Bug 1014408 - [PATCH] add SELinux policy and httpd configuration improvements for radicale
[PATCH] add SELinux policy and httpd configuration improvements for radicale
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
19
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Juan Orti
Fedora Extras Quality Assurance
:
Depends On: 999584
Blocks:
  Show dependency treegraph
 
Reported: 2013-10-01 18:53 EDT by William Brown
Modified: 2015-09-11 08:53 EDT (History)
7 users (show)

See Also:
Fixed In Version: radicale-0.8-5.fc20
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-13 22:37:30 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Patch to be applied to fedpkg git for selinux and httpd improvements. (13.67 KB, patch)
2013-10-01 18:53 EDT, William Brown
no flags Details | Diff
Httpd patch (1.73 KB, patch)
2013-10-02 09:33 EDT, William Brown
no flags Details | Diff
Selinux patch (12.23 KB, patch)
2013-10-02 09:33 EDT, William Brown
no flags Details | Diff

  None (edit)
Description William Brown 2013-10-01 18:53:04 EDT
Created attachment 806189 [details]
Patch to be applied to fedpkg git for selinux and httpd improvements.

Description of problem:
Out of the box, radicale runs as an unconfined domain. Additionally, the shipped httpd configuration has many subtle issues that prevent easily changing between httpd and radicale's daemon. Finally, httpd's selinux policy may conflict with radicale.

This patch (can be applied to fedpkg) adds selinux policy to config radicale to a domain (radicale_t), as well as adding etc types, log type and file types for collections or the sqlite db. Additionally, it adds a boolean allowing httpd rw access to radicale content. The httpd configuration now omits the wsgi lines, as these come with mod wsgi. The wsgi process is run as the radicale user, to prevent changing DAC permissions on the fs. The directory directive was changed to a location, to better suit the WSGI process. 


What this patch doesn't provide:

SElinux policy to allow the radicale daemon to connect to SQL or LDAP. 

When running in WSGI mode, the radicale server is running as httpd_t, so the existing booleans for SQL and LDAP here cover that use case.
Comment 1 Till Maas 2013-10-02 06:26:19 EDT
IMHO the selinux enhancements should be added to the default selinux policy. Or is there a good reason not to do this?

@William:
Can you please open a separate patch for the httpd improvements? Can you please explain these changes to the httpd config file, you do not mention them in the bug description:

-#            Require local
+#            # Require local
 #        </IfModule>
 #        <IfModule !mod_authz_core.c>
 #            # Apache 2.2
@@ -27,6 +27,7 @@
 #        </IfModule>
 #
 #        ## You may want to use apache's authentication
+#        AuthBasicProvider file
Comment 2 William Brown 2013-10-02 09:29:02 EDT
Normally policy when first developed, should go in a package specific module (Or the package itself). Once it's stabilised and improved, then it's generally put into the reference policy. Given I wrote it less than 24 hours ago, i think it best to keep it separate for now in case it needs improvement, over haul etc. 

I was using this module with apache24 on f19. The changes you note, Require local, can probably be uncommented if you want (Rather, ignored). It somewhat doesn't make sense to double block a user from accessing the service given out of the box, iptables blocks 80,443, and that the configuration is commented out anyway. It's another "step" for a user to need to reconfigure. (This is a minor issue)

AuthBasicProvider file can likely be removed also: I was used to it needing to be specified, and think it good practice to be specific. I just double checked and found that it is the default anyway.
Comment 3 William Brown 2013-10-02 09:33:22 EDT
Created attachment 806479 [details]
Httpd patch
Comment 4 William Brown 2013-10-02 09:33:57 EDT
Created attachment 806480 [details]
Selinux patch
Comment 5 Juan Orti 2013-10-03 06:40:28 EDT
I have merged the httpd config changes, adding a umask value to the process. I have also removed the whole block of network access rules, as it makes little sense.

About the SELinux rules, they look ok for me, but I'll wait to hear what the SELinux experts have to say about them.
Comment 6 Daniel Walsh 2013-10-04 11:09:08 EDT
Policy looks good to us.
Comment 7 Fedora Update System 2013-10-07 04:06:29 EDT
radicale-0.8-4.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/radicale-0.8-4.fc20
Comment 8 Fedora Update System 2013-10-07 11:45:01 EDT
Package radicale-0.8-4.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing radicale-0.8-4.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-18460/radicale-0.8-4.fc20
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2013-11-08 16:48:41 EST
radicale-0.8-5.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/radicale-0.8-5.fc20
Comment 10 Fedora Update System 2013-11-13 22:37:30 EST
radicale-0.8-5.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Adam Williamson 2015-08-29 16:06:00 EDT
So radicale's SELinux policy still seems to be shipping in a separate package; should it be merged into policy-targeted by now?
Comment 12 Miroslav Grepl 2015-08-31 07:56:30 EDT
(In reply to Adam Williamson from comment #11)
> So radicale's SELinux policy still seems to be shipping in a separate
> package; should it be merged into policy-targeted by now?

Is there a problem with that? I don't have a problem to ship in Fedora but there needs to be a request for it.
Comment 13 Adam Williamson 2015-08-31 12:05:13 EDT
eh, I wouldn't say it's really a problem, it just seemed like we kinda had a policy of rolling everything up into the central package. It did confuse me for a bit because radicale doesn't require radicale-selinux, so until I realized I needed to install the subpackage I couldn't get it to work with selinux.
Comment 14 Juan Orti 2015-09-01 11:04:33 EDT
(In reply to Miroslav Grepl from comment #12)
> Is there a problem with that? I don't have a problem to ship in Fedora but
> there needs to be a request for it.

How should I request it? opening a bug to policy-targeted?
Comment 15 Daniel Walsh 2015-09-07 07:59:00 EDT
I would say this is a bug in radicale, it should require the radicale selinux policy.

We want to encourage apps to ship their own policy especially going forward with the improvements in the SELinux tool chain.  I would like to get policies reviewed and they could be stored in the upstream git, but we really want to start to shrink the size of policy by not installing it if it is not needed.
Comment 16 Miroslav Grepl 2015-09-11 08:43:09 EDT
Ok if there is radical-selinux.rpm with policy, then it should be required by radicale. 

My point is we can store policy files in fedora-selinux github and these sources can be used by a packages which shipped own policy. We really need to be sure these policies are upstreamable. Also there are some policy language limitations if they are outside of the distro policy (see docker.te and mainly *_stub() calling).

The biggest point is we can use module priorities

https://mgrepl.wordpress.com/2015/07/31/cil-part2-module-priorities/

and start to think about profiling. Something what we have for selinux-policy-minimum.
Comment 17 Juan Orti 2015-09-11 08:53:02 EDT
(In reply to Miroslav Grepl from comment #16)
> Ok if there is radical-selinux.rpm with policy, then it should be required
> by radicale. 

Hi, I've submitted this update requiring radicale-selinux:
https://bodhi.fedoraproject.org/updates/FEDORA-2015-15287

I think the policy is enough tested to be pushed to everyone.

Note You need to log in before you can comment on or make changes to this bug.