Bug 1208298 - After updating to EL 7.1 roundcube package won't work with selinux enabled
Summary: After updating to EL 7.1 roundcube package won't work with selinux enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Simon Sekidde
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-04-01 21:52 UTC by Scott Dowdle
Modified: 2015-11-19 10:30 UTC (History)
CC List: 13 users

Fixed In Version: selinux-policy-3.13.1-25.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 10:30:05 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2015:2300 (Status: SHIPPED_LIVE, Priority: normal, Summary: selinux-policy bug fix update, Last Updated: 2015-11-19 09:55:26 UTC)

Description Scott Dowdle 2015-04-01 21:52:49 UTC
roundcubemail was working until I upgraded my host from CentOS 7-1503 (7.1). I get an authentication error... until I turn off SELinux and then it works.

Here's the error I get in /var/log/roundcubemail/errors when selinux is in enforcing mode:

[01-Apr-2015 15:23:51 -0600]: <d3m7ppi4> DB Error: [8] attempt to write a readonly database (SQL Query: DELETE FROM "session" WHERE "sess_id" = 'd3m7ppi4t9vtuofs4dd8ina6j0') in /usr/share/roundcubemail/program/lib/Roundcube/rcube_db.php on line 541 (POST /mail/?_task=login?_task=login&_action=login)
[01-Apr-2015 15:23:52 -0600]: <d3m7ppi4> DB Error: [8] attempt to write a readonly database (SQL Query: UPDATE "users" SET "last_login" = datetime('now') WHERE "user_id" = '1') in /usr/share/roundcubemail/program/lib/Roundcube/rcube_db.php on line 541 (POST /mail/?_task=login?_task=login&_action=login)
[01-Apr-2015 15:23:52 -0600]: <l9pucoa9> DB Error: [8] attempt to write a readonly database (SQL Query: INSERT INTO "session" ("sess_id", "vars", "ip", "created", "changed") VALUES ('l9pucoa9fbjobe5fivcvg6c1u1', '...', '153.90.195.54', datetime('now'), datetime('now'))) in /usr/share/roundcubemail/program/lib/Roundcube/rcube_db.php on line 541 (POST /mail/?_task=login?_task=login&_action=login)
[01-Apr-2015 15:23:52 -0600]: <l9pucoa9> DB Error: [8] attempt to write a readonly database (SQL Query: INSERT INTO "session" ("sess_id", "vars", "ip", "created", "changed") VALUES ('l9pucoa9fbjobe5fivcvg6c1u1', 'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs=', '153.90.195.54', datetime('now'), datetime('now'))) in /usr/share/roundcubemail/program/lib/Roundcube/rcube_db.php on line 541 (GET /mail/?_task=mail)

Basically it can't write to the database file... which I think is /var/lib/roundcubemail/sqlite.db

If I put selinux in permissive mode then it works.

Perhaps there is an sebool for it, but if so, I haven't figured out which one. Here's what "getsebool -a | grep httpd" shows:

httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> on
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> on
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> on
httpd_use_openstack --> off
httpd_use_sasl --> on
httpd_verify_dns --> off

I've configured roundcubemail to authenticate via IMAP to another machine on the same LAN.

Comment 1 Scott Dowdle 2015-04-01 22:08:49 UTC
Here's what it shows in the /var/log/audit.log

type=AVC msg=audit(1427924537.536:1669): avc:  denied  { write } for  pid=2397 comm="httpd" name="sqlite.db" dev="vda1" ino=403425494 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1427924538.825:1670): avc:  denied  { write } for  pid=2397 comm="httpd" name="sqlite.db" dev="vda1" ino=403425494 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1427924549.478:1671): avc:  denied  { write } for  pid=2396 comm="httpd" name="sqlite.db" dev="vda1" ino=403425494 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
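
Triage of records like the three above is easier once they are reduced to (source type, target type, class) groups, which is the tuple that decides between a relabel and a policy change. The following parser is an added example, not code from the bug report or from selinux-policy; the sample input is constructed from the AVC lines quoted in comments 1 and 4 plus one unrelated record to show that non-AVC lines are skipped:

```python
import re
from collections import defaultdict

# Constructed sample input: AVC records quoted in comments 1 and 4 of this bug,
# plus one non-AVC record that the parser must ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1427924537.536:1669): avc:  denied  { write } for  pid=2397 comm="httpd" name="sqlite.db" dev="vda1" ino=403425494 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1427924538.825:1670): avc:  denied  { write } for  pid=2397 comm="httpd" name="sqlite.db" dev="vda1" ino=403425494 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1427977409.112:3854626): avc:  denied  { unlink } for  pid=11532 comm="httpd" name="453f2473e97e0ad0f2e69d1736e920f4.octet-stream" dev="sda1" ino=268428 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=USER_AUTH msg=audit(1427924537.000:1668): pid=1 uid=0 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" res=success'
"""

# Field order of a kernel AVC record: result, permission set, comm, optional
# object name, source context, target context, target class.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'(?:.*?\bname="(?P<name>[^"]*)")?'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)

def se_type(context):
    """Return the type field (third component) of user:role:type:level."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = set(d["perms"].split())
    d["stype"], d["ttype"] = se_type(d["scontext"]), se_type(d["tcontext"])
    return d

def summarize_denials(audit_text):
    """Group denials by (source type, target type, class) with the union of denied permissions."""
    summary = defaultdict(lambda: {"count": 0, "perms": set(), "names": set()})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        entry = summary[(rec["stype"], rec["ttype"], rec["tclass"])]
        entry["count"] += 1
        entry["perms"] |= rec["perms"]
        if rec["name"]:
            entry["names"].add(rec["name"])
    return dict(summary)
```

On a live host the same function can be fed the output of `ausearch -m avc` as comment 6 suggests; a group whose target type is a generic one such as var_lib_t usually points at a labeling problem rather than a missing boolean.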

Comment 2 Scott Dowdle 2015-04-01 22:27:06 UTC
To fix it I had to run the two following commands recommended by sealert

semanage fcontext -a -t httpd_sys_rw_content_t '/var/lib/roundcubemail/sqlite.db'

restorecon -v '/var/lib/roundcubemail/sqlite.db'

Comment 3 Scott Dowdle 2015-04-01 23:46:11 UTC
randomuser in IRC suggested the following probably would have worked:

restorecon -R /var/lib/roundcubemail/

Having already fixed it the way I did, I can't verify that... and I'm not going to break it in some way to test it. :)

If that is true, that means that an update to the roundcubemail package isn't needed... and that a clean install where a fresh sqlite.db file is created will probably work without issue.  That is to say that our guess is that the SELinux policy changed and just refreshing the context of my pre-existing file might have fixed it.

Anyway...

Comment 4 Orion Poplawski 2015-04-02 14:21:38 UTC
It seems there are other files kept there as well:

type=AVC msg=audit(1427977409.112:3854626): avc:  denied  { unlink } for  pid=11532 comm="httpd" name="453f2473e97e0ad0f2e69d1736e920f4.octet-stream" dev="sda1" ino=268428 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1427977409.112:3854627): avc:  denied  { unlink } for  pid=11532 comm="httpd" name="c1fcbed2b440847f48f2ce7275e85944.png" dev="sda1" ino=268586 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

ls -lZa /var/lib/roundcubemail/
drwxrwxr-x. root   apache system_u:object_r:var_lib_t:s0   .
drwxr-xr-x. root   root   system_u:object_r:var_lib_t:s0   ..
-rw-------. apache apache system_u:object_r:var_lib_t:s0   12d7a93b29427fc530a3986a2ac9e5ea.jpeg
-rw-------. apache apache system_u:object_r:var_lib_t:s0   15269169bba300541a7fdc68a45825b6.png
....

restorecon resets to var_lib_t, so that doesn't work.  I think you want:

semanage fcontext -a -t httpd_sys_rw_content_t '/var/lib/roundcubemail(/.*)?'

restorecon -r /var/lib/roundcubemail
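
The difference between the per-file rule in comment 2 and the recursive rule above can be checked offline before touching the policy. The following is an added example, not code from the bug report or from selinux-policy: it approximates matchpathcon's "most specific full-path match wins" rule and reports every entry that restorecon would relabel under a given set of file-context specs. The listing is constructed from comment 4's `ls -Z` output and comment 1's sqlite.db label; the `/var/lib(/.*)?` spec stands in for the distribution default:

```python
import re

# Constructed sample: (current type, path) pairs modelled on comment 4's listing,
# with the sqlite.db label from comment 1 and an unrelated sibling directory.
SAMPLE_LISTING = [
    ("var_lib_t", "/var/lib/roundcubemail"),
    ("httpd_sys_content_t", "/var/lib/roundcubemail/sqlite.db"),
    ("var_lib_t", "/var/lib/roundcubemail/12d7a93b29427fc530a3986a2ac9e5ea.jpeg"),
    ("httpd_var_lib_t", "/var/lib/roundcubemail/15269169bba300541a7fdc68a45825b6.png"),
    ("var_lib_t", "/var/lib/roundcubemail-backup/sqlite.db"),
]

# File-context specs as (regex, type), the form `semanage fcontext -a -t TYPE REGEX`
# records them. DEFAULT_SPEC is an assumed stand-in for the distribution's /var/lib rule.
NARROW_SPEC = [(r"/var/lib/roundcubemail/sqlite.db", "httpd_sys_rw_content_t")]  # comment 2
RECURSIVE_SPEC = [(r"/var/lib/roundcubemail(/.*)?", "httpd_sys_rw_content_t")]  # comment 4
DEFAULT_SPEC = [(r"/var/lib(/.*)?", "var_lib_t")]

def expected_type(path, specs):
    """Approximate matchpathcon: the regex must match the whole path, and the
    longest matching pattern is taken as the most specific."""
    best = None
    for pattern, setype in specs:
        if re.fullmatch(pattern, path) and (best is None or len(pattern) > len(best[0])):
            best = (pattern, setype)
    return best[1] if best else None

def label_drift(listing, specs):
    """Return (path, current, expected) for every entry restorecon would relabel."""
    drift = []
    for current, path in listing:
        want = expected_type(path, specs)
        if want is not None and want != current:
            drift.append((path, current, want))
    return drift
```

With only the narrow spec, a recursive restorecon still pushes the attachment files back to var_lib_t (the relabeling comment 8 observed), whereas the recursive spec relabels the directory and everything under it consistently.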

Comment 6 Milos Malik 2015-04-02 15:11:56 UTC
Could you attach the list of SELinux denials which appear in enforcing mode? Could you re-run your scenario in permissive mode and collect the denials as well?

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

Comment 7 Scott Dowdle 2015-04-02 15:55:12 UTC
I'm not getting any errors.  The ausearch recommended in comment 6 shows nothing and that is with selinux in enforcing mode.

So, to the best of my knowledge, it isn't broken anymore and there isn't any data to gather.

Comment 8 Orion Poplawski 2015-04-02 16:24:41 UTC
I'm not able to reproduce this very well.  I do note that when you attach a file to an email in roundcube mail it creates a file in /var/lib/roundcubemail with context httpd_var_lib_t.  Perhaps something is coming along later and relabelling some files back to var_lib_t?

Comment 9 Milos Malik 2015-04-02 16:36:34 UTC
It happens automatically.

# matchpathcon /var/lib/roundcubemail
/var/lib/roundcubemail	system_u:object_r:var_lib_t:s0
#

Following rule says: if a process running as httpd_t creates a file or a directory under /var/lib/roundcubemail directory then the new object gets httpd_var_lib_t label.

# sesearch -s httpd_t -t var_lib_t -T
Found 2 semantic te rules:
   type_transition httpd_t var_lib_t : file httpd_var_lib_t; 
   type_transition httpd_t var_lib_t : dir httpd_var_lib_t; 

#

Comment 10 Orion Poplawski 2015-04-02 17:04:06 UTC
Right, but I was wondering what had set the labels on the file back to var_lib_t?  Anything in an update?  My running restorecon -r /var at some point?  At that point then it seems that roundcubemail cannot delete the files.

Not sure how Scott's sqlite.db file ended up as httpd_sys_content_t.

Comment 15 errata-xmlrpc 2015-11-19 10:30:05 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

