Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1221587

Summary: Prosody SELinux policy
Product: Red Hat Enterprise Linux 7 Reporter: Laurent Wandrebeck <l.wandrebeck>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.1CC: baptiste.peugnez, g.fhnrunznrqeqf, lvrabec, l.wandrebeck, mgrepl, mmalik, plautrba, pvrabec, redhat-bugzilla, robert.scheck, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-32.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 10:33:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
grep denied /var/log/audit/audit.log none

Description Laurent Wandrebeck 2015-05-14 12:08:40 UTC 
Created attachment 1025363 [details]
grep denied /var/log/audit/audit.log

Description of problem:

Several avc:denied when running Prosody 0.9.8-1.el7 from epel-testing

Version-Release number of selected component (if applicable):

Prosody 0.9.8-1.el7
selinux-policy 3.13.1-23.el7_1.7

(running CentOS 7-1503 fully up to date).

How reproducible:


(configure the service)
systemctl start prosody

Steps to Reproduce:
1. yum install prosody --enablerepo=epel-testing
2. (configure the service - running with PostgreSQL as a backend here)
3. systemctl start prosody

Actual results:

SELinux prevents certains operations to get prosody running.

Expected results:

SELinux let Prosody runs normally.

Additional info:

.te file coming from audit2allow

module myprosody 1.0;

require {
	type var_log_t;
	type postgresql_port_t;
	type prosody_t;
	class capability { dac_read_search dac_override };
	class tcp_socket name_connect;
	class file { read create open };
	class dir { write add_name };
}

#============= prosody_t ==============
allow prosody_t postgresql_port_t:tcp_socket name_connect;

allow prosody_t self:capability { dac_read_search dac_override };

allow prosody_t var_log_t:dir { write add_name };

allow prosody_t var_log_t:file { read create open };

Please note that fw is still closed for Prosody, so additionnal rules may be necessary once server goes to prod.
Comment 2 Robert Scheck 2015-05-14 15:02:38 UTC 
Prosody must be able to handle its log files in /var/log/prosody/*,
prosody might connect to PostgreSQL or MySQL via unix socket or TCP.
Comment 3 Miroslav Grepl 2015-05-25 11:37:35 UTC 
I see dac_override. So it means we have a different process vs. log_file owner.
Comment 4 Robert Scheck 2015-05-25 13:30:44 UTC 
Prosody process should run as user "prosody", directory /var/log/prosody/
should be prosody:prosody, same for log files. Laurent, can you cross-check
your setup, please?

Miroslav: Prosody drops its privileges itself - could that cause the issue,
if it already writes a log line before?
Comment 5 Laurent Wandrebeck 2015-05-25 19:04:20 UTC 
[root@bla ~]# ps aux | grep prosody
prosody  15000  0.0  0.0 115260  6972 ?        S    20:16   0:00 lua /usr/lib64/prosody/../../bin/prosody

[root@minicloud ~]# ll /var/log/
drwxr-x---. 2 prosody   prosody          4096 May 24 09:04 prosody
Comment 6 Miroslav Grepl 2015-06-03 07:33:22 UTC 
(In reply to Robert Scheck from comment #4)
> Prosody process should run as user "prosody", directory /var/log/prosody/
> should be prosody:prosody, same for log files. Laurent, can you cross-check
> your setup, please?
> 
> Miroslav: Prosody drops its privileges itself - could that cause the issue,
> if it already writes a log line before?

Yes. In this case, we need to add dac_override.
Comment 7 Lukas Vrabec 2015-07-02 11:32:28 UTC 
commit 37b15993bcdc846afb030bbb8c0fcc19b64a1c61
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 2 13:28:44 2015 +0200

    Allow prosody connect to postgresql port.
    
    Allow prosody create prosody_log_t dirs/files.
    
    Allow prosody dac_override cap.

Added fixes to F22.
I'll add fixes also to RHEL7.2
Comment 8 Robert Scheck 2015-07-02 11:36:56 UTC 
Awesome. Is there already a 7.2 tree that a Red Hat partner is able to access
to test the whole combination (not just the policy) with Prosody?
Comment 9 Lukas Vrabec 2015-07-09 11:10:12 UTC 
commit 3b8100ace47fa4e326b79b5e0fa24e68f6d643bc
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 2 13:34:56 2015 +0200

    Fix interface corenet_tcp_connect_postgresql_port_port(prosody_t)
Comment 13 errata-xmlrpc 2015-11-19 10:33:59 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html