Bug 625340 – Zimbra desktop 2 beta 4 doesn't start if enforcing=1

Bug 625340 - Zimbra desktop 2 beta 4 doesn't start if enforcing=1

Summary:	Zimbra desktop 2 beta 4 doesn't start if enforcing=1

Status:	CLOSED CANTFIX

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted (Show other bugs)
Sub Component:
Version:	13
Hardware:	i386 Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Daniel Walsh
QA Contact:	Ben Levenson
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2010-08-19 02:24 EDT by Pablo Iranzo Gómez
Modified:	2010-09-20 07:43 EDT (History)
CC List:	0 users

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2010-08-23 13:33:42 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Pablo Iranzo Gómez 2010-08-19 02:24:02 EDT

Description of problem:

Zimbra desktop 2 beta 4 doesn't start on computer, you get the prism window, but after lots of time, it fails


Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.7.19-47.fc13.noarch

How reproducible:

Start zimbra desktop and wait to fail
  
Actual results:
Zimbra doesn't start

Expected results:
Zimbra should start as it does with 'setenforce 0'

Additional info:
This is setroubleshoot alert 'copy to clipboard' contents:


Resúmen:

SELinux está negando a /opt/zimbra/zdesktop/linux/prism/zdclient "execmod"
acceder a /opt/zimbra/zdesktop/linux/prism/xulrunner/libxul.so.

Descripción Detallada:

[SELinux esta en modo permisivo. Este acceso no fue denegado.]

SELinux denied access requested by /opt/zimbra/zdesktop/linux/prism/zdclient.
/opt/zimbra/zdesktop/linux/prism/zdclient is mislabeled.
/opt/zimbra/zdesktop/linux/prism/zdclient default SELinux type is usr_t, but its
current type is usr_t. Changing this file back to the default type, may fix your
problem.

If you believe this is a bug, please file a bug report against this package.

Permitiendo Acceso:

You can restore the default system context to this file by executing the
restorecon command. restorecon '/opt/zimbra/zdesktop/linux/prism/zdclient'.

Comando para Corregir:

/sbin/restorecon '/opt/zimbra/zdesktop/linux/prism/zdclient'

Información Adicional:

Contexto Fuente               unconfined_u:unconfined_r:unconfined_t:s0
Contexto Destino              system_u:object_r:lib_t:s0
Objetos Destino               /opt/zimbra/zdesktop/linux/prism/xulrunner/libxul.
                              so [ file ]
Fuente                        zdclient
Dirección de Fuente          /opt/zimbra/zdesktop/linux/prism/zdclient
Puerto                        <Desconocido>
Nombre de Equipo              mine
Paquetes RPM Fuentes          
Paquetes RPM Destinos         
RPM de Políticas             selinux-policy-3.7.19-47.fc13
SELinux Activado              True
Tipo de Política             targeted
Modo Obediente                Permissive
Nombre de Plugin              restore_source_context
Nombre de Equipo              mine
Plataforma                    Linux mine
                              2.6.33.6-147.2.4.fc13.i686 #1 SMP Fri Jul 23
                              17:27:40 UTC 2010 i686 i686
Cantidad de Alertas           3
Visto por Primera Vez         mié 18 ago 2010 08:10:49 CEST
Visto por Última Vez         jue 19 ago 2010 08:18:16 CEST
ID Local                      e3b7374f-e324-4b62-957a-549c59a4c7ec
Números de Línea            

Mensajes de Auditoría Crudos 

node=mine type=AVC msg=audit(1282198696.317:57): avc:  denied  { execmod } for  pid=4558 comm="zdclient" path="/opt/zimbra/zdesktop/linux/prism/xulrunner/libxul.so" dev=dm-1 ino=485003 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=mine type=SYSCALL msg=audit(1282198696.317:57): arch=40000003 syscall=125 success=yes exit=0 a0=d86000 a1=1195000 a2=5 a3=bf8cdc80 items=0 ppid=1 pid=4558 auid=11356 uid=11356 gid=11356 euid=11356 suid=11356 fsuid=11356 egid=11356 sgid=11356 fsgid=11356 tty=(none) ses=2 comm="zdclient" exe="/opt/zimbra/zdesktop/linux/prism/zdclient" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)

Comment 1 Daniel Walsh 2010-08-23 13:33:42 EDT

The alert tells you what to do, or you can turn this check off altogether.

# setsebool -P allow_execmod 1

Comment 2 Pablo Iranzo Gómez 2010-08-24 02:32:47 EDT

Daniel, I've opened the bug because in the past, an updated policy fixed alerts for previous betas (afaik it was on F13 alpha).

Should I report it against Zimbra product bugzilla?

Thanks
Pablo

Comment 3 Daniel Walsh 2010-08-24 10:30:40 EDT

I guess if they used the standard location it would have worked.

Then it would have gotten the correct context.

> rpm -qf /usr/lib64/xulrunner-1.9.2/libxul.so
xulrunner-1.9.2.4-1.fc14.x86_64

And this version is built correctly not requiring the execmod.

ls -lZ /usr/lib64/xulrunner-1.9.2/libxul.so
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       /usr/lib64/xulrunner-1.9.2/libxul.so

Comment 4 Pablo Iranzo Gómez 2010-09-20 03:53:50 EDT

Opened the bug in Zimbra bugzilla as:

https://bugzilla.zimbra.com/show_bug.cgi?id=50815

Thanks

Comment 5 Pablo Iranzo Gómez 2010-09-20 07:43:28 EDT

Bug 'fixed' on Zimbra desktop as per:

https://bugzilla.zimbra.com/show_bug.cgi?id=50394

Thanks
Pablo

Note You need to log in before you can comment on or make changes to this bug.