Bug 890919
| Summary: | zarafa policy seems to still be missing a few things | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Erik M Jacobs <ejacobs> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 5.8 | CC: | dwalsh, mmalik |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Last Closed: | 2013-03-13 13:38:44 UTC | Type: | Bug |
Could you attach AVC msgs for these rules? Thank you.

Sorry that this took me forever.
[root /usr/share/selinux]$ ausearch -m avc -ts 01/28/2013 02:03:00
----
time->Mon Jan 28 02:03:34 2013
type=SYSCALL msg=audit(1359338614.861:19724): arch=c000003e syscall=59 success=yes exit=0 a0=2b9107c8a910 a1=2b9107c8a980 a2=2b9107c8a820 a3=0 items=0 ppid=29672 pid=29673 auid=501 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=93 comm="zarafa-dagent" exe="/usr/bin/zarafa-dagent" subj=user_u:system_r:postfix_pipe_t:s0 key=(null)
type=AVC msg=audit(1359338614.861:19724): avc: denied { read } for pid=29673 comm="pipe" path="/usr/bin/zarafa-dagent" dev=dm-0 ino=132205 scontext=user_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:zarafa_deliver_exec_t:s0 tclass=file
type=AVC msg=audit(1359338614.861:19724): avc: denied { execute_no_trans } for pid=29673 comm="pipe" path="/usr/bin/zarafa-dagent" dev=dm-0 ino=132205 scontext=user_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:zarafa_deliver_exec_t:s0 tclass=file
type=AVC msg=audit(1359338614.861:19724): avc: denied { execute } for pid=29673 comm="pipe" name="zarafa-dagent" dev=dm-0 ino=132205 scontext=user_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:zarafa_deliver_exec_t:s0 tclass=file
----
time->Mon Jan 28 02:03:34 2013
type=SYSCALL msg=audit(1359338614.990:19725): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7fff911e9840 a2=6e a3=1 items=0 ppid=29672 pid=29673 auid=501 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=93 comm="zarafa-dagent" exe="/usr/bin/zarafa-dagent" subj=user_u:system_r:postfix_pipe_t:s0 key=(null)
type=AVC msg=audit(1359338614.990:19725): avc: denied { connectto } for pid=29673 comm="zarafa-dagent" path="/var/run/zarafa" scontext=user_u:system_r:postfix_pipe_t:s0 tcontext=user_u:system_r:zarafa_server_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1359338614.990:19725): avc: denied { write } for pid=29673 comm="zarafa-dagent" name="zarafa" dev=dm-0 ino=385461 scontext=user_u:system_r:postfix_pipe_t:s0 tcontext=user_u:object_r:zarafa_server_var_run_t:s0 tclass=sock_file
This one issue should be fixed in RHEL-6 therefore I am closing the bug as NEXTRELEASE.
Description of problem:
Installed the latest selinux policy, and zarafa seems to still be missing a few things.

Version-Release number of selected component (if applicable):
2.4.6-327.el5

How reproducible:
100%

Steps to Reproduce:
1. Install 2.4.6-327.el5
2. Do stuff with Zarafa
3.

Actual results:
audit2allow output:

#============= postfix_pipe_t ==============
allow postfix_pipe_t zarafa_deliver_exec_t:file { read execute execute_no_trans };
allow postfix_pipe_t zarafa_server_t:unix_stream_socket connectto;
allow postfix_pipe_t zarafa_server_var_run_t:sock_file write;

Expected results:
Zarafa should not have issues.

Additional info:
I see there are some booleans, but the only one that makes sense is:
zarafa_deliver_disable_trans --> off
With it set to "on" (which doesn't make sense), I still have the same issues.

Please let me know what other information is required.
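An added example, not part of the original report and not audit2allow's own code: a minimal Python parser that groups the AVC denials from the ausearch output above into allow rules of the same form, and flags `execute_no_trans` requests, which mean the target binary runs in the caller's domain instead of transitioning to its own. The function names are hypothetical, and permissions are sorted alphabetically, so the order inside braces differs from audit2allow's.

```python
import re
from collections import defaultdict

# AVC records copied from the ausearch output in this report.
AUDIT_LOG = """\
type=AVC msg=audit(1359338614.861:19724): avc: denied { read } for pid=29673 comm="pipe" path="/usr/bin/zarafa-dagent" dev=dm-0 ino=132205 scontext=user_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:zarafa_deliver_exec_t:s0 tclass=file
type=AVC msg=audit(1359338614.861:19724): avc: denied { execute_no_trans } for pid=29673 comm="pipe" path="/usr/bin/zarafa-dagent" dev=dm-0 ino=132205 scontext=user_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:zarafa_deliver_exec_t:s0 tclass=file
type=AVC msg=audit(1359338614.861:19724): avc: denied { execute } for pid=29673 comm="pipe" name="zarafa-dagent" dev=dm-0 ino=132205 scontext=user_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:zarafa_deliver_exec_t:s0 tclass=file
type=AVC msg=audit(1359338614.990:19725): avc: denied { connectto } for pid=29673 comm="zarafa-dagent" path="/var/run/zarafa" scontext=user_u:system_r:postfix_pipe_t:s0 tcontext=user_u:system_r:zarafa_server_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1359338614.990:19725): avc: denied { write } for pid=29673 comm="zarafa-dagent" name="zarafa" dev=dm-0 ino=385461 scontext=user_u:system_r:postfix_pipe_t:s0 tcontext=user_u:object_r:zarafa_server_var_run_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def selinux_type(context):
    # A context is user:role:type[:mls]; policy rules are written on the type.
    return context.split(":")[2]

def denials_to_rules(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)  # SYSCALL and separator lines do not match
        if m:
            key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
            grouped[key].update(m["perms"].split())
    return dict(grouped)

def format_rules(grouped):
    """Render the grouped denials as allow statements."""
    out = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return out

def no_transition_execs(grouped):
    """(source, target) pairs where the binary would run in the caller's domain."""
    return [(s, t) for (s, t, _), p in sorted(grouped.items()) if "execute_no_trans" in p]

if __name__ == "__main__":
    grouped = denials_to_rules(AUDIT_LOG)
    print("\n".join(format_rules(grouped)))
    print("runs without domain transition:", no_transition_execs(grouped))
```

A flagged pair is worth reviewing before loading a generated module, since granting it keeps the helper in the caller's domain and so leads to the follow-on socket rules seen here.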