1221587 – Prosody SELinux policy

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1221587 - Prosody SELinux policy

Summary: Prosody SELinux policy

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.1
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-05-14 12:08 UTC by Laurent Wandrebeck
Modified:	2015-11-19 10:33 UTC (History)
CC List:	11 users (show)
Fixed In Version:	selinux-policy-3.13.1-32.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-11-19 10:33:59 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
grep denied /var/log/audit/audit.log (34.28 KB, text/plain) 2015-05-14 12:08 UTC, Laurent Wandrebeck	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2015:2300	0	normal	SHIPPED_LIVE	selinux-policy bug fix update	2015-11-19 09:55:26 UTC

Description Laurent Wandrebeck 2015-05-14 12:08:40 UTC

Created attachment 1025363 [details]
grep denied /var/log/audit/audit.log

Description of problem:

Several avc:denied when running Prosody 0.9.8-1.el7 from epel-testing

Version-Release number of selected component (if applicable):

Prosody 0.9.8-1.el7
selinux-policy 3.13.1-23.el7_1.7

(running CentOS 7-1503 fully up to date).

How reproducible:


(configure the service)
systemctl start prosody

Steps to Reproduce:
1. yum install prosody --enablerepo=epel-testing
2. (configure the service - running with PostgreSQL as a backend here)
3. systemctl start prosody

Actual results:

SELinux prevents certains operations to get prosody running.

Expected results:

SELinux let Prosody runs normally.

Additional info:

.te file coming from audit2allow

module myprosody 1.0;

require {
	type var_log_t;
	type postgresql_port_t;
	type prosody_t;
	class capability { dac_read_search dac_override };
	class tcp_socket name_connect;
	class file { read create open };
	class dir { write add_name };
}

#============= prosody_t ==============
allow prosody_t postgresql_port_t:tcp_socket name_connect;

allow prosody_t self:capability { dac_read_search dac_override };

allow prosody_t var_log_t:dir { write add_name };

allow prosody_t var_log_t:file { read create open };

Please note that fw is still closed for Prosody, so additionnal rules may be necessary once server goes to prod.

Comment 2 Robert Scheck 2015-05-14 15:02:38 UTC

Prosody must be able to handle its log files in /var/log/prosody/*,
prosody might connect to PostgreSQL or MySQL via unix socket or TCP.

Comment 3 Miroslav Grepl 2015-05-25 11:37:35 UTC

I see dac_override. So it means we have a different process vs. log_file owner.

Comment 4 Robert Scheck 2015-05-25 13:30:44 UTC

Prosody process should run as user "prosody", directory /var/log/prosody/
should be prosody:prosody, same for log files. Laurent, can you cross-check
your setup, please?

Miroslav: Prosody drops its privileges itself - could that cause the issue,
if it already writes a log line before?

Comment 5 Laurent Wandrebeck 2015-05-25 19:04:20 UTC

[root@bla ~]# ps aux | grep prosody
prosody  15000  0.0  0.0 115260  6972 ?        S    20:16   0:00 lua /usr/lib64/prosody/../../bin/prosody

[root@minicloud ~]# ll /var/log/
drwxr-x---. 2 prosody   prosody          4096 May 24 09:04 prosody

Comment 6 Miroslav Grepl 2015-06-03 07:33:22 UTC

(In reply to Robert Scheck from comment #4)
> Prosody process should run as user "prosody", directory /var/log/prosody/
> should be prosody:prosody, same for log files. Laurent, can you cross-check
> your setup, please?
> 
> Miroslav: Prosody drops its privileges itself - could that cause the issue,
> if it already writes a log line before?

Yes. In this case, we need to add dac_override.

Comment 7 Lukas Vrabec 2015-07-02 11:32:28 UTC

commit 37b15993bcdc846afb030bbb8c0fcc19b64a1c61
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 2 13:28:44 2015 +0200

    Allow prosody connect to postgresql port.
    
    Allow prosody create prosody_log_t dirs/files.
    
    Allow prosody dac_override cap.

Added fixes to F22.
I'll add fixes also to RHEL7.2

Comment 8 Robert Scheck 2015-07-02 11:36:56 UTC

Awesome. Is there already a 7.2 tree that a Red Hat partner is able to access
to test the whole combination (not just the policy) with Prosody?

Comment 9 Lukas Vrabec 2015-07-09 11:10:12 UTC

commit 3b8100ace47fa4e326b79b5e0fa24e68f6d643bc
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 2 13:34:56 2015 +0200

    Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)

Comment 13 errata-xmlrpc 2015-11-19 10:33:59 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

Note You need to log in before you can comment on or make changes to this bug.