Bug 625340 - Zimbra desktop 2 beta 4 doesn't start if enforcing=1
Summary: Zimbra desktop 2 beta 4 doesn't start if enforcing=1
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
(Show other bugs)
Version: 13
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2010-08-19 06:24 UTC by Pablo Iranzo Gómez
Modified: 2010-09-20 11:43 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-08-23 17:33:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Pablo Iranzo Gómez 2010-08-19 06:24:02 UTC
Description of problem:

Zimbra desktop 2 beta 4 doesn't start on computer, you get the prism window, but after lots of time, it fails

Version-Release number of selected component (if applicable):


How reproducible:

Start zimbra desktop and wait to fail
Actual results:
Zimbra doesn't start

Expected results:
Zimbra should start as it does with 'setenforce 0'

Additional info:
This is setroubleshoot alert 'copy to clipboard' contents:


SELinux está negando a /opt/zimbra/zdesktop/linux/prism/zdclient "execmod"
acceder a /opt/zimbra/zdesktop/linux/prism/xulrunner/libxul.so.

Descripción Detallada:

[SELinux esta en modo permisivo. Este acceso no fue denegado.]

SELinux denied access requested by /opt/zimbra/zdesktop/linux/prism/zdclient.
/opt/zimbra/zdesktop/linux/prism/zdclient is mislabeled.
/opt/zimbra/zdesktop/linux/prism/zdclient default SELinux type is usr_t, but its
current type is usr_t. Changing this file back to the default type, may fix your

If you believe this is a bug, please file a bug report against this package.

Permitiendo Acceso:

You can restore the default system context to this file by executing the
restorecon command. restorecon '/opt/zimbra/zdesktop/linux/prism/zdclient'.

Comando para Corregir:

/sbin/restorecon '/opt/zimbra/zdesktop/linux/prism/zdclient'

Información Adicional:

Contexto Fuente               unconfined_u:unconfined_r:unconfined_t:s0
Contexto Destino              system_u:object_r:lib_t:s0
Objetos Destino               /opt/zimbra/zdesktop/linux/prism/xulrunner/libxul.
                              so [ file ]
Fuente                        zdclient
Dirección de Fuente          /opt/zimbra/zdesktop/linux/prism/zdclient
Puerto                        <Desconocido>
Nombre de Equipo              mine
Paquetes RPM Fuentes          
Paquetes RPM Destinos         
RPM de Políticas             selinux-policy-3.7.19-47.fc13
SELinux Activado              True
Tipo de Política             targeted
Modo Obediente                Permissive
Nombre de Plugin              restore_source_context
Nombre de Equipo              mine
Plataforma                    Linux mine
                     #1 SMP Fri Jul 23
                              17:27:40 UTC 2010 i686 i686
Cantidad de Alertas           3
Visto por Primera Vez         mié 18 ago 2010 08:10:49 CEST
Visto por Última Vez         jue 19 ago 2010 08:18:16 CEST
ID Local                      e3b7374f-e324-4b62-957a-549c59a4c7ec
Números de Línea            

Mensajes de Auditoría Crudos 

node=mine type=AVC msg=audit(1282198696.317:57): avc:  denied  { execmod } for  pid=4558 comm="zdclient" path="/opt/zimbra/zdesktop/linux/prism/xulrunner/libxul.so" dev=dm-1 ino=485003 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=mine type=SYSCALL msg=audit(1282198696.317:57): arch=40000003 syscall=125 success=yes exit=0 a0=d86000 a1=1195000 a2=5 a3=bf8cdc80 items=0 ppid=1 pid=4558 auid=11356 uid=11356 gid=11356 euid=11356 suid=11356 fsuid=11356 egid=11356 sgid=11356 fsgid=11356 tty=(none) ses=2 comm="zdclient" exe="/opt/zimbra/zdesktop/linux/prism/zdclient" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)

Comment 1 Daniel Walsh 2010-08-23 17:33:42 UTC
The alert tells you what to do, or you can turn this check off altogether.

# setsebool -P allow_execmod 1

Comment 2 Pablo Iranzo Gómez 2010-08-24 06:32:47 UTC
Daniel, I've opened the bug because in the past, an updated policy fixed alerts for previous betas (afaik it was on F13 alpha).

Should I report it against Zimbra product bugzilla?


Comment 3 Daniel Walsh 2010-08-24 14:30:40 UTC
I guess if they used the standard location it would have worked.

Then it would have gotten the correct context.

> rpm -qf /usr/lib64/xulrunner-1.9.2/libxul.so

And this version is built correctly not requiring the execmod.

ls -lZ /usr/lib64/xulrunner-1.9.2/libxul.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       /usr/lib64/xulrunner-1.9.2/libxul.so

Comment 4 Pablo Iranzo Gómez 2010-09-20 07:53:50 UTC
Opened the bug in Zimbra bugzilla as:



Comment 5 Pablo Iranzo Gómez 2010-09-20 11:43:28 UTC
Bug 'fixed' on Zimbra desktop as per:



Note You need to log in before you can comment on or make changes to this bug.