Derek, Tim,
I can create local zarafa policy for testing in F12/F13 if you are interested.

Comment 7 Matěj Cepl 2010-07-17 12:39:14 UTC
*** Bug 615608 has been marked as a duplicate of this bug. ***

Comment 8 Matěj Cepl 2010-07-17 12:41:43 UTC
(In reply to comment #7)
> *** Bug 615608 has been marked as a duplicate of this bug. ***    

Just to note the same problem is on RHEL-5 and EPEL.

Comment 9 Miroslav Grepl 2010-10-01 06:12:23 UTC
Matej,
if you are interested I can create local RHEL5 zarafa policy for you :).

Comment 10 Matěj Cepl 2010-10-01 08:15:36 UTC
(In reply to comment #9)
> Matej,
> if you are interested I can create local RHEL5 zarafa policy for you :).

yes, eventually it would be awesome, but for now there is bug 615722, which (as you can certainly understand) is a complete deal-breaker for me now. There are rumors that this may get fixed later this year, but until then I have no intention of installing it on my production server. It might be interesting, though, to start working on the policy (I can happily play with it in a virtual machine) meanwhile, so that we are ready when zarafa is useful again.

Comment 11 Matěj Cepl 2010-10-01 08:36:20 UTC
*** Bug 582323 has been marked as a duplicate of this bug. ***

Comment 13 Matěj Cepl 2011-01-12 21:22:17 UTC
There is now beta1 of 7.0 released (http://www.zarafa.com/download-release), which supports Unicode characters now. I have attached my /var/log/audit/audit.log from running Zarafa for a couple of hours in Permissive mode.

Comment 14 Miroslav Grepl 2011-01-13 09:38:14 UTC
Matej,
are you seeing it on F12? We have zarafa policy in F14+ releases.

Comment 15 Matěj Cepl 2011-01-13 13:20:02 UTC
(In reply to comment #14)
> Matej,
> are you seeing it on F12? We have zarafa policy in F14+ releases.

RHEL-5, and these are not our packages. Is there a way I could get hold of the F14 policy and install it as a private module on RHEL-5?

Comment 16 Miroslav Grepl 2011-01-13 13:24:46 UTC
(In reply to comment #15)
> (In reply to comment #14)
> > Matej,
> > are you seeing it on F12? We have zarafa policy in F14+ releases.
> 
> RHEL-5, and these are not our packages. Is there a way I could get hold of
> the F14 policy and install it as a private module on RHEL-5?

Yes, I will do it for you :)

Comment 17 Matěj Cepl 2011-01-15 21:54:36 UTC
Created attachment 473673 [details]
output of ausearch -m AVC -ts today

(In reply to comment #16)
> Yes, I will do it for you :)

With your SELinux module, this is what I get (just AVCs for today, but I did a lot of things with zarafa, including restarting, communicating via ActiveSync etc., so I think the basics of general traffic should be covered).

audit2allow says this:

[root@hus ~]# ausearch -m AVC -ts today |audit2allow


#============= httpd_t ==============
allow httpd_t zarafa_server_t:unix_stream_socket connectto;
allow httpd_t zarafa_server_var_run_t:sock_file write;

#============= postfix_local_t ==============
allow postfix_local_t zarafa_deliver_exec_t:file { read execute execute_no_trans };
allow postfix_local_t zarafa_server_t:unix_stream_socket connectto;
allow postfix_local_t zarafa_server_var_run_t:sock_file write;

#============= zarafa_gateway_t ==============
allow zarafa_gateway_t lib_t:file execute;
allow zarafa_gateway_t reserved_port_t:tcp_socket name_connect;

#============= zarafa_spooler_t ==============
allow zarafa_spooler_t ld_so_cache_t:file { read getattr };
allow zarafa_spooler_t ld_so_t:file { read execute };
allow zarafa_spooler_t lib_t:file execute;
allow zarafa_spooler_t zarafa_spooler_exec_t:file execute_no_trans;
[root@hus ~]#

Comment 18 Miroslav Grepl 2011-01-17 10:11:01 UTC
Oops, I did not send you another rules which we have. I mean

optional_policy(`
    zarafa_deliver_domtrans(postfix_local_t)
')

optional_policy(`
    zarafa_stream_connect_server(httpd_t)
    zarafa_search_config(httpd_t)
')

I am going to send you a patch for rhel5 local policy. Thanks for testing. I am adding some fixes for Fedora.

Comment 19 Matěj Cepl 2011-01-25 15:50:04 UTC
Created attachment 475191 [details]
/var/log/audit/audit.log

After running zarafa with all settings as I would like them (almost) for some time, this is my /var/log/audit/audit.log

Comment 20 Daniel Walsh 2011-01-25 16:50:39 UTC
How did you get this to run as user_u?

Comment 21 Matěj Cepl 2011-01-25 21:23:15 UTC
Created attachment 475283 [details]
complete SELinux policy

(In reply to comment #20)
> How did you get this to run as user_u?

I have no clue; I have just run the SELinux zarafa policy as provided by mgrepl (I haven't played with SELinux configuration at all aside from installing the module and relabeling some directories). Moreover, I don't see anything abnormal in my running server now:

[matej@hus ~]$ ps auxZ |grep zarafa
system_u:system_r:zarafa_server_t root    2529  0.1  3.5 175292  8980 ?        Sl   17:53   0:17 /usr/bin/zarafa-server -c /etc/zarafa/server.cfg
system_u:system_r:zarafa_gateway_t root   2560  0.0  0.3  27072   824 ?        S    17:53   0:00 /usr/bin/zarafa-gateway -c /etc/zarafa/gateway.cfg
system_u:system_r:zarafa_gateway_t root   2561  0.0  0.2  27076   724 ?        S    17:53   0:00 /usr/bin/zarafa-gateway -c /etc/zarafa/gateway.cfg
system_u:system_r:initrc_t      root      2598  0.0  1.6  74588  4308 ?        Sl   17:53   0:07 /usr/bin/zarafa-indexer -c /etc/zarafa/indexer.cfg
system_u:system_r:zarafa_monitor_t root   2616  0.0  1.7  46492  4552 ?        Sl   17:53   0:00 /usr/bin/zarafa-monitor -c /etc/zarafa/monitor.cfg
system_u:system_r:zarafa_spooler_t root   2633  0.0  0.9  38008  2512 ?        Sl   17:53   0:00 /usr/bin/zarafa-spooler -c /etc/zarafa/spooler.cfg
system_u:system_r:zarafa_spooler_t root   2634  0.0  0.1  26360   448 ?        S    17:53   0:00 /usr/bin/zarafa-spooler -c /etc/zarafa/spooler.cfg
system_u:system_r:zarafa_gateway_t root   5330  0.0  1.7  28680  4396 ?        Sl   22:04   0:00 /usr/bin/zarafa-gateway -c /etc/zarafa/gateway.cfg
system_u:system_r:zarafa_gateway_t root   5515  0.0  1.9  28600  4972 ?        Sl   22:14   0:00 /usr/bin/zarafa-gateway -c /etc/zarafa/gateway.cfg
system_u:system_r:zarafa_gateway_t root   5568  0.0  1.9  28600  4896 ?        Sl   22:15   0:00 /usr/bin/zarafa-gateway -c /etc/zarafa/gateway.cfg
system_u:system_r:zarafa_gateway_t root   5570  0.0  1.9  28600  4964 ?        Sl   22:15   0:00 /usr/bin/zarafa-gateway -c /etc/zarafa/gateway.cfg
user_u:system_r:unconfined_t    matej     5637  0.0  0.2   4020   724 pts/0    S+   22:19   0:00 grep zarafa
[matej@hus ~]$

Comment 22 Matěj Cepl 2011-01-25 21:26:43 UTC
Humf, my normal user (non-root) seems to run as user_u.

[matej@hus ~]$ id -Z
user_u:system_r:unconfined_t
[matej@hus ~]$ 

I hadn't known about it. Hmm, but this doesn't look extraordinary:

[root@hus ~]# semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            user       s0         SystemLow-SystemHigh           system_r sysadm_r user_r
system_u        user       s0         SystemLow-SystemHigh           system_r
user_u          user       s0         SystemLow-SystemHigh           system_r sysadm_r user_r
[root@hus ~]# 

Where should I look to find out how I deserved that user_u label?

Comment 23 Daniel Walsh 2011-01-25 21:34:40 UTC
You are testing it on a RHEL5 machine and the bugzilla says it is on Rawhide, that is what confused me.

Comment 24 Matěj Cepl 2011-01-25 21:54:44 UTC
(In reply to comment #23)
> You are testing it on a RHEL5 machine and the bugzilla says it is on Rawhide,
> that is what confused me.

Yes, right, sorry for confusing you ... I meant that this issue isn't RHEL specific, but yes, this is my home server running an employee's license of RHEL-5.

Comment 25 Miroslav Grepl 2011-01-26 12:46:47 UTC
Tim, 
any chance you use Fedora14/Rawhide which contain zarafa policy? So you could test this policy.

Comment 27 Matěj Cepl 2011-02-04 13:29:40 UTC
audit2allow suggests

[root@luther ~]# ausearch -m AVC -ts today|audit2allow


#============= zarafa_deliver_t ==============
allow zarafa_deliver_t ld_so_cache_t:file { read getattr };
allow zarafa_deliver_t ld_so_t:file read;
allow zarafa_deliver_t lib_t:file execute;

#============= zarafa_gateway_t ==============
allow zarafa_gateway_t lib_t:file execute;

#============= zarafa_ical_t ==============
allow zarafa_ical_t reserved_port_t:tcp_socket name_connect;

#============= zarafa_server_t ==============
allow zarafa_server_t var_lib_t:dir { write add_name };
allow zarafa_server_t var_lib_t:file { read write getattr create };
[root@luther ~]# 

What do you think?

Comment 28 Daniel Walsh 2011-02-04 14:12:47 UTC
Looks like labeling on lib_t:file execute.  Probably needs to be labeled bin_t.

We also need a label on the content it is writing in var_lib_t.  What directory is this?

Comment 29 Matěj Cepl 2011-02-26 17:04:44 UTC
So, update on this:

a) I have switched to RHEL-6 on the server. So, I have 
selinux-policy-3.7.19-54.el6_0.3.noarch
b) I have created a new git repository with what I have on my system (i.e., currently what's here with comment 21) at
http://gitorious.org/various-small-stuff/zarafa-selinux-policy, just that we could coordinate.

> We also need a label on the content it is writing in var_lib_t.  What directory
> is this?

c) Most likely /var/lib/zarafa-webaccess (will investigate further once I have some fresh AVC denials and I can use inodes to find the names).

Will run zarafa in Permissive mode for a couple of days, and I will follow up with the fresh logs.

Comment 30 Matěj Cepl 2011-02-26 17:21:59 UTC
URL of the repo is now http://gitorious.org/zarafa/zarafa-selinux-policy

Comment 31 Miroslav Grepl 2011-02-28 09:24:39 UTC
Matej,
great. I think we will need to add a label for this dir. Probably to label it as zarafa web content.

Comment 32 Matěj Cepl 2011-04-18 15:13:58 UTC
I still cannot restart the zarafa service in Enforcing mode:

[root@luther ~]# ausearch -m AVC -ts recent |audit2allow


#============= postfix_local_t ==============
allow postfix_local_t httpd_sys_rw_content_t:dir { search getattr };

#============= zarafa_ical_t ==============
allow zarafa_ical_t self:process signal;

#============= zarafa_server_t ==============
#!!!! The source type 'zarafa_server_t' can write to a 'dir' of the following types:
# zarafa_server_log_t, var_run_t, var_log_t, zarafa_server_var_run_t, root_t

allow zarafa_server_t tmp_t:dir { write remove_name add_name };
#!!!! The source type 'zarafa_server_t' can write to a 'file' of the following types:
# zarafa_server_log_t, zarafa_server_var_run_t, root_t

allow zarafa_server_t tmp_t:file { write create unlink open };
#!!!! The source type 'zarafa_server_t' can write to a 'dir' of the following types:
# zarafa_server_log_t, var_run_t, var_log_t, zarafa_server_var_run_t, root_t

allow zarafa_server_t var_lib_t:dir write;
allow zarafa_server_t var_lib_t:file read;

#============= zarafa_spooler_t ==============
allow zarafa_spooler_t zarafa_spooler_exec_t:file execute_no_trans;
[root@luther ~]#

Comment 33 Daniel Walsh 2011-04-18 16:01:24 UTC
I pushed out some fixes for this into Rawhide.  Might need to back port to F15.

Comment 34 Matěj Cepl 2011-04-18 16:25:56 UTC
Just to make a note that we are missing port 236 which is used for the communication with the zarafa-server. Marking it as zarafa_port_t and let's see what happens (I'll collect more SELinux messages about it).

Comment 35 Robert Scheck 2011-04-18 17:09:31 UTC
Port 236/TCP is used by Zarafa for internal and external communication via
SOAP. Please note, there's also port 237/TCP, which has to be same privileged
as 236, which is simply 236/TCP+SSL.

Comment 36 Daniel Walsh 2011-04-18 19:31:01 UTC
Miroslav lets take the latest zarafa policy from F16 and back port it to RHEL6 along with this.

network_port(zarafa, tcp,236,s0, tcp,237,s0)

Comment 37 Matěj Cepl 2011-04-19 13:16:04 UTC
A couple of minutes after applying the module and restarting zarafa I got these messages:

[root@luther ~]# ausearch -m AVC -ts recent |audit2allow


#============= httpd_t ==============
allow httpd_t zarafa_server_var_run_t:sock_file write;

#============= postfix_local_t ==============
allow postfix_local_t httpd_sys_rw_content_t:dir { search getattr };
allow postfix_local_t zarafa_deliver_exec_t:file { execute getattr };

#============= zarafa_server_t ==============
allow zarafa_server_t initrc_t:unix_stream_socket connectto;
allow zarafa_server_t var_run_t:sock_file write;
[root@luther ~]# 

Also, just to keep record:
[root@luther ~]# semodule -l |grep zarafa
permissive_zarafa_ical_t	1.0	
permissive_zarafa_server_t	1.0	
zarafa	1.1.0	
[root@luther ~]#

Comment 38 Daniel Walsh 2011-04-19 15:04:48 UTC
What is running as initrc_t?

ps -eZ | grep initrc_t

What process owns a sock_file in var_run?

Comment 39 Daniel Walsh 2011-04-19 15:06:07 UTC
Rawhide has 

optional_policy(`
	zarafa_deliver_domtrans(postfix_local_t)
	zarafa_stream_connect_server(postfix_local_t)
')

Maybe add this to your policy to see if it fixes your other AVCs?

Comment 40 Matěj Cepl 2011-04-19 16:31:29 UTC
(without change from comment 39)
This is just a record of today's activity
[root@luther ~]# ausearch -m AVC -ts today |audit2allow


#============= httpd_t ==============
allow httpd_t zarafa_server_t:unix_stream_socket connectto;
allow httpd_t zarafa_server_var_run_t:sock_file write;

#============= postfix_local_t ==============
allow postfix_local_t httpd_sys_rw_content_t:dir { search getattr };
#!!!! The source type 'postfix_local_t' can write to a 'file' of the following types:
# postfix_spool_t, user_home_t, mailman_data_t, postfix_local_tmp_t, postfix_var_run_t, dovecot_spool_t, anon_inodefs_t, mail_spool_t, nfs_t

allow postfix_local_t httpd_sys_rw_content_t:file { write lock getattr open append };
allow postfix_local_t zarafa_deliver_exec_t:file { read execute open getattr execute_no_trans };
allow postfix_local_t zarafa_server_t:unix_stream_socket connectto;
allow postfix_local_t zarafa_server_var_run_t:sock_file write;

#============= zarafa_server_t ==============
allow zarafa_server_t initrc_t:unix_stream_socket connectto;
allow zarafa_server_t var_lib_t:file { read getattr unlink open };
allow zarafa_server_t var_run_t:sock_file write;
------------------------------------------------------------------------------
[root@luther ~]# ps -eZ | grep initrc_t
system_u:system_r:initrc_t:s0    1513 ?        00:13:15 zarafa-indexer
system_u:system_r:initrc_t:s0    1562 ?        00:00:01 rhnsd
unconfined_u:system_r:initrc_t:s0 4135 ?       00:00:11 dspam
unconfined_u:system_r:initrc_t:s0 9253 ?       00:06:50 spectrum
unconfined_u:system_r:initrc_t:s0 9259 ?       00:04:47 spectrum
unconfined_u:system_r:initrc_t:s0 9265 ?       00:05:57 spectrum
unconfined_u:system_r:initrc_t:s0 9271 ?       00:05:00 spectrum
unconfined_u:system_r:initrc_t:s0 32755 ?      00:30:56 lua

dspam is probably involved with that postfix related SELinux types, spectrum is Jabber transport (works fine), lua is prosody (another XMPP org). I guess you know about rhnsd, so the only remaining one is zarafa-indexer.
------------------------------------------------------------------------------
[root@luther ~]# ls -lRZ /var/run/
/var/run/:
-rw-r--r--. root     root     system_u:object_r:auditd_var_run_t:s0 auditd.pid
drwxr-xr-x. avahi    avahi    system_u:object_r:avahi_var_run_t:s0 avahi-daemon
drwxr-xr-x. root     root     system_u:object_r:pam_var_console_t:s0 console
drwxr-xr-x. root     root     system_u:object_r:consolekit_var_run_t:s0 ConsoleKit
-rw-r--r--. root     root     system_u:object_r:crond_var_run_t:s0 crond.pid
----------. root     root     system_u:object_r:crond_var_run_t:s0 cron.reboot
drwxr-xr-x. root     root     system_u:object_r:system_dbusd_var_run_t:s0 dbus
-rw-r--r--. root     root     unconfined_u:object_r:dhcpd_var_run_t:s0 dhcpd.pid
drwxrwx---. dspam    mail     system_u:object_r:var_run_t:s0   dspam
-rw-------. root     root     system_u:object_r:fetchmail_var_run_t:s0 fetchmail.pid
drwx--x---. root     apache   system_u:object_r:httpd_var_run_t:s0 httpd
drwx------. root     root     system_u:object_r:var_run_t:s0   lvm
-rw-r--r--. root     root     system_u:object_r:system_dbusd_var_run_t:s0 messagebus.pid
drwxr-xr-x. mysql    mysql    system_u:object_r:mysqld_var_run_t:s0 mysqld
drwxr-x---. named    named    system_u:object_r:named_var_run_t:s0 named
lrwxrwxrwx. root     root     system_u:object_r:var_run_t:s0   named.pid -> /var/run/named/named.pid
drwxrwxr-x. root     root     system_u:object_r:var_run_t:s0   netreport
drwxr-xr-x. root     root     system_u:object_r:plymouthd_var_run_t:s0 plymouth
drwxr-xr-x. prosody  prosody  system_u:object_r:var_run_t:s0   prosody
-rw-r--r--. root     root     system_u:object_r:restorecond_var_run_t:s0 restorecond.pid
-rwxr-xr-x. root     root     system_u:object_r:rpm_var_run_t:s0 rhn_check.pid
-rw-r--r--. root     root     system_u:object_r:initrc_var_run_t:s0 rhnsd.pid
drwxr-xr-x. root     root     system_u:object_r:saslauthd_var_run_t:s0 saslauthd
drwxr-xr-x. root     root     system_u:object_r:pam_var_run_t:s0 sepermit
drwxr-xr-x. root     root     system_u:object_r:setrans_var_run_t:s0 setrans
drwx------. spectrum spectrum system_u:object_r:var_run_t:s0   spectrum
-rw-r--r--. root     root     system_u:object_r:sshd_var_run_t:s0 sshd.pid
drwx------. root     root     system_u:object_r:pam_var_run_t:s0 sudo
-rw-------. root     root     system_u:object_r:syslogd_var_run_t:s0 syslogd.pid
-rw-rw-r--. root     utmp     system_u:object_r:initrc_var_run_t:s0 utmp
srw-rw-rw-. root     root     unconfined_u:object_r:zarafa_server_var_run_t:s0 zarafa
-rw-r--r--. root     root     system_u:object_r:zarafa_deliver_var_run_t:s0 zarafa-dagent.pid
-rw-r--r--. root     root     unconfined_u:object_r:zarafa_gateway_var_run_t:s0 zarafa-gateway.pid
-rw-r--r--. root     root     unconfined_u:object_r:zarafa_ical_var_run_t:s0 zarafa-ical.pid
srw-rw-rw-. root     root     system_u:object_r:var_run_t:s0   zarafa-indexer
-rw-r--r--. root     root     system_u:object_r:initrc_var_run_t:s0 zarafa-indexer.pid
-rw-r--r--. root     root     unconfined_u:object_r:zarafa_monitor_var_run_t:s0 zarafa-monitor.pid
-rw-r--r--. root     root     system_u:object_r:zarafa_server_var_run_t:s0 zarafa-server.pid
-rw-r--r--. root     root     unconfined_u:object_r:zarafa_spooler_var_run_t:s0 zarafa-spooler.pid

/var/run/avahi-daemon:
-rw-r--r--. avahi avahi system_u:object_r:avahi_var_run_t:s0 pid
srwxrwxrwx. avahi avahi system_u:object_r:avahi_var_run_t:s0 socket

/var/run/console:

/var/run/ConsoleKit:

/var/run/dbus:
srwxrwxrwx. root root system_u:object_r:system_dbusd_var_run_t:s0 system_bus_socket

/var/run/dspam:
-rw-rw----. root mail unconfined_u:object_r:initrc_var_run_t:s0 dspam.pid

/var/run/httpd:
-rw-r--r--. root root unconfined_u:object_r:httpd_var_run_t:s0 httpd.pid

/var/run/lvm:

/var/run/mysqld:
-rw-rw----. mysql mysql unconfined_u:object_r:mysqld_var_run_t:s0 mysqld.pid

/var/run/named:
-rw-r--r--. named named system_u:object_r:named_var_run_t:s0 named.pid
-rw-------. named named system_u:object_r:named_var_run_t:s0 session.key

/var/run/netreport:

/var/run/plymouth:

/var/run/prosody:
-rw-r-----. prosody prosody unconfined_u:object_r:initrc_var_run_t:s0 prosody.pid

/var/run/saslauthd:

/var/run/sepermit:

/var/run/setrans:

/var/run/spectrum:
-rw-rw-rw-. spectrum spectrum unconfined_u:object_r:initrc_var_run_t:s0 icq.ceplovi.cz.pid
srwxrwxrwx. spectrum spectrum unconfined_u:object_r:var_run_t:s0 icq.ceplovi.cz.sock
-rw-rw-rw-. spectrum spectrum unconfined_u:object_r:initrc_var_run_t:s0 identica.ceplovi.cz.pid
srwxrwxrwx. spectrum spectrum unconfined_u:object_r:var_run_t:s0 identica.ceplovi.cz.sock
-rw-rw-rw-. spectrum spectrum unconfined_u:object_r:initrc_var_run_t:s0 irc.ceplovi.cz.pid
srwxrwxrwx. spectrum spectrum unconfined_u:object_r:var_run_t:s0 irc.ceplovi.cz.sock
-rw-rw-rw-. spectrum spectrum unconfined_u:object_r:initrc_var_run_t:s0 twitter.ceplovi.cz.pid
srwxrwxrwx. spectrum spectrum unconfined_u:object_r:var_run_t:s0 twitter.ceplovi.cz.sock

/var/run/sudo:
drwx------. root matej system_u:object_r:pam_var_run_t:s0 matej
-rw-------. root root  system_u:object_r:pam_var_run_t:s0 _pam_timestamp_key
drwx------. root root  system_u:object_r:pam_var_run_t:s0 root

/var/run/sudo/matej:
-rw-------. root matej unconfined_u:object_r:pam_var_run_t:s0 0
-rw-------. root matej unconfined_u:object_r:pam_var_run_t:s0 1
-rw-------. root matej unconfined_u:object_r:pam_var_run_t:s0 2

/var/run/sudo/root:
-rw-------. root root system_u:object_r:pam_var_run_t:s0 console
-rw-------. root root unconfined_u:object_r:pam_var_run_t:s0 unknown
[root@luther ~]#

Comment 41 Miroslav Grepl 2011-04-19 19:38:12 UTC
Matej,
could you ping me tomorrow? It looks like we have a lot of work :).

Anyway, I am pretty sure you were testing it on RHEL5 with the zarafa local policy which I sent you.

I will send you zarafa policy for RHEL6 with all rules from others modules.

Comment 42 Matěj Cepl 2011-04-19 21:30:10 UTC
(In reply to comment #39)
> optional_policy(`
>   zarafa_deliver_domtrans(postfix_local_t)
>   zarafa_stream_connect_server(postfix_local_t)
> ')
> 
> Maybe add this to your policy to see if it fixes your other AVC's/

[root@luther zarafa]# make
Compiling targeted zarafa module
/usr/bin/checkmodule:  loading policy configuration from tmp/zarafa.tmp
zarafa.te":144:ERROR 'unknown type postfix_local_t' at token ';' on line 27548:
	allow postfix_local_t zarafa_deliver_exec_t:file { getattr open read execute };
#line 144
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/zarafa.mod] Error 1
[root@luther zarafa]# 

(In reply to comment #41)
> could you ping me tomorrow. It looks like we have a lot of work :). 

Certainly I will.

Comment 43 Miroslav Grepl 2011-04-20 07:43:46 UTC
Matej, I have sent you RHEL6 zarafa policy. Just compile and install it using

# make -f /usr/share/selinux/devel/Makefile
# semodule -i zarafa.pp
# restorecon -R -v /usr/bin/zarafa-indexer

and restart zarafa services.

I will send you dspam policy for RHEL6.

Comment 44 Matěj Cepl 2011-04-20 11:25:11 UTC
Installed new zarafa policy. Just immediately after the start I get

[root@luther zarafa]# ausearch -m AVC -ts 13:04
----
time->Wed Apr 20 13:07:42 2011
type=SYSCALL msg=audit(1303297662.344:43676): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=afdf6c50 a2=8403fa8 a3=0 items=0 ppid=1 pid=12176 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1504 comm="zarafa-server" exe="/usr/bin/zarafa-server" subj=unconfined_u:system_r:zarafa_server_t:s0 key=(null)
type=AVC msg=audit(1303297662.344:43676): avc:  denied  { connectto } for  pid=12176 comm="zarafa-server" path="/var/run/zarafa-indexer" scontext=unconfined_u:system_r:zarafa_server_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Wed Apr 20 13:07:42 2011
type=SYSCALL msg=audit(1303297662.321:43675): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=b11f8c50 a2=8403fa8 a3=0 items=0 ppid=1 pid=12174 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1504 comm="zarafa-server" exe="/usr/bin/zarafa-server" subj=unconfined_u:system_r:zarafa_server_t:s0 key=(null)
type=AVC msg=audit(1303297662.321:43675): avc:  denied  { write } for  pid=12174 comm="zarafa-server" name="zarafa-indexer" dev=dm-0 ino=1837285 scontext=unconfined_u:system_r:zarafa_server_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file

Will remove permissive domains from zarafa_server_t and zarafa_ical_t to see clearly what breaks.
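
The two denials just above have the same shape as the two in comment 0: a `write` on a `sock_file` that is still labeled `var_run_t`, followed by a `connectto` whose peer runs as `initrc_t`. The following is an added example written for this page; it is not part of the bug report, of audit2allow or setroubleshoot, nor of the Zarafa or selinux-policy packages. It reimplements the grouping audit2allow does over the raw AVC records posted in comment 0 and comment 44 (copied into the script as sample input, with one SYSCALL record shortened to show that non-AVC lines are skipped), then flags which of the resulting rules point at a labeling problem rather than a missing rule: a generic target type such as `var_run_t` or `var_lib_t` means the object never received the application's own type (the fix is `semanage fcontext` plus `restorecon`, as the setroubleshoot text in comment 0 says), a peer of `initrc_t` means the daemon on the other end of the socket never transitioned into its own domain because its binary is not labeled with an `*_exec_t` type (what comments 47 and 53 find for /usr/bin/zarafa-indexer), and `execute` on `lib_t` follows the note in comment 28. The list of generic types and the wording of the hints are my own choices.

```python
"""Group raw SELinux AVC denials audit2allow-style and separate "missing rule"
from "wrong label".  Added example for this bug report; it is not audit2allow,
setroubleshoot or Zarafa/Fedora code, only a small reimplementation of the
grouping plus the labeling heuristics discussed in the thread."""
import re

# Constructed sample input: the AVC records posted in comment 0 and comment 44
# of this report, copied as posted, plus one SYSCALL record (shortened) that the
# parser must ignore.
SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1268924001.709:94): avc:  denied  { write } for  pid=946 comm="httpd" name="zarafa" dev=dm-1 ino=35731 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
node=(removed) type=AVC msg=audit(1268924001.709:94): avc:  denied  { connectto } for  pid=946 comm="httpd" path="/var/run/zarafa" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
node=(removed) type=SYSCALL msg=audit(1268924001.709:94): arch=40000003 syscall=102 success=yes exit=0 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1303297662.344:43676): avc:  denied  { connectto } for  pid=12176 comm="zarafa-server" path="/var/run/zarafa-indexer" scontext=unconfined_u:system_r:zarafa_server_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1303297662.321:43675): avc:  denied  { write } for  pid=12174 comm="zarafa-server" name="zarafa-indexer" dev=dm-0 ino=1837285 scontext=unconfined_u:system_r:zarafa_server_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Types that mean "nobody gave this object an application-specific label";
# an allow rule against them would open every such object to the domain.
# The list is an assumption of this example, not taken from the policy.
GENERIC_TYPES = {"var_run_t", "var_lib_t", "var_t", "var_log_t", "tmp_t",
                 "usr_t", "etc_t", "default_t", "file_t", "unlabeled_t"}


def parse_avc(line):
    """Return the interesting fields of one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "stype": fields["scontext"].split(":")[2],   # user:role:TYPE:level
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        # file objects carry name=, socket peers carry path=
        "object": fields.get("path") or fields.get("name") or "?",
    }


def summarize(audit_text):
    """Group denials the way audit2allow does: (source, target, class) -> perms."""
    grouped = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        entry = grouped.setdefault(key, {"perms": set(), "objects": set()})
        entry["perms"].update(rec["perms"])
        entry["objects"].add(rec["object"])
    return grouped


def allow_rules(grouped):
    """Render the grouped denials as allow rules, one header per source domain."""
    out = []
    for stype in sorted({k[0] for k in grouped}):
        out.append(f"#============= {stype} ==============")
        for (s, t, c), e in sorted(grouped.items()):
            if s != stype:
                continue
            perms = sorted(e["perms"])
            perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
            out.append(f"allow {s} {t}:{c} {perm_txt};")
    return out


def labeling_hints(grouped):
    """Flag rules whose real fix is a label change, not a new allow rule."""
    hints = []
    for (s, t, c), e in sorted(grouped.items()):
        objs = ", ".join(sorted(e["objects"]))
        if t in GENERIC_TYPES:
            hints.append(f"{s} -> {t}:{c} ({objs}): target carries a generic label; give it "
                         f"the application's own type (semanage fcontext, then restorecon) "
                         f"instead of letting {s} touch every {t} object")
        elif t == "initrc_t" and c in ("unix_stream_socket", "unix_dgram_socket", "process"):
            hints.append(f"{s} -> {t}:{c} ({objs}): the peer daemon still runs as initrc_t, so "
                         f"its binary is not labeled *_exec_t and no domain transition happened; "
                         f"check it with ls -Z and relabel it")
        elif t == "lib_t" and "execute" in e["perms"]:
            hints.append(f"{s} -> lib_t:{c} ({objs}): executing a file labeled lib_t; an "
                         f"executable under a library directory usually needs bin_t")
    return hints


if __name__ == "__main__":
    grouped = summarize(SAMPLE_AUDIT)
    print("\n".join(allow_rules(grouped)))
    print()
    print("\n".join(labeling_hints(grouped)))
```

Run against the sample, the rule output matches the four `allow` lines audit2allow printed in comment 0 and comment 37, and every one of them gets a labeling hint: none of the four should become policy as written, which is the point Dan Walsh makes in comment 38 when he asks what runs as initrc_t and which process owns the socket in /var/run.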

Comment 45 Matěj Cepl 2011-04-20 11:32:45 UTC
So far nothing seems to be broken ... will let you know.

Comment 46 Miroslav Grepl 2011-04-20 12:00:31 UTC
# ps -eZ |grep zarafa

# ls -Z /usr/bin/zarafa-indexer

Comment 47 Matěj Cepl 2011-04-20 18:04:28 UTC
[root@luther ~]# ps -eZ |grep zarafa
system_u:system_r:zarafa_deliver_t:s0 1469 ?   00:00:02 zarafa-dagent
system_u:system_r:zarafa_deliver_t:s0 1471 ?   00:00:00 zarafa-dagent
system_u:system_r:initrc_t:s0    1513 ?        00:23:37 zarafa-indexer
unconfined_u:system_r:zarafa_server_t:s0 12154 ? 00:04:58 zarafa-server
unconfined_u:system_r:zarafa_spooler_t:s0 12196 ? 00:00:01 zarafa-spooler
unconfined_u:system_r:zarafa_spooler_t:s0 12198 ? 00:00:00 zarafa-spooler
unconfined_u:system_r:zarafa_monitor_t:s0 12214 ? 00:00:01 zarafa-monitor
unconfined_u:system_r:zarafa_gateway_t:s0 12231 ? 00:00:00 zarafa-gateway
unconfined_u:system_r:zarafa_gateway_t:s0 12233 ? 00:00:00 zarafa-gateway
unconfined_u:system_r:zarafa_ical_t:s0 12246 ? 00:00:00 zarafa-ical
unconfined_u:system_r:zarafa_ical_t:s0 12247 ? 00:00:00 zarafa-ical
unconfined_u:system_r:zarafa_gateway_t:s0 18248 ? 00:00:00 zarafa-gateway
unconfined_u:system_r:zarafa_ical_t:s0 18282 ? 00:00:01 zarafa-ical
unconfined_u:system_r:zarafa_ical_t:s0 18283 ? 00:00:00 zarafa-ical
unconfined_u:system_r:zarafa_gateway_t:s0 18331 ? 00:00:00 zarafa-gateway
[root@luther ~]# ls -Z /usr/bin/zarafa-indexer
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/zarafa-indexer
[root@luther ~]#

Comment 48 Matěj Cepl 2011-04-20 18:07:52 UTC
Also,

[root@luther ~]# semanage permissive -l|grep zarafa
zarafa_indexer_t
[root@luther ~]# 

Why are we giving up on confining the indexer?

Comment 49 Daniel Walsh 2011-04-20 18:26:27 UTC
Matej, we are not giving up on confining anything. When we write policy we write in permissive mode so we can learn how the app works. When we are fairly happy we switch to enforcing.

Comment 50 Daniel Walsh 2011-04-20 18:27:10 UTC
If this policy goes into RHEL, I want it all permissive or perhaps unconfined,
since we don't like to have a selinux-policy update break something in RHEL.

Comment 51 Matěj Cepl 2011-04-20 22:05:31 UTC
(In reply to comment #49)
> Matej we are not giving up on confining anything.

I didn't want to accuse you of anything like that, just suspected some omission or leftover from something bigger.

Comment 52 Matěj Cepl 2011-04-20 22:11:58 UTC
(In reply to comment #50)
> If this policy goes into RHEL, I want it all permissive or perhaps unconfined
> Since we don't like to have selinux-policy update break something in RHEL.

Does EPEL mean the same as RHEL here? (You wouldn't have to support that, if that matters.)

Comment 53 Miroslav Grepl 2011-04-21 06:40:16 UTC
Matej, 
let's set up the right context

# chcon -t zarafa_indexer_exec_t /usr/bin/zarafa-indexer


I would like to add it to RHEL6 but I will wait until RHEL6.2 comes.

Comment 55 Matěj Cepl 2011-06-09 21:14:22 UTC
Created attachment 503992 [details]
output of ausearch -m AVC -ts today|audit2allow

Comment 56 Miroslav Grepl 2011-06-10 10:08:50 UTC
I apologize, I missed your last comment. Will fix.

Comment 57 Matěj Cepl 2011-06-30 22:04:36 UTC
Just to note that with the release of the EPEL-6 packaged version of Zarafa I have switched to it. Although it is not perfect (I have to run it as user root/root, bug 717968), I think we can finally develop on packages which are in Fedora.

Comment 58 Matěj Cepl 2011-07-03 17:11:24 UTC
Created attachment 511063 [details]
output of ausearch -m AVC -ts yesterday

OK, so now I have working EPEL packaged Zarafa 7.0.0 on EL-6 and in the last two days I've collected this (running in the Permissive mode of course):

[root@luther ~]# ausearch -m AVC -ts yesterday |audit2allow


#============= httpd_t ==============
#!!!! The source type 'httpd_t' can write to a 'dir' of the following types:
# dirsrv_var_run_t, httpd_var_lib_t, httpd_var_run_t, dirsrvadmin_config_t, var_lock_t, squirrelmail_spool_t, tmp_t, passenger_var_run_t, var_t, tmpfs_t, dirsrv_config_t, httpd_tmp_t, httpd_cache_t, httpd_tmpfs_t, var_lib_t, var_run_t, dirsrvadmin_tmp_t, httpd_squirrelmail_t, var_log_t, dirsrv_var_log_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_rw_content_t, httpd_zarafa_rw_content_t, httpd_mediawiki_rw_content_t, httpd_squid_rw_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_smokeping_cgi_rw_content_t, httpd_sys_content_t, httpd_dirsrvadmin_rw_content_t, httpd_prewikka_rw_content_t, httpd_w3c_validator_rw_content_t, httpd_awstats_rw_content_t, httpd_user_rw_content_t, httpdcontent, httpd_cobbler_rw_content_t, httpd_munin_rw_content_t, httpd_bugzilla_rw_content_t, root_t, httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_sys_rw_content_t

allow httpd_t zarafa_var_lib_t:dir { write search read remove_name open getattr add_name };
#!!!! The source type 'httpd_t' can write to a 'file' of the following types:
# dirsrv_var_run_t, httpd_var_lib_t, httpd_var_run_t, dirsrvadmin_config_t, squirrelmail_spool_t, passenger_var_run_t, httpd_lock_t, dirsrv_config_t, httpd_tmp_t, httpd_cache_t, httpd_tmpfs_t, dirsrvadmin_tmp_t, httpd_squirrelmail_t, dirsrv_var_log_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_rw_content_t, httpd_zarafa_rw_content_t, httpd_mediawiki_rw_content_t, httpd_squid_rw_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_smokeping_cgi_rw_content_t, httpd_dirsrvadmin_rw_content_t, httpd_prewikka_rw_content_t, httpd_w3c_validator_rw_content_t, httpd_awstats_rw_content_t, httpd_user_rw_content_t, httpdcontent, httpd_cobbler_rw_content_t, httpd_munin_rw_content_t, httpd_bugzilla_rw_content_t, root_t, httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_sys_rw_content_t

allow httpd_t zarafa_var_lib_t:file { read lock create write getattr unlink open append };

#============= postfix_local_t ==============
allow postfix_local_t httpd_sys_rw_content_t:dir { getattr search };
#!!!! The source type 'postfix_local_t' can write to a 'file' of the following types:
# user_home_t, anon_inodefs_t, postfix_spool_t, mailman_data_t, dovecot_spool_t, postfix_local_tmp_t, postfix_var_run_t, mail_spool_t, nfs_t

allow postfix_local_t httpd_sys_rw_content_t:file { write lock getattr open append };

#============= zarafa_deliver_t ==============
allow zarafa_deliver_t random_device_t:chr_file read;

#============= zarafa_indexer_t ==============
allow zarafa_indexer_t bin_t:file { read getattr open execute execute_no_trans };
allow zarafa_indexer_t bin_t:lnk_file read;
allow zarafa_indexer_t fonts_cache_t:dir search;
allow zarafa_indexer_t fonts_cache_t:file { read getattr open };
allow zarafa_indexer_t fonts_t:dir { getattr search };
allow zarafa_indexer_t shell_exec_t:file { read execute open getattr execute_no_trans };
allow zarafa_indexer_t tmp_t:dir { write rmdir read remove_name create add_name };
#!!!! The source type 'zarafa_indexer_t' can write to a 'file' of the following types:
# zarafa_indexer_var_run_t, zarafa_indexer_log_t, root_t

allow zarafa_indexer_t tmp_t:file { write getattr read create unlink open };
allow zarafa_indexer_t usr_t:file { ioctl execute read open getattr execute_no_trans };
#!!!! The source type 'zarafa_indexer_t' can write to a 'dir' of the following types:
# zarafa_indexer_var_run_t, var_run_t, zarafa_indexer_log_t, var_log_t, root_t

allow zarafa_indexer_t var_lib_t:dir { write remove_name add_name };
#!!!! The source type 'zarafa_indexer_t' can write to a 'file' of the following types:
# zarafa_indexer_var_run_t, zarafa_indexer_log_t, root_t

allow zarafa_indexer_t var_lib_t:file { rename write getattr read create unlink open };

#============= zarafa_spooler_t ==============
allow zarafa_spooler_t random_device_t:chr_file read;
[root@luther ~]#

Comment 59 Matěj Cepl 2011-07-03 17:18:43 UTC
AFTER reporting the previous comment I ran (just to be sure)

restorecon -v -R /var

and got many many many lines like

restorecon reset /var/lib/zarafa/3/15/5353.gz context system_u:object_r:zarafa_var_lib_t:s0->system_u:object_r:var_lib_t:s0

and I have zarafa module loaded

[root@luther ~]# semodule -l |grep zarafa
zarafa	1.2.1	
[root@luther ~]# 

which has line in zarafa.fc

/var/lib/zarafa-.*   			gen_context(system_u:object_r:zarafa_var_lib_t,s0)

(that's probably a wrong RE, isn't it? Why is that dash there? Shouldn't it be just

/var/lib/zarafa.*  gen_context(system_u:object_r:zarafa_var_lib_t,s0)

There are these two directories in /var/lib related to Zarafa:

[root@luther zarafa]# ls -ldZ /var/lib/zarafa*
drwxr-xr-x. zarafa zarafa system_u:object_r:var_lib_t:s0   /var/lib/zarafa
drwxr-xr-x. apache apache system_u:object_r:zarafa_var_lib_t:s0 /var/lib/zarafa-webaccess
[root@luther zarafa]#
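The two `ls -ldZ` lines show exactly what the file-context regex decides: `/var/lib/zarafa-webaccess` is labelled `zarafa_var_lib_t` while `/var/lib/zarafa` (and everything under it, as the `restorecon` output above shows) falls back to `var_lib_t`. The following is an added example, not code from the bug report or from the selinux-policy module, that evaluates the `zarafa.fc` pattern quoted above and the proposed replacement against the paths from this comment. File-context regexes are matched against the whole path, which `re.fullmatch` reproduces. The third, tighter pattern is my own suggestion and an assumption, not the fix that was committed; the path `/var/lib/zarafabogus` is constructed to show why the bare `zarafa.*` form is over-broad.

```python
import re

# Pattern on the zarafa.fc line quoted in this comment.
PATTERN_IN_MODULE = r"/var/lib/zarafa-.*"
# Replacement suggested in this comment.
PATTERN_PROPOSED = r"/var/lib/zarafa.*"
# Assumed tighter alternative (not from the page): the directory itself,
# "zarafa-<suffix>" siblings, and anything below either, but nothing else.
PATTERN_TIGHT = r"/var/lib/zarafa(-.*)?(/.*)?"

# Paths from the ls/restorecon output above, plus one constructed sibling
# that a Zarafa label should *not* be applied to.
PATHS = [
    "/var/lib/zarafa",
    "/var/lib/zarafa-webaccess",
    "/var/lib/zarafa/3/15/5353.gz",
    "/var/lib/zarafabogus",  # constructed, unrelated directory
]


def fc_matches(pattern, path):
    """True when an .fc regex would apply to path (regexes are anchored at both ends)."""
    return re.fullmatch(pattern, path) is not None


def labeled_paths(pattern, paths):
    """Subset of paths that the pattern would label zarafa_var_lib_t."""
    return [p for p in paths if fc_matches(pattern, p)]


def unlabeled_paths(pattern, paths):
    """Paths left at the default var_lib_t, i.e. the mislabeled ones."""
    return [p for p in paths if not fc_matches(pattern, p)]


if __name__ == "__main__":
    for name, pattern in [("module", PATTERN_IN_MODULE),
                          ("proposed", PATTERN_PROPOSED),
                          ("tight", PATTERN_TIGHT)]:
        print(name, pattern)
        for p in PATHS:
            print("   ", "zarafa_var_lib_t" if fc_matches(pattern, p) else "var_lib_t", p)
```

With the module's pattern, `/var/lib/zarafa` and its contents stay `var_lib_t`, which is why the audit2allow output in Comment 58 proposes `allow httpd_t zarafa_var_lib_t:...` rules for paths that should never have needed them once the label is right. A `restorecon -R -v /var/lib/zarafa*` after changing the pattern is the check that the new labels actually land.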

Comment 60 Miroslav Grepl 2011-07-11 08:11:52 UTC
A fix was added. Will be in the next build.