Bug 574788
| Field | Value |
|---|---|
| Summary | Zarafa needs a SELinux treatment to work (currently works only in the permissive mode) |
| Product | [Fedora] Fedora |
| Reporter | Tim Hughes <thughes> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED RAWHIDE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium |
| Priority | low |
| Version | rawhide |
| CC | david, dgunchev, dominick.grift, dwalsh, dwmw2, mcepl, mcepl, mgrepl, pcfe, redhat-bugzilla, simonhandy, stsp1, vanmeeuwen+fedora, warlord |
| Target Milestone | --- |
| Keywords | Reopened, Triaged |
| Target Release | --- |
| Hardware | i386 |
| OS | Linux |
| Whiteboard | setroubleshoot_trace_hash:51c480719e17e6f8612add8e29cac913dbb73de6afef32397dc0649806675242 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Clone Of | |
| | 720462 720463 (view as bug list) |
| Last Closed | 2011-08-04 09:39:03 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 615722 |
| Bug Blocks | 720462, 720463 |
Description
Tim Hughes
2010-03-18 14:54:37 UTC
http://fedoraproject.org/wiki/Features/Zarafa#How_To_Test

I just installed using those instructions (but on fedora 12) and then tried to log in via the web interface. It displayed a red message saying 'Could not contact Zarafa server'. I then turned selinux off using setenforce 0 and then I could log in.

Miroslav, can you write a policy for zarafa?

Yes. I have just started to write it.

I just hit this myself on FC12. Any progress on a zarafa policy?
I'm getting the denial on /var/run/zarafa

We just released zarafa policy in Rawhide.

(In reply to comment #4)
> I just hit this myself on FC12. Any progress on a zarafa policy?
> I'm getting the denial on /var/run/zarafa

Derek, Tim,
I can create local zarafa policy for testing in F12/F13 if you are interested.

*** Bug 615608 has been marked as a duplicate of this bug. ***

(In reply to comment #7)
> *** Bug 615608 has been marked as a duplicate of this bug. ***

Just to note the same problem is on RHEL-5 and EPEL.

Matej,
if you are interested I can create local RHEL5 zarafa policy for you :).

(In reply to comment #9)
> Matej,
> if you are interested I can create local RHEL5 zarafa policy for you :).

yes, eventually it would be awesome, but for now there is a bug 615722, which (as you can certainly understand) is a complete deal-breaker for me now. There are rumors that this may get fixed later this year, but until then I have no intentions to install it on my production server. It might be interesting though to start working on the policy (I can happily play with it in a virtual machine) meanwhile, so that we are ready when zarafa will be useful again.

*** Bug 582323 has been marked as a duplicate of this bug. ***

There is now beta1 of 7.0 released (http://www.zarafa.com/download-release), which supports Unicode characters now.

I have attached my /var/log/audit/audit.log from running Zarafa for couple of hours in Permissive mode.

Matej,
are you seeing it on F12? We have zarafa policy in F14+ releases.

(In reply to comment #14)
> Matej,
> are you seeing it on F12? We have zarafa policy in F14+ releases.

RHEL-5 and these are not our packages. Is there a way I could get hold of the F14 policy and install it as a private module on RHEL-5?

(In reply to comment #15)
> (In reply to comment #14)
> > Matej,
> > are you seeing it on F12? We have zarafa policy in F14+ releases.
>
> RHEL-5 and these are not our packages. Is there a way I could get hold of
> the F14 policy and install it as a private module on RHEL-5?

Yes, I will do it for you :)

Created attachment 473673 [details]
output of ausearch -m AVC -ts today

(In reply to comment #16)
> Yes, I will do it for you :)

With your SELinux module, this is what I get (just AVCs for today, but I did a lot of things with zarafa, including restarting, communicating via ActiveSync etc., so I think basics of general traffic should be covered). audit2allow says this:

[root@hus ~]# ausearch -m AVC -ts today |audit2allow

#============= httpd_t ==============
allow httpd_t zarafa_server_t:unix_stream_socket connectto;
allow httpd_t zarafa_server_var_run_t:sock_file write;

#============= postfix_local_t ==============
allow postfix_local_t zarafa_deliver_exec_t:file { read execute execute_no_trans };
allow postfix_local_t zarafa_server_t:unix_stream_socket connectto;
allow postfix_local_t zarafa_server_var_run_t:sock_file write;

#============= zarafa_gateway_t ==============
allow zarafa_gateway_t lib_t:file execute;
allow zarafa_gateway_t reserved_port_t:tcp_socket name_connect;

#============= zarafa_spooler_t ==============
allow zarafa_spooler_t ld_so_cache_t:file { read getattr };
allow zarafa_spooler_t ld_so_t:file { read execute };
allow zarafa_spooler_t lib_t:file execute;
allow zarafa_spooler_t zarafa_spooler_exec_t:file execute_no_trans;
[root@hus ~]#

Oops, I did not send you the other rules which we have.
I mean

optional_policy(`
	zarafa_deliver_domtrans(postfix_local_t)
')

optional_policy(`
	zarafa_stream_connect_server(httpd_t)
	zarafa_search_config(httpd_t)
')

I am going to send you a patch for rhel5 local policy.

Thanks for testing. I am adding some fixes for Fedora.

Created attachment 475191 [details]
/var/log/audit/audit.log
After running zarafa with all settings as I would like them (almost) for some time, this is my /var/log/audit/audit.log
How did you get this to run as user_u?

Created attachment 475283 [details]
complete SELinux policy

(In reply to comment #20)
> How did you get this to run as user_u?

I have no clue, I have just run SELinux zarafa policy as provided by mgrepl (I haven't played with SELinux configuration at all aside from installing the module and relabeling some directories). Moreover, I don't see anything abnormal in my running server now:

[matej@hus ~]$ ps auxZ |grep zarafa
system_u:system_r:zarafa_server_t root 2529 0.1 3.5 175292 8980 ? Sl 17:53 0:17 /usr/bin/zarafa-server -c /etc/zarafa/server.cfg
system_u:system_r:zarafa_gateway_t root 2560 0.0 0.3 27072 824 ? S 17:53 0:00 /usr/bin/zarafa-gateway -c /etc/zarafa/gateway.cfg
system_u:system_r:zarafa_gateway_t root 2561 0.0 0.2 27076 724 ? S 17:53 0:00 /usr/bin/zarafa-gateway -c /etc/zarafa/gateway.cfg
system_u:system_r:initrc_t root 2598 0.0 1.6 74588 4308 ? Sl 17:53 0:07 /usr/bin/zarafa-indexer -c /etc/zarafa/indexer.cfg
system_u:system_r:zarafa_monitor_t root 2616 0.0 1.7 46492 4552 ? Sl 17:53 0:00 /usr/bin/zarafa-monitor -c /etc/zarafa/monitor.cfg
system_u:system_r:zarafa_spooler_t root 2633 0.0 0.9 38008 2512 ? Sl 17:53 0:00 /usr/bin/zarafa-spooler -c /etc/zarafa/spooler.cfg
system_u:system_r:zarafa_spooler_t root 2634 0.0 0.1 26360 448 ? S 17:53 0:00 /usr/bin/zarafa-spooler -c /etc/zarafa/spooler.cfg
system_u:system_r:zarafa_gateway_t root 5330 0.0 1.7 28680 4396 ? Sl 22:04 0:00 /usr/bin/zarafa-gateway -c /etc/zarafa/gateway.cfg
system_u:system_r:zarafa_gateway_t root 5515 0.0 1.9 28600 4972 ? Sl 22:14 0:00 /usr/bin/zarafa-gateway -c /etc/zarafa/gateway.cfg
system_u:system_r:zarafa_gateway_t root 5568 0.0 1.9 28600 4896 ? Sl 22:15 0:00 /usr/bin/zarafa-gateway -c /etc/zarafa/gateway.cfg
system_u:system_r:zarafa_gateway_t root 5570 0.0 1.9 28600 4964 ? Sl 22:15 0:00 /usr/bin/zarafa-gateway -c /etc/zarafa/gateway.cfg
user_u:system_r:unconfined_t matej 5637 0.0 0.2 4020 724 pts/0 S+ 22:19 0:00 grep zarafa
[matej@hus ~]$

Humf, my normal user (non-root) seems to run as user_u.

[matej@hus ~]$ id -Z
user_u:system_r:unconfined_t
[matej@hus ~]$

I didn't know about it. Hmm, but this doesn't look extraordinary:

[root@hus ~]# semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles
root            user       s0         SystemLow-SystemHigh  system_r sysadm_r user_r
system_u        user       s0         SystemLow-SystemHigh  system_r
user_u          user       s0         SystemLow-SystemHigh  system_r sysadm_r user_r
[root@hus ~]#

Where should I look to find out how I deserved that user_u label?

You are testing it on a RHEL5 machine and the bugzilla says it is on Rawhide, that is what confused me.

(In reply to comment #23)
> You are testing it on a RHEL5 machine and the bugzilla says it is on Rawhide,
> that is what confused me.

Yes, right, sorry for confusing you ... I meant that this issue isn't RHEL specific, but yes this is my home server running employee's license of RHEL-5.

Tim,
any chance you use Fedora14/Rawhide which contain zarafa policy? So you could test this policy.

audit2allow suggests

[root@luther ~]# ausearch -m AVC -ts today|audit2allow

#============= zarafa_deliver_t ==============
allow zarafa_deliver_t ld_so_cache_t:file { read getattr };
allow zarafa_deliver_t ld_so_t:file read;
allow zarafa_deliver_t lib_t:file execute;

#============= zarafa_gateway_t ==============
allow zarafa_gateway_t lib_t:file execute;

#============= zarafa_ical_t ==============
allow zarafa_ical_t reserved_port_t:tcp_socket name_connect;

#============= zarafa_server_t ==============
allow zarafa_server_t var_lib_t:dir { write add_name };
allow zarafa_server_t var_lib_t:file { read write getattr create };
[root@luther ~]#

What do you think?

Looks like labeling on lib_t:file execute. Probably needs to be labeled bin_t.
We also need a label on the content it is writing in var_lib_t. What directory is this?

So, update on this:

a) I have switched to RHEL-6 on the server. So, I have selinux-policy-3.7.19-54.el6_0.3.noarch

b) I have created a new git repository with what I have on my system (i.e., currently what's here with comment 21) at http://gitorious.org/various-small-stuff/zarafa-selinux-policy, just that we could coordinate.

> We also need a label on the content it is writing in var_lib_t. What directory
> is this?

c) Most likely /var/lib/zarafa-webaccess (will investigate further once I have some fresh AVC denials and I can use inodes to find the names).

Will run zarafa in the Permissive mode for couple of days, and I will follow up with the fresh logs.

URL of the repo is now http://gitorious.org/zarafa/zarafa-selinux-policy

Matej,
great. I think we will need to add a label for this dir. Probably to label it as zarafa web content.

I still cannot restart zarafa service with Enforcing mode:

[root@luther ~]# ausearch -m AVC -ts recent |audit2allow

#============= postfix_local_t ==============
allow postfix_local_t httpd_sys_rw_content_t:dir { search getattr };

#============= zarafa_ical_t ==============
allow zarafa_ical_t self:process signal;

#============= zarafa_server_t ==============
#!!!! The source type 'zarafa_server_t' can write to a 'dir' of the following types:
# zarafa_server_log_t, var_run_t, var_log_t, zarafa_server_var_run_t, root_t

allow zarafa_server_t tmp_t:dir { write remove_name add_name };
#!!!! The source type 'zarafa_server_t' can write to a 'file' of the following types:
# zarafa_server_log_t, zarafa_server_var_run_t, root_t

allow zarafa_server_t tmp_t:file { write create unlink open };
#!!!! The source type 'zarafa_server_t' can write to a 'dir' of the following types:
# zarafa_server_log_t, var_run_t, var_log_t, zarafa_server_var_run_t, root_t

allow zarafa_server_t var_lib_t:dir write;
allow zarafa_server_t var_lib_t:file read;

#============= zarafa_spooler_t ==============
allow zarafa_spooler_t zarafa_spooler_exec_t:file execute_no_trans;
[root@luther ~]#

I pushed out some fixes for this into Rawhide. Might need to back port to F15.

Just to make a note that we are missing port 236 which is used for the communication with the zarafa-server. Marking it as zarafa_port_t and let's see what happens (I'll collect more SELinux messages about it).

Port 236/TCP is used by Zarafa for internal and external communication via SOAP. Please note, there's also port 237/TCP, which has to have the same privileges as 236, which is simply 236/TCP+SSL.

Miroslav, let's take the latest zarafa policy from F16 and back port it to RHEL6 along with this.

network_port(zarafa, tcp,236,s0, tcp,237,s0)

In couple of minutes after applying the module and restarting zarafa I got these messages:

[root@luther ~]# ausearch -m AVC -ts recent |audit2allow

#============= httpd_t ==============
allow httpd_t zarafa_server_var_run_t:sock_file write;

#============= postfix_local_t ==============
allow postfix_local_t httpd_sys_rw_content_t:dir { search getattr };
allow postfix_local_t zarafa_deliver_exec_t:file { execute getattr };

#============= zarafa_server_t ==============
allow zarafa_server_t initrc_t:unix_stream_socket connectto;
allow zarafa_server_t var_run_t:sock_file write;
[root@luther ~]#

Also, just to keep record:

[root@luther ~]# semodule -l |grep zarafa
permissive_zarafa_ical_t	1.0
permissive_zarafa_server_t	1.0
zarafa	1.1.0
[root@luther ~]#

What is running as initrc_t?

ps -eZ | grep initrc_t

What process owns a sock_file in var_run?
Rawhide has

optional_policy(`
	zarafa_deliver_domtrans(postfix_local_t)
	zarafa_stream_connect_server(postfix_local_t)
')

Maybe add this to your policy to see if it fixes your other AVCs.

(without change from comment 39)

This is just a record of today's activity

[root@luther ~]# ausearch -m AVC -ts today |audit2allow

#============= httpd_t ==============
allow httpd_t zarafa_server_t:unix_stream_socket connectto;
allow httpd_t zarafa_server_var_run_t:sock_file write;

#============= postfix_local_t ==============
allow postfix_local_t httpd_sys_rw_content_t:dir { search getattr };
#!!!! The source type 'postfix_local_t' can write to a 'file' of the following types:
# postfix_spool_t, user_home_t, mailman_data_t, postfix_local_tmp_t, postfix_var_run_t, dovecot_spool_t, anon_inodefs_t, mail_spool_t, nfs_t

allow postfix_local_t httpd_sys_rw_content_t:file { write lock getattr open append };
allow postfix_local_t zarafa_deliver_exec_t:file { read execute open getattr execute_no_trans };
allow postfix_local_t zarafa_server_t:unix_stream_socket connectto;
allow postfix_local_t zarafa_server_var_run_t:sock_file write;

#============= zarafa_server_t ==============
allow zarafa_server_t initrc_t:unix_stream_socket connectto;
allow zarafa_server_t var_lib_t:file { read getattr unlink open };
allow zarafa_server_t var_run_t:sock_file write;

------------------------------------------------------------------------------

[root@luther ~]# ps -eZ | grep initrc_t
system_u:system_r:initrc_t:s0 1513 ? 00:13:15 zarafa-indexer
system_u:system_r:initrc_t:s0 1562 ? 00:00:01 rhnsd
unconfined_u:system_r:initrc_t:s0 4135 ? 00:00:11 dspam
unconfined_u:system_r:initrc_t:s0 9253 ? 00:06:50 spectrum
unconfined_u:system_r:initrc_t:s0 9259 ? 00:04:47 spectrum
unconfined_u:system_r:initrc_t:s0 9265 ? 00:05:57 spectrum
unconfined_u:system_r:initrc_t:s0 9271 ? 00:05:00 spectrum
unconfined_u:system_r:initrc_t:s0 32755 ? 00:30:56 lua

dspam is probably involved with that postfix related SELinux types, spectrum is Jabber transport (works fine), lua is prosody (another XMPP org). I guess you know about rhnsd, so the only remaining one is zarafa-indexer.

------------------------------------------------------------------------------

[root@luther ~]# ls -lRZ /var/run/
/var/run/:
-rw-r--r--. root root system_u:object_r:auditd_var_run_t:s0 auditd.pid
drwxr-xr-x. avahi avahi system_u:object_r:avahi_var_run_t:s0 avahi-daemon
drwxr-xr-x. root root system_u:object_r:pam_var_console_t:s0 console
drwxr-xr-x. root root system_u:object_r:consolekit_var_run_t:s0 ConsoleKit
-rw-r--r--. root root system_u:object_r:crond_var_run_t:s0 crond.pid
----------. root root system_u:object_r:crond_var_run_t:s0 cron.reboot
drwxr-xr-x. root root system_u:object_r:system_dbusd_var_run_t:s0 dbus
-rw-r--r--. root root unconfined_u:object_r:dhcpd_var_run_t:s0 dhcpd.pid
drwxrwx---. dspam mail system_u:object_r:var_run_t:s0 dspam
-rw-------. root root system_u:object_r:fetchmail_var_run_t:s0 fetchmail.pid
drwx--x---. root apache system_u:object_r:httpd_var_run_t:s0 httpd
drwx------. root root system_u:object_r:var_run_t:s0 lvm
-rw-r--r--. root root system_u:object_r:system_dbusd_var_run_t:s0 messagebus.pid
drwxr-xr-x. mysql mysql system_u:object_r:mysqld_var_run_t:s0 mysqld
drwxr-x---. named named system_u:object_r:named_var_run_t:s0 named
lrwxrwxrwx. root root system_u:object_r:var_run_t:s0 named.pid -> /var/run/named/named.pid
drwxrwxr-x. root root system_u:object_r:var_run_t:s0 netreport
drwxr-xr-x. root root system_u:object_r:plymouthd_var_run_t:s0 plymouth
drwxr-xr-x. prosody prosody system_u:object_r:var_run_t:s0 prosody
-rw-r--r--. root root system_u:object_r:restorecond_var_run_t:s0 restorecond.pid
-rwxr-xr-x. root root system_u:object_r:rpm_var_run_t:s0 rhn_check.pid
-rw-r--r--. root root system_u:object_r:initrc_var_run_t:s0 rhnsd.pid
drwxr-xr-x. root root system_u:object_r:saslauthd_var_run_t:s0 saslauthd
drwxr-xr-x. root root system_u:object_r:pam_var_run_t:s0 sepermit
drwxr-xr-x. root root system_u:object_r:setrans_var_run_t:s0 setrans
drwx------. spectrum spectrum system_u:object_r:var_run_t:s0 spectrum
-rw-r--r--. root root system_u:object_r:sshd_var_run_t:s0 sshd.pid
drwx------. root root system_u:object_r:pam_var_run_t:s0 sudo
-rw-------. root root system_u:object_r:syslogd_var_run_t:s0 syslogd.pid
-rw-rw-r--. root utmp system_u:object_r:initrc_var_run_t:s0 utmp
srw-rw-rw-. root root unconfined_u:object_r:zarafa_server_var_run_t:s0 zarafa
-rw-r--r--. root root system_u:object_r:zarafa_deliver_var_run_t:s0 zarafa-dagent.pid
-rw-r--r--. root root unconfined_u:object_r:zarafa_gateway_var_run_t:s0 zarafa-gateway.pid
-rw-r--r--. root root unconfined_u:object_r:zarafa_ical_var_run_t:s0 zarafa-ical.pid
srw-rw-rw-. root root system_u:object_r:var_run_t:s0 zarafa-indexer
-rw-r--r--. root root system_u:object_r:initrc_var_run_t:s0 zarafa-indexer.pid
-rw-r--r--. root root unconfined_u:object_r:zarafa_monitor_var_run_t:s0 zarafa-monitor.pid
-rw-r--r--. root root system_u:object_r:zarafa_server_var_run_t:s0 zarafa-server.pid
-rw-r--r--. root root unconfined_u:object_r:zarafa_spooler_var_run_t:s0 zarafa-spooler.pid

/var/run/avahi-daemon:
-rw-r--r--. avahi avahi system_u:object_r:avahi_var_run_t:s0 pid
srwxrwxrwx. avahi avahi system_u:object_r:avahi_var_run_t:s0 socket

/var/run/console:

/var/run/ConsoleKit:

/var/run/dbus:
srwxrwxrwx. root root system_u:object_r:system_dbusd_var_run_t:s0 system_bus_socket

/var/run/dspam:
-rw-rw----. root mail unconfined_u:object_r:initrc_var_run_t:s0 dspam.pid

/var/run/httpd:
-rw-r--r--. root root unconfined_u:object_r:httpd_var_run_t:s0 httpd.pid

/var/run/lvm:

/var/run/mysqld:
-rw-rw----. mysql mysql unconfined_u:object_r:mysqld_var_run_t:s0 mysqld.pid

/var/run/named:
-rw-r--r--. named named system_u:object_r:named_var_run_t:s0 named.pid
-rw-------. named named system_u:object_r:named_var_run_t:s0 session.key

/var/run/netreport:

/var/run/plymouth:

/var/run/prosody:
-rw-r-----. prosody prosody unconfined_u:object_r:initrc_var_run_t:s0 prosody.pid

/var/run/saslauthd:

/var/run/sepermit:

/var/run/setrans:

/var/run/spectrum:
-rw-rw-rw-. spectrum spectrum unconfined_u:object_r:initrc_var_run_t:s0 icq.ceplovi.cz.pid
srwxrwxrwx. spectrum spectrum unconfined_u:object_r:var_run_t:s0 icq.ceplovi.cz.sock
-rw-rw-rw-. spectrum spectrum unconfined_u:object_r:initrc_var_run_t:s0 identica.ceplovi.cz.pid
srwxrwxrwx. spectrum spectrum unconfined_u:object_r:var_run_t:s0 identica.ceplovi.cz.sock
-rw-rw-rw-. spectrum spectrum unconfined_u:object_r:initrc_var_run_t:s0 irc.ceplovi.cz.pid
srwxrwxrwx. spectrum spectrum unconfined_u:object_r:var_run_t:s0 irc.ceplovi.cz.sock
-rw-rw-rw-. spectrum spectrum unconfined_u:object_r:initrc_var_run_t:s0 twitter.ceplovi.cz.pid
srwxrwxrwx. spectrum spectrum unconfined_u:object_r:var_run_t:s0 twitter.ceplovi.cz.sock

/var/run/sudo:
drwx------. root matej system_u:object_r:pam_var_run_t:s0 matej
-rw-------. root root system_u:object_r:pam_var_run_t:s0 _pam_timestamp_key
drwx------. root root system_u:object_r:pam_var_run_t:s0 root

/var/run/sudo/matej:
-rw-------. root matej unconfined_u:object_r:pam_var_run_t:s0 0
-rw-------. root matej unconfined_u:object_r:pam_var_run_t:s0 1
-rw-------. root matej unconfined_u:object_r:pam_var_run_t:s0 2

/var/run/sudo/root:
-rw-------. root root system_u:object_r:pam_var_run_t:s0 console
-rw-------. root root unconfined_u:object_r:pam_var_run_t:s0 unknown
[root@luther ~]#

Matej,
could you ping me tomorrow. It looks like we have a lot of work :).

Anyway, I am pretty sure you were testing it on RHEL5 with zarafa local policy which I sent you. I will send you zarafa policy for RHEL6 with all rules from other modules.

(In reply to comment #39)
> optional_policy(`
> 	zarafa_deliver_domtrans(postfix_local_t)
> 	zarafa_stream_connect_server(postfix_local_t)
> ')
>
> Maybe add this to your policy to see if it fixes your other AVCs.

[root@luther zarafa]# make
Compiling targeted zarafa module
/usr/bin/checkmodule: loading policy configuration from tmp/zarafa.tmp
zarafa.te":144:ERROR 'unknown type postfix_local_t' at token ';' on line 27548:
allow postfix_local_t zarafa_deliver_exec_t:file { getattr open read execute };
#line 144
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/zarafa.mod] Error 1
[root@luther zarafa]#

(In reply to comment #41)
> could you ping me tomorrow. It looks like we have a lot of work :).

Certainly I will.

Matej,
I have sent you RHEL6 zarafa policy. Just compile and install it using

# make -f /usr/share/selinux/devel/Makefile
# semodule -i zarafa.pp
# restorecon -R -v /usr/bin/zarafa-indexer

and restart zarafa services.

I will send you dspam policy for RHEL6.

Installed new zarafa policy.
Just immediately after the start I get

[root@luther zarafa]# ausearch -m AVC -ts 13:04
----
time->Wed Apr 20 13:07:42 2011
type=SYSCALL msg=audit(1303297662.344:43676): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=afdf6c50 a2=8403fa8 a3=0 items=0 ppid=1 pid=12176 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1504 comm="zarafa-server" exe="/usr/bin/zarafa-server" subj=unconfined_u:system_r:zarafa_server_t:s0 key=(null)
type=AVC msg=audit(1303297662.344:43676): avc: denied { connectto } for pid=12176 comm="zarafa-server" path="/var/run/zarafa-indexer" scontext=unconfined_u:system_r:zarafa_server_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Wed Apr 20 13:07:42 2011
type=SYSCALL msg=audit(1303297662.321:43675): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=b11f8c50 a2=8403fa8 a3=0 items=0 ppid=1 pid=12174 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1504 comm="zarafa-server" exe="/usr/bin/zarafa-server" subj=unconfined_u:system_r:zarafa_server_t:s0 key=(null)
type=AVC msg=audit(1303297662.321:43675): avc: denied { write } for pid=12174 comm="zarafa-server" name="zarafa-indexer" dev=dm-0 ino=1837285 scontext=unconfined_u:system_r:zarafa_server_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file

Will remove permissive domains from zarafa_server_t and zarafa_ical_t to see clearly what breaks. So far nothing seems to be broken ... will let you know.

# ps -eZ |grep zarafa
# ls -Z /usr/bin/zarafa-indexer

[root@luther ~]# ps -eZ |grep zarafa
system_u:system_r:zarafa_deliver_t:s0 1469 ? 00:00:02 zarafa-dagent
system_u:system_r:zarafa_deliver_t:s0 1471 ? 00:00:00 zarafa-dagent
system_u:system_r:initrc_t:s0 1513 ? 00:23:37 zarafa-indexer
unconfined_u:system_r:zarafa_server_t:s0 12154 ? 00:04:58 zarafa-server
unconfined_u:system_r:zarafa_spooler_t:s0 12196 ? 00:00:01 zarafa-spooler
unconfined_u:system_r:zarafa_spooler_t:s0 12198 ? 00:00:00 zarafa-spooler
unconfined_u:system_r:zarafa_monitor_t:s0 12214 ? 00:00:01 zarafa-monitor
unconfined_u:system_r:zarafa_gateway_t:s0 12231 ? 00:00:00 zarafa-gateway
unconfined_u:system_r:zarafa_gateway_t:s0 12233 ? 00:00:00 zarafa-gateway
unconfined_u:system_r:zarafa_ical_t:s0 12246 ? 00:00:00 zarafa-ical
unconfined_u:system_r:zarafa_ical_t:s0 12247 ? 00:00:00 zarafa-ical
unconfined_u:system_r:zarafa_gateway_t:s0 18248 ? 00:00:00 zarafa-gateway
unconfined_u:system_r:zarafa_ical_t:s0 18282 ? 00:00:01 zarafa-ical
unconfined_u:system_r:zarafa_ical_t:s0 18283 ? 00:00:00 zarafa-ical
unconfined_u:system_r:zarafa_gateway_t:s0 18331 ? 00:00:00 zarafa-gateway
[root@luther ~]# ls -Z /usr/bin/zarafa-indexer
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/zarafa-indexer
[root@luther ~]#

Also,

[root@luther ~]# semanage permissive -l|grep zarafa
zarafa_indexer_t
[root@luther ~]#

Why are we giving up on confining the indexer?

Matej we are not giving up on confining anything. When we write policy we write in permissive mode so we can learn how the app works. When we are fairly happy we switch to enforcing.

If this policy goes into RHEL, I want it all permissive or perhaps unconfined since we don't like to have selinux-policy update break something in RHEL.

(In reply to comment #49)
> Matej we are not giving up on confining anything.

I didn't want to accuse you of anything like that, just suspected some omission or leftover from something bigger.

(In reply to comment #50)
> If this policy goes into RHEL, I want it all permissive or perhaps unconfined
> since we don't like to have selinux-policy update break something in RHEL.

Does EPEL mean same as RHEL here? (you wouldn't have to support that, if that matters)

Matej,
let's set up the right context

# chcon -t zarafa_indexer_exec_t /usr/bin/zarafa-indexer

I would like to add it to RHEL6 but I will wait until RHEL6.2 comes.

Created attachment 503992 [details]
output of ausearch -m AVC -ts today|audit2allow
I apologize, I missed your last comment. Will fix.

Just to note that with release of EPEL-6 packaged version of Zarafa I have switched to it. Although it is not perfect (I have to run it as user root/root, bug 717968), I think we can finally develop on packages which are in Fedora.

Created attachment 511063 [details]
output of ausearch -m AVC -ts yesterday
OK, so now I have working EPEL packaged Zarafa 7.0.0 on EL-6 and in the last two days I've collected this (running in the Permissive mode of course):
[root@luther ~]# ausearch -m AVC -ts yesterday |audit2allow
#============= httpd_t ==============
#!!!! The source type 'httpd_t' can write to a 'dir' of the following types:
# dirsrv_var_run_t, httpd_var_lib_t, httpd_var_run_t, dirsrvadmin_config_t, var_lock_t, squirrelmail_spool_t, tmp_t, passenger_var_run_t, var_t, tmpfs_t, dirsrv_config_t, httpd_tmp_t, httpd_cache_t, httpd_tmpfs_t, var_lib_t, var_run_t, dirsrvadmin_tmp_t, httpd_squirrelmail_t, var_log_t, dirsrv_var_log_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_rw_content_t, httpd_zarafa_rw_content_t, httpd_mediawiki_rw_content_t, httpd_squid_rw_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_smokeping_cgi_rw_content_t, httpd_sys_content_t, httpd_dirsrvadmin_rw_content_t, httpd_prewikka_rw_content_t, httpd_w3c_validator_rw_content_t, httpd_awstats_rw_content_t, httpd_user_rw_content_t, httpdcontent, httpd_cobbler_rw_content_t, httpd_munin_rw_content_t, httpd_bugzilla_rw_content_t, root_t, httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_sys_rw_content_t
allow httpd_t zarafa_var_lib_t:dir { write search read remove_name open getattr add_name };
#!!!! The source type 'httpd_t' can write to a 'file' of the following types:
# dirsrv_var_run_t, httpd_var_lib_t, httpd_var_run_t, dirsrvadmin_config_t, squirrelmail_spool_t, passenger_var_run_t, httpd_lock_t, dirsrv_config_t, httpd_tmp_t, httpd_cache_t, httpd_tmpfs_t, dirsrvadmin_tmp_t, httpd_squirrelmail_t, dirsrv_var_log_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_rw_content_t, httpd_zarafa_rw_content_t, httpd_mediawiki_rw_content_t, httpd_squid_rw_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_smokeping_cgi_rw_content_t, httpd_dirsrvadmin_rw_content_t, httpd_prewikka_rw_content_t, httpd_w3c_validator_rw_content_t, httpd_awstats_rw_content_t, httpd_user_rw_content_t, httpdcontent, httpd_cobbler_rw_content_t, httpd_munin_rw_content_t, httpd_bugzilla_rw_content_t, root_t, httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_sys_rw_content_t
allow httpd_t zarafa_var_lib_t:file { read lock create write getattr unlink open append };
#============= postfix_local_t ==============
allow postfix_local_t httpd_sys_rw_content_t:dir { getattr search };
#!!!! The source type 'postfix_local_t' can write to a 'file' of the following types:
# user_home_t, anon_inodefs_t, postfix_spool_t, mailman_data_t, dovecot_spool_t, postfix_local_tmp_t, postfix_var_run_t, mail_spool_t, nfs_t
allow postfix_local_t httpd_sys_rw_content_t:file { write lock getattr open append };
#============= zarafa_deliver_t ==============
allow zarafa_deliver_t random_device_t:chr_file read;
#============= zarafa_indexer_t ==============
allow zarafa_indexer_t bin_t:file { read getattr open execute execute_no_trans };
allow zarafa_indexer_t bin_t:lnk_file read;
allow zarafa_indexer_t fonts_cache_t:dir search;
allow zarafa_indexer_t fonts_cache_t:file { read getattr open };
allow zarafa_indexer_t fonts_t:dir { getattr search };
allow zarafa_indexer_t shell_exec_t:file { read execute open getattr execute_no_trans };
allow zarafa_indexer_t tmp_t:dir { write rmdir read remove_name create add_name };
#!!!! The source type 'zarafa_indexer_t' can write to a 'file' of the following types:
# zarafa_indexer_var_run_t, zarafa_indexer_log_t, root_t
allow zarafa_indexer_t tmp_t:file { write getattr read create unlink open };
allow zarafa_indexer_t usr_t:file { ioctl execute read open getattr execute_no_trans };
#!!!! The source type 'zarafa_indexer_t' can write to a 'dir' of the following types:
# zarafa_indexer_var_run_t, var_run_t, zarafa_indexer_log_t, var_log_t, root_t
allow zarafa_indexer_t var_lib_t:dir { write remove_name add_name };
#!!!! The source type 'zarafa_indexer_t' can write to a 'file' of the following types:
# zarafa_indexer_var_run_t, zarafa_indexer_log_t, root_t
allow zarafa_indexer_t var_lib_t:file { rename write getattr read create unlink open };
#============= zarafa_spooler_t ==============
allow zarafa_spooler_t random_device_t:chr_file read;
[root@luther ~]#
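The `ausearch -m AVC | audit2allow` pipelines quoted throughout this bug turn raw `type=AVC` audit records into candidate `allow` rules. As an added example (not code from the bug, from audit2allow or from the selinux-policy project), the following Python script does the same thing in miniature: it parses AVC records of the shape posted earlier for the `zarafa-server` to `zarafa-indexer` socket, merges the denied permissions per source type, target type and object class, and prints them in audit2allow's layout. It also flags rules whose target is a generic type such as `var_run_t` or `var_lib_t`, which is what audit2allow's `#!!!!` notes above are hinting at: such a denial usually means the object needs a proper file context (as with the `var_run_t` indexer socket and the `var_lib_t` Zarafa directory in this thread), not that the domain needs a new allow rule. The sample log is constructed here; its first two AVC lines are the denials posted above, the third is an invented extra denial on the same socket so that the permission merge is visible, and the `GENERIC_TARGET_TYPES` set is my own choice of types, not a list the page or audit2allow provides.

```python
import re
from collections import defaultdict

# Constructed sample audit log.  The two real AVC lines are the ones posted in
# this bug (zarafa-server reaching the unlabeled zarafa-indexer socket); the
# third AVC line is invented so that two denials on one object get merged.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1303297662.344:43676): arch=40000003 syscall=102 success=yes exit=0 comm="zarafa-server" exe="/usr/bin/zarafa-server" subj=unconfined_u:system_r:zarafa_server_t:s0 key=(null)
type=AVC msg=audit(1303297662.344:43676): avc:  denied  { connectto } for  pid=12176 comm="zarafa-server" path="/var/run/zarafa-indexer" scontext=unconfined_u:system_r:zarafa_server_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1303297662.321:43675): avc:  denied  { write } for  pid=12174 comm="zarafa-server" name="zarafa-indexer" dev=dm-0 ino=1837285 scontext=unconfined_u:system_r:zarafa_server_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1303297700.100:43700): avc:  denied  { getattr } for  pid=12174 comm="zarafa-server" name="zarafa-indexer" dev=dm-0 ino=1837285 scontext=unconfined_u:system_r:zarafa_server_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
"""

# Only AVC records carry a denial; SYSCALL/PATH/CWD records are skipped.
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Generic types (my own selection): a denial against one of these almost always
# means the object is mislabeled, which is the situation in this bug.
GENERIC_TARGET_TYPES = {
    "var_run_t", "var_lib_t", "var_t", "var_log_t", "tmp_t",
    "lib_t", "bin_t", "usr_t", "initrc_t", "root_t",
}


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if m is None:
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def format_allow_rules(rules):
    """Render the merged denials in the layout audit2allow uses."""
    by_source = defaultdict(list)
    for (stype, ttype, tclass), perms in rules.items():
        by_source[stype].append((ttype, tclass, sorted(perms)))
    out = []
    for stype in sorted(by_source):
        out.append(f"#============= {stype} ==============")
        for ttype, tclass, perms in sorted(by_source[stype]):
            perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
            out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return "\n".join(out)


def labeling_hints(rules):
    """List rules whose target is a generic type: relabel first, allow last."""
    hints = []
    for stype, ttype, tclass in sorted(rules):
        if ttype in GENERIC_TARGET_TYPES:
            hints.append(
                f"{stype} denied on {ttype}:{tclass}: '{ttype}' is a generic type, "
                "check the object's label (ls -Z, matchpathcon, restorecon) before allowing"
            )
    return hints


if __name__ == "__main__":
    parsed = parse_avc_denials(SAMPLE_AUDIT_LOG)
    print(format_allow_rules(parsed))
    for hint in labeling_hints(parsed):
        print("#", hint)
```

Run against the constructed log, the script prints a single `zarafa_server_t` section with `initrc_t:unix_stream_socket connectto` and `var_run_t:sock_file { getattr write }`, and both rules are flagged: the first because the indexer runs unconfined as `initrc_t` (the `chcon -t zarafa_indexer_exec_t` step above fixes that), the second because the socket sits in `var_run_t`. The real audit2allow additionally knows the loaded policy and can tell which existing types the source domain may already write to; this miniature only shows the parsing and grouping step.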
AFTER reporting the previous comment I ran (just to be sure)

restorecon -v -R /var

and got many many many lines like

restorecon reset /var/lib/zarafa/3/15/5353.gz context system_u:object_r:zarafa_var_lib_t:s0->system_u:object_r:var_lib_t:s0

and I have zarafa module loaded

[root@luther ~]# semodule -l |grep zarafa
zarafa	1.2.1
[root@luther ~]#

which has line in zarafa.fc

/var/lib/zarafa-.*	gen_context(system_u:object_r:zarafa_var_lib_t,s0)

(that's probably wrong RE, isn't it? Why that dash there? Shouldn't it be just

/var/lib/zarafa.*	gen_context(system_u:object_r:zarafa_var_lib_t,s0)

There are these two directories in /var/lib related to Zarafa:

[root@luther zarafa]# ls -ldZ /var/lib/zarafa*
drwxr-xr-x. zarafa zarafa system_u:object_r:var_lib_t:s0 /var/lib/zarafa
drwxr-xr-x. apache apache system_u:object_r:zarafa_var_lib_t:s0 /var/lib/zarafa-webaccess
[root@luther zarafa]#

A fix was added. Will be in the next build.
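The relabeling seen above follows from how file_contexts patterns are matched: libselinux anchors each regex at both ends, so `/var/lib/zarafa-.*` matches only paths that literally continue with a dash and never `/var/lib/zarafa` or anything under it, which then fall back to the generic `/var/lib` entry and get `var_lib_t`. The following Python script, an added example that is not code from the bug or from the selinux-policy project, checks which sample paths each candidate pattern matches with `re.fullmatch` (standing in for libselinux's `^...$` anchoring) and resolves a path against a tiny two-entry file_contexts table using the classic documented rule that the last matching entry wins. The first two patterns are the ones discussed in the comment above; the third, `/var/lib/zarafa(/.*)?`, is the usual "a directory and its subtree" idiom and is my addition, not something proposed in the bug. The sample paths are constructed: the first three are from the comment, the last two are invented (one to show that the dash pattern does cover the webaccess subtree, one to show that the bare `.*` also catches unrelated names).

```python
import re

# Candidate file_contexts patterns.  The first two come from the comment above
# (the loaded zarafa.fc and the suggested fix); the third is an added suggestion
# using the usual "directory and everything under it" idiom.
FC_PATTERNS = {
    "/var/lib/zarafa-.*": "dash: only names that continue with '-'",
    "/var/lib/zarafa.*": "no dash: every path starting with /var/lib/zarafa",
    "/var/lib/zarafa(/.*)?": "only /var/lib/zarafa itself and its subtree",
}

# Constructed sample paths: the first three appear in the bug, the last two are
# invented to exercise the webaccess subtree and an unrelated look-alike name.
SAMPLE_PATHS = [
    "/var/lib/zarafa",
    "/var/lib/zarafa/3/15/5353.gz",
    "/var/lib/zarafa-webaccess",
    "/var/lib/zarafa-webaccess/tmp/session",
    "/var/lib/zarafaconfig",
]


def fc_matches(pattern, path):
    """file_contexts regexes are compiled anchored at both ends, like ^pattern$."""
    return re.fullmatch(pattern, path) is not None


def paths_matched(pattern, paths=SAMPLE_PATHS):
    """Return the sample paths a single file_contexts pattern would label."""
    return [p for p in paths if fc_matches(pattern, p)]


def zarafa_specs(zarafa_pattern):
    """A two-entry file_contexts table (constructed; the real one is far larger):
    the generic /var/lib entry followed by the candidate Zarafa entry."""
    return [
        ("/var/lib(/.*)?", "var_lib_t"),
        (zarafa_pattern, "zarafa_var_lib_t"),
    ]


def relabel_type(path, specs):
    """Resolve a path against ordered (pattern, type) specs with the classic
    file_contexts rule: the last matching entry wins.  None means no entry
    matched, in which case restorecon leaves the current label alone."""
    chosen = None
    for pattern, setype in specs:
        if fc_matches(pattern, path):
            chosen = setype
    return chosen


if __name__ == "__main__":
    for pattern, meaning in FC_PATTERNS.items():
        print(f"{pattern}  ({meaning})")
        for path in SAMPLE_PATHS:
            label = relabel_type(path, zarafa_specs(pattern))
            print(f"    {path:40} -> {label}")
```

With the dash pattern, `/var/lib/zarafa/3/15/5353.gz` resolves to `var_lib_t`, which is exactly the `restorecon reset ... zarafa_var_lib_t -> var_lib_t` line reported above; with either of the other two patterns it resolves to `zarafa_var_lib_t`. The subtree idiom deliberately leaves `/var/lib/zarafa-webaccess` to a separate entry (the thread suggests labeling it as Zarafa web content), while the bare `.*` form also swallows `/var/lib/zarafaconfig`, so it is broader than the reporter probably intended.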