Bug 625340

Summary: Zimbra desktop 2 beta 4 doesn't start if enforcing=1
Product: [Fedora] Fedora
Reporter: Pablo Iranzo Gómez <pablo.iranzo>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CANTFIX
QA Contact: Ben Levenson <benl>
Severity: low
Priority: low
Version: 13
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-08-23 17:33:42 UTC

Description Pablo Iranzo Gómez 2010-08-19 06:24:02 UTC
Description of problem:

Zimbra desktop 2 beta 4 doesn't start on the computer: you get the prism window, but after a long time, it fails


Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.7.19-47.fc13.noarch

How reproducible:

Start Zimbra desktop and wait for it to fail
  
Actual results:
Zimbra doesn't start

Expected results:
Zimbra should start as it does with 'setenforce 0'

Additional info:
This is setroubleshoot alert 'copy to clipboard' contents:


Resúmen:

SELinux está negando a /opt/zimbra/zdesktop/linux/prism/zdclient "execmod"
acceder a /opt/zimbra/zdesktop/linux/prism/xulrunner/libxul.so.

Descripción Detallada:

[SELinux esta en modo permisivo. Este acceso no fue denegado.]

SELinux denied access requested by /opt/zimbra/zdesktop/linux/prism/zdclient.
/opt/zimbra/zdesktop/linux/prism/zdclient is mislabeled.
/opt/zimbra/zdesktop/linux/prism/zdclient default SELinux type is usr_t, but its
current type is usr_t. Changing this file back to the default type, may fix your
problem.

If you believe this is a bug, please file a bug report against this package.

Permitiendo Acceso:

You can restore the default system context to this file by executing the
restorecon command. restorecon '/opt/zimbra/zdesktop/linux/prism/zdclient'.

Comando para Corregir:

/sbin/restorecon '/opt/zimbra/zdesktop/linux/prism/zdclient'

Información Adicional:

Contexto Fuente               unconfined_u:unconfined_r:unconfined_t:s0
Contexto Destino              system_u:object_r:lib_t:s0
Objetos Destino               /opt/zimbra/zdesktop/linux/prism/xulrunner/libxul.
                              so [ file ]
Fuente                        zdclient
Dirección de Fuente          /opt/zimbra/zdesktop/linux/prism/zdclient
Puerto                        <Desconocido>
Nombre de Equipo              mine
Paquetes RPM Fuentes          
Paquetes RPM Destinos         
RPM de Políticas             selinux-policy-3.7.19-47.fc13
SELinux Activado              True
Tipo de Política             targeted
Modo Obediente                Permissive
Nombre de Plugin              restore_source_context
Nombre de Equipo              mine
Plataforma                    Linux mine
                              2.6.33.6-147.2.4.fc13.i686 #1 SMP Fri Jul 23
                              17:27:40 UTC 2010 i686 i686
Cantidad de Alertas           3
Visto por Primera Vez         mié 18 ago 2010 08:10:49 CEST
Visto por Última Vez         jue 19 ago 2010 08:18:16 CEST
ID Local                      e3b7374f-e324-4b62-957a-549c59a4c7ec
Números de Línea            

Mensajes de Auditoría Crudos 

node=mine type=AVC msg=audit(1282198696.317:57): avc:  denied  { execmod } for  pid=4558 comm="zdclient" path="/opt/zimbra/zdesktop/linux/prism/xulrunner/libxul.so" dev=dm-1 ino=485003 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=mine type=SYSCALL msg=audit(1282198696.317:57): arch=40000003 syscall=125 success=yes exit=0 a0=d86000 a1=1195000 a2=5 a3=bf8cdc80 items=0 ppid=1 pid=4558 auid=11356 uid=11356 gid=11356 euid=11356 suid=11356 fsuid=11356 egid=11356 sgid=11356 fsgid=11356 tty=(none) ses=2 comm="zdclient" exe="/opt/zimbra/zdesktop/linux/prism/zdclient" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
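
The raw AVC and SYSCALL records above share one audit event ID. As an added example (not part of the original report or of any Fedora tooling), this Python code correlates the two records and decodes the call that triggered the execmod denial; the helper names `parse` and `explain` and the one-entry i386 syscall table are this example's own.

```python
import re

# The AVC and SYSCALL records quoted in the report, trimmed to the fields read here.
AVC = ('node=mine type=AVC msg=audit(1282198696.317:57): avc:  denied  { execmod } '
       'for  pid=4558 comm="zdclient" '
       'path="/opt/zimbra/zdesktop/linux/prism/xulrunner/libxul.so" dev=dm-1 '
       'ino=485003 scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
       'tcontext=system_u:object_r:lib_t:s0 tclass=file')
SYSCALL = ('node=mine type=SYSCALL msg=audit(1282198696.317:57): arch=40000003 '
           'syscall=125 success=yes exit=0 a0=d86000 a1=1195000 a2=5 a3=bf8cdc80 '
           'pid=4558 comm="zdclient" exe="/opt/zimbra/zdesktop/linux/prism/zdclient"')

AUDIT_ARCH_I386 = 0x40000003        # EM_386 (3) with the little-endian flag set
I386_SYSCALLS = {125: "mprotect"}   # only the table entry this example needs
PROT_BITS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}

def parse(record):
    """Split one audit record into (event_id, {key: value})."""
    event_id = re.search(r"msg=audit\(([\d.]+:\d+)\)", record).group(1)
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}
    perms = re.search(r"\{ ([^}]*) \}", record)
    if perms:                        # present on AVC records only
        fields["perms"] = perms.group(1).split()
    return event_id, fields

def explain(avc_line, syscall_line):
    """Correlate an AVC denial with its SYSCALL record and decode the call."""
    avc_id, avc = parse(avc_line)
    sc_id, sc = parse(syscall_line)
    if avc_id != sc_id:
        raise ValueError("records belong to different audit events")
    if int(sc["arch"], 16) != AUDIT_ARCH_I386:
        raise ValueError("this example only carries an i386 syscall entry")
    prot = int(sc["a2"], 16)         # audit prints a0..a3 in hex
    return {
        "event": avc_id,
        "perms": avc["perms"],
        "syscall": I386_SYSCALLS.get(int(sc["syscall"]), "unknown"),
        "addr_len": (int(sc["a0"], 16), int(sc["a1"], 16)),  # mprotect(addr, len, prot)
        "prot": [name for bit, name in PROT_BITS.items() if prot & bit],
        "target": avc["path"],
        "target_type": avc["tcontext"].split(":")[2],
        # success=yes: the host was permissive, so the call was logged, not blocked
        "blocked": sc["success"] != "yes",
    }

if __name__ == "__main__":
    for key, value in explain(AVC, SYSCALL).items():
        print(f"{key}: {value}")
```

The decoded call is an mprotect() requesting PROT_READ|PROT_EXEC on a mapping of libxul.so, which is the operation the execmod permission governs: making a file-backed mapping executable after it has been modified in memory.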

Comment 1 Daniel Walsh 2010-08-23 17:33:42 UTC
The alert tells you what to do, or you can turn this check off altogether.

# setsebool -P allow_execmod 1

Comment 2 Pablo Iranzo Gómez 2010-08-24 06:32:47 UTC
Daniel, I've opened the bug because in the past, an updated policy fixed alerts for previous betas (afaik it was on F13 alpha).

Should I report it against the Zimbra product Bugzilla?

Thanks
Pablo

Comment 3 Daniel Walsh 2010-08-24 14:30:40 UTC
I guess if they used the standard location it would have worked.

Then it would have gotten the correct context.

> rpm -qf /usr/lib64/xulrunner-1.9.2/libxul.so
xulrunner-1.9.2.4-1.fc14.x86_64

And this version is built correctly not requiring the execmod.

ls -lZ /usr/lib64/xulrunner-1.9.2/libxul.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       /usr/lib64/xulrunner-1.9.2/libxul.so

Comment 4 Pablo Iranzo Gómez 2010-09-20 07:53:50 UTC
Opened the bug in Zimbra bugzilla as:

https://bugzilla.zimbra.com/show_bug.cgi?id=50815

Thanks

Comment 5 Pablo Iranzo Gómez 2010-09-20 11:43:28 UTC
Bug 'fixed' on Zimbra desktop as per:

https://bugzilla.zimbra.com/show_bug.cgi?id=50394

Thanks
Pablo