Description of problem:
When service jabberd start is run, the four jabberd programs (router, sm, c2s, s2s) are running as initrc_t, not jabberd_t.

Version-Release number of selected component (if applicable):
# rpm -q jabberd selinux-policy-targeted
jabberd-2.2.8-5.fc12.i686
selinux-policy-targeted-3.7.19-49.fc13.noarch
# semodule -l | grep jabber
jabber 1.8.0

How reproducible:
Deterministic.

Steps to Reproduce:
1. Install jabberd.
2. Run service jabberd start.
3. Run ps axuwZ | grep jabber

Actual results:
ps axwuZ | grep jabber
unconfined_u:system_r:initrc_t:s0 jabber 23402 4.7 0.1 8496 3140 ? S 09:46 0:00 /usr/bin/router -c /etc/jabberd/router.xml
unconfined_u:system_r:initrc_t:s0 jabber 23409 0.0 0.1 10756 3080 ? S 09:46 0:00 /usr/bin/sm -c /etc/jabberd/sm.xml
unconfined_u:system_r:initrc_t:s0 jabber 23416 0.0 0.1 7796 2520 ? S 09:46 0:00 /usr/bin/c2s -c /etc/jabberd/c2s.xml
unconfined_u:system_r:initrc_t:s0 jabber 23423 0.0 0.0 7772 1724 ? S 09:46 0:00 /usr/bin/s2s -c /etc/jabberd/s2s.xml

Expected results:
The type should not be initrc_t; it probably should be jabberd_t.

Additional info:
The selinux-policy-targeted-3.7.19-49.fc13.noarch (and serefpolicy-3.7.19 in general) specifies a file context for /usr/sbin/jabberd, but that file does not exist in Fedora 13 (and likely did not exist in earlier versions). We probably want to label /usr/bin/router, /usr/bin/sm, /usr/bin/c2s and /usr/bin/s2s, as these are now the programs that are run by /etc/init.d/jabberd.
Sadly, even if I do

# for i in router sm c2s s2s ; do chcon -t jabberd_exec_t /usr/bin/$i ; done
# service jabberd restart

I get AVCs like

type=AVC msg=audit(1283155304.333:116926): avc: denied { name_bind } for pid=24007 comm="router" src=5347 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1283155304.370:116931): avc: denied { read } for pid=24014 comm="sm" name="stat" dev=proc ino=4026531985 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1283155304.371:116932): avc: denied { read } for pid=24014 comm="sm" name="cpuinfo" dev=proc ino=4026531980 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1283155304.372:116933): avc: denied { read } for pid=24014 comm="sm" name="stat" dev=proc ino=4026531985 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1283155304.372:116934): avc: denied { read } for pid=24014 comm="sm" name="cpuinfo" dev=proc ino=4026531980 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1283155304.387:116935): avc: denied { name_connect } for pid=24014 comm="sm" dest=5347 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1283155304.425:116940): avc: denied { read } for pid=24023 comm="c2s" name="urandom" dev=devtmpfs ino=3984 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1283155304.427:116941): avc: denied { name_connect } for pid=24023 comm="c2s" dest=5347 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1283155304.456:116946): avc: denied { name_connect } for pid=24030 comm="s2s" dest=5347 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Other AVCs are

type=AVC msg=audit(1283157600.284:117254): avc: denied { name_bind } for pid=25026 comm="router" src=5347 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1283157600.333:117259): avc: denied { name_connect } for pid=25033 comm="sm" dest=5347 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1283157600.333:117260): avc: denied { read } for pid=25026 comm="router" name="urandom" dev=devtmpfs ino=3984 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1283157600.333:117260): avc: denied { open } for pid=25026 comm="router" name="urandom" dev=devtmpfs ino=3984 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1283157600.334:117261): avc: denied { getattr } for pid=25026 comm="router" path="/etc/krb5.conf" dev=dm-1 ino=447640 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=AVC msg=audit(1283157600.334:117262): avc: denied { read } for pid=25026 comm="router" name="krb5.conf" dev=dm-1 ino=447640 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=AVC msg=audit(1283157600.334:117262): avc: denied { open } for pid=25026 comm="router" name="krb5.conf" dev=dm-1 ino=447640 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=AVC msg=audit(1283157600.334:117263): avc: denied { getattr } for pid=25026 comm="router" path="/dev/urandom" dev=devtmpfs ino=3984 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1283157600.334:117264): avc: denied { create } for pid=25026 comm="router" scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=unconfined_u:system_r:jabberd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1283157600.334:117265): avc: denied { bind } for pid=25026 comm="router" scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=unconfined_u:system_r:jabberd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1283157600.334:117266): avc: denied { getattr } for pid=25026 comm="router" scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=unconfined_u:system_r:jabberd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1283157600.334:117267): avc: denied { write } for pid=25026 comm="router" scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=unconfined_u:system_r:jabberd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1283157600.334:117267): avc: denied { nlmsg_read } for pid=25026 comm="router" scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=unconfined_u:system_r:jabberd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1283157600.335:117268): avc: denied { read } for pid=25026 comm="router" scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=unconfined_u:system_r:jabberd_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1283157600.336:117269): avc: denied { search } for pid=25026 comm="router" name="contexts" dev=dm-1 ino=23533 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=AVC msg=audit(1283157600.336:117269): avc: denied { search } for pid=25026 comm="router" name="files" dev=dm-1 ino=23539 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=dir
type=AVC msg=audit(1283157600.336:117270): avc: denied { read } for pid=25026 comm="router" name="file_contexts" dev=dm-1 ino=42075 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1283157600.336:117270): avc: denied { open } for pid=25026 comm="router" name="file_contexts" dev=dm-1 ino=42075 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1283157600.336:117271): avc: denied { getattr } for pid=25026 comm="router" path="/etc/selinux/targeted/contexts/files/file_contexts" dev=dm-1 ino=42075 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1283157600.539:117280): avc: denied { setfscreate } for pid=25026 comm="router" scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=unconfined_u:system_r:jabberd_t:s0 tclass=process
The audit2allow output is:

# audit2allow -i /var/log/audit/audit.log

#============= jabberd_t ==============
allow jabberd_t default_context_t:dir search;
allow jabberd_t file_context_t:dir search;
allow jabberd_t file_context_t:file { read getattr open };
allow jabberd_t krb5_conf_t:file { read getattr open };
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow jabberd_t port_t:tcp_socket { name_bind name_connect };
allow jabberd_t proc_t:file { read open };
allow jabberd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow jabberd_t self:process setfscreate;
#!!!! This avc can be allowed using the boolean 'global_ssp'
allow jabberd_t urandom_device_t:chr_file { read getattr open };

But I don't think I want to allow that allow_ypbind, for example. There's no yellow pages on my system. So maybe the component of this bugzilla should be jabberd first, for the jabberd maintainer to first clear any operations that should not be necessary?
Miroslav, we might want to look at splitting these domains apart? Looks like jabberd is doing some kerberos library that is trying to set the label on a cache file?
(In reply to comment #4)
> Miroslav, we might want to look at splitting these domains apart?

Yes, it looks so. Mainly for /usr/bin/router. I will take care of that.

> Looks like jabberd is doing some kerberos library that is trying to set the
> label on a cache file?
Jan, could you test it with the "myjabberd" local policy available from

git clone git://fedorapeople.org/~mgrepl/test_policy_modules.git

After that just run the "myjabberd.sh" script.

Thanks.
[root@vmware175 test_policy_modules]# ps axuwZ | grep jabber
unconfined_u:system_r:initrc_t:s0 jabber 1485 12.2 0.6 8532 3372 ? S 09:21 0:00 /usr/bin/router -c /etc/jabberd/router.xml
unconfined_u:system_r:initrc_t:s0 jabber 1492 0.6 0.6 10760 3236 ? S 09:21 0:00 /usr/bin/sm -c /etc/jabberd/sm.xml
unconfined_u:system_r:initrc_t:s0 jabber 1499 0.2 0.5 7800 2616 ? S 09:21 0:00 /usr/bin/c2s -c /etc/jabberd/c2s.xml
unconfined_u:system_r:initrc_t:s0 jabber 1506 0.2 0.3 7776 1880 ? S 09:21 0:00 /usr/bin/s2s -c /etc/jabberd/s2s.xml
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1510 0.0 0.1 4312 744 pts/0 S+ 09:21 0:00 grep jabber
[root@vmware175 test_policy_modules]# semodule -l | grep jabber
jabber 1.8.0
myjabberd 1.0
[root@vmware175 test_policy_modules]# grep AVC /var/log/audit/audit*.log | wc -l
0
[root@vmware175 test_policy_modules]#
Oops. The script did not restorecon the /usr/bin files. After doing that, I get

[root@vmware175 test_policy_modules]# ps axuwZ | grep jabber
unconfined_u:system_r:jabberd_t:s0 jabber 1583 0.1 0.6 10636 3156 ? S 09:23 0:00 /usr/bin/sm -c /etc/jabberd/sm.xml
unconfined_u:system_r:jabberd_t:s0 jabber 1590 0.0 0.4 7800 2528 ? S 09:23 0:00 /usr/bin/c2s -c /etc/jabberd/c2s.xml
unconfined_u:system_r:jabberd_t:s0 jabber 1597 0.0 0.3 7652 1824 ? S 09:23 0:00 /usr/bin/s2s -c /etc/jabberd/s2s.xml
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1605 0.0 0.1 4312 748 pts/0 S+ 09:24 0:00 grep jabber
[root@vmware175 test_policy_modules]# grep AVC /var/log/audit/audit*.log
type=AVC msg=audit(1283239427.636:114): avc: denied { name_bind } for pid=1576 comm="router" src=5347 scontext=unconfined_u:system_r:jabberd_router_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1283239427.756:119): avc: denied { name_connect } for pid=1583 comm="sm" dest=5347 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1283239427.802:124): avc: denied { name_connect } for pid=1590 comm="c2s" dest=5347 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1283239427.857:129): avc: denied { name_connect } for pid=1597 comm="s2s" dest=5347 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
[root@vmware175 test_policy_modules]#
And here's the output for Permissive -- there the router gets started:

[root@vmware175 test_policy_modules]# ps axuwZ | grep jabber
unconfined_u:system_r:jabberd_router_t:s0 jabber 1694 5.3 0.5 7788 2624 ? S 09:26 0:00 /usr/bin/router -c /etc/jabberd/router.xml
unconfined_u:system_r:jabberd_t:s0 jabber 1701 0.2 0.6 10760 3240 ? S 09:26 0:00 /usr/bin/sm -c /etc/jabberd/sm.xml
unconfined_u:system_r:jabberd_t:s0 jabber 1708 0.1 0.5 7800 2616 ? S 09:26 0:00 /usr/bin/c2s -c /etc/jabberd/c2s.xml
unconfined_u:system_r:jabberd_t:s0 jabber 1715 0.1 0.3 7776 1876 ? S 09:26 0:00 /usr/bin/s2s -c /etc/jabberd/s2s.xml
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1719 0.0 0.1 4312 744 pts/0 S+ 09:26 0:00 grep jabber
[root@vmware175 test_policy_modules]# grep AVC /var/log/audit/audit*.log
type=AVC msg=audit(1283239574.179:139): avc: denied { name_bind } for pid=1694 comm="router" src=5347 scontext=unconfined_u:system_r:jabberd_router_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1283239574.287:144): avc: denied { name_connect } for pid=1701 comm="sm" dest=5347 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
[root@vmware175 test_policy_modules]#
I was able to get the router running even in enforcing (and without that name_bind error) by doing:

/usr/sbin/semanage port -a -t jabber_interserver_port_t -p tcp 5347 || :

But the name_connect AVCs are still present:

type=AVC msg=audit(1283240078.050:177): avc: denied { name_connect } for pid=1851 comm="sm" dest=5347 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:jabber_interserver_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1283240078.115:180): avc: denied { name_connect } for pid=1858 comm="c2s" dest=5347 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:jabber_interserver_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1283240078.156:185): avc: denied { name_connect } for pid=1865 comm="s2s" dest=5347 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:jabber_interserver_port_t:s0 tclass=tcp_socket
When I run the thing in permissive, the ports used are

[root@vmware175 test_policy_modules]# ps axuwZ | grep jabber | awk '{print $3}' | while read i ; do lsof -np $i ; done | grep TCP
router 2014 jabber 5u IPv4 19636 0t0 TCP *:5347 (LISTEN)
router 2014 jabber 6u IPv4 19689 0t0 TCP 127.0.0.1:5347->127.0.0.1:38185 (ESTABLISHED)
router 2014 jabber 7u IPv4 19743 0t0 TCP 127.0.0.1:5347->127.0.0.1:38186 (ESTABLISHED)
router 2014 jabber 8u IPv4 19744 0t0 TCP 127.0.0.1:5347->127.0.0.1:38187 (ESTABLISHED)
sm 2021 jabber 5u IPv4 19688 0t0 TCP 127.0.0.1:38185->127.0.0.1:5347 (ESTABLISHED)
c2s 2028 jabber 5u IPv4 19712 0t0 TCP 127.0.0.1:38186->127.0.0.1:5347 (ESTABLISHED)
c2s 2028 jabber 6u IPv4 19757 0t0 TCP *:xmpp-client (LISTEN)
s2s 2035 jabber 6u IPv4 19739 0t0 TCP 127.0.0.1:38187->127.0.0.1:5347 (ESTABLISHED)
s2s 2035 jabber 7u IPv4 19758 0t0 TCP *:xmpp-server (LISTEN)
[root@vmware175 test_policy_modules]# grep xmpp-client /etc/services
xmpp-client 5222/tcp # XMPP Client Connection
xmpp-client 5222/udp # XMPP Client Connection
[root@vmware175 test_policy_modules]#
Thanks for testing. I fixed the script and set the jabberd domains to permissive. I added the 'jabber_router_port_t' type for the 5347/tcp port in the local policy and also these rules

allow jabberd_router_t jabber_router_port_t:tcp_socket name_bind;
allow jabberd_t jabber_router_port_t:tcp_socket name_connect;

and the script runs

/usr/sbin/semanage port -a -t jabber_router_port_t -p tcp 5347
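The thread does by hand what audit2allow automates: group the denials by source type, target type and object class, then decide which of the resulting rules are acceptable. The one flagged with allow_ypbind above targets the generic port_t, and the fix chosen here was a dedicated port type plus semanage port rather than that blanket rule. The following Python is an added example, not code from this bug or from the policy package; it groups AVC records into TE allow rules and separately flags socket denials whose target is the generic port_t. The records are constructed samples modelled on the denials quoted in the comments above.

```python
import re
from collections import defaultdict

# Constructed sample records, modelled on the denials quoted in this bug.
SAMPLE_AVCS = """\
type=AVC msg=audit(1283155304.333:116926): avc: denied { name_bind } for pid=24007 comm="router" src=5347 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1283155304.387:116935): avc: denied { name_connect } for pid=24014 comm="sm" dest=5347 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1283157600.334:117262): avc: denied { read } for pid=25026 comm="router" name="krb5.conf" dev=dm-1 ino=447640 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=AVC msg=audit(1283157600.334:117262): avc: denied { open } for pid=25026 comm="router" name="krb5.conf" dev=dm-1 ino=447640 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file
type=AVC msg=audit(1283240078.050:177): avc: denied { name_connect } for pid=1851 comm="sm" dest=5347 scontext=unconfined_u:system_r:jabberd_t:s0 tcontext=system_u:object_r:jabber_interserver_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"  # one or more permissions
    r"(?:.*?\b(?:src|dest)=(?P<port>\d+))?"        # port number, socket AVCs only
    r".*?\bscontext=\w+:\w+:(?P<stype>\w+):"       # subject (process) type
    r".*?\btcontext=\w+:\w+:(?P<ttype>\w+):"       # target (object) type
    r".*?\btclass=(?P<tclass>\w+)")

def parse_avc(line):
    """Return the fields of one AVC denial, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return dict(m.groupdict(), perms=set(m["perms"].split()))

def collect_rules(text):
    """Group denials by (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return rules

def format_rules(rules):
    """Render grouped denials as TE allow rules, sorted for stable output."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        out.append(f"allow {stype} {ttype}:{tclass} {{ {p} }};" if len(perms) > 1
                   else f"allow {stype} {ttype}:{tclass} {p};")
    return out

def unlabelled_port_hits(text):
    """Socket denials whose target is the generic port_t: the port carries no
    dedicated label.  Allowing port_t wholesale would let the domain use any
    unlabelled port; the narrower fix is a port type plus semanage port -a."""
    hits = set()
    for line in text.splitlines():
        d = parse_avc(line)
        if d and d["ttype"] == "port_t" and d["port"]:
            hits.add((d["stype"], d["tclass"], int(d["port"])))
    return sorted(hits)
```

Run against a real audit.log, unlabelled_port_hits() points at the ports that need a semanage port entry before the remaining rules are worth reviewing.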
Now service jabberd start and stop are AVC-clean and ps shows:

unconfined_u:system_r:jabberd_router_t:s0 jabber 5644 8.7 0.5 7788 2624 ? S 10:14 0:00 /usr/bin/router -c /etc/jabberd/router.xml
unconfined_u:system_r:jabberd_t:s0 jabber 5651 0.2 0.6 10760 3236 ? S 10:14 0:00 /usr/bin/sm -c /etc/jabberd/sm.xml
unconfined_u:system_r:jabberd_t:s0 jabber 5658 0.1 0.5 7800 2616 ? S 10:14 0:00 /usr/bin/c2s -c /etc/jabberd/c2s.xml
unconfined_u:system_r:jabberd_t:s0 jabber 5665 0.1 0.3 7776 1884 ? S 10:14 0:00 /usr/bin/s2s -c /etc/jabberd/s2s.xml

Thanks, Jan
Fixed in selinux-policy-3.7.19-53.fc13.
selinux-policy-3.7.19-54.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-54.fc13
selinux-policy-3.7.19-54.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-54.fc13
Thanks, after the upgrade the domains are much better now:

# service jabberd start
Initializing jabberd processes ...
Starting router: [ OK ]
Starting sm: [ OK ]
Starting c2s: [ OK ]
Starting s2s: [ OK ]
# ps axuwZ | grep jabber
unconfined_u:system_r:jabberd_router_t:s0 jabber 25090 14.6 0.1 7808 2336 ? S 13:56 0:00 /usr/bin/router -c /etc/jabberd/router.xml
unconfined_u:system_r:jabberd_t:s0 jabber 25097 0.3 0.1 10808 3056 ? S 13:56 0:00 /usr/bin/sm -c /etc/jabberd/sm.xml
unconfined_u:system_r:jabberd_t:s0 jabber 25104 0.0 0.1 7848 2380 ? S 13:56 0:00 /usr/bin/c2s -c /etc/jabberd/c2s.xml
unconfined_u:system_r:jabberd_t:s0 jabber 25111 0.0 0.0 7824 1712 ? S 13:56 0:00 /usr/bin/s2s -c /etc/jabberd/s2s.xml
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 25115 0.0 0.0 4360 728 pts/10 S+ 13:56 0:00 grep jabber
#
selinux-policy-3.7.19-54.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.