720463 – Zarafa needs a SELinux treatment to work (currently works only in the permissive mode)

Bug 720463 - Zarafa needs a SELinux treatment to work (currently works only in the permissive mode)

Summary: Zarafa needs a SELinux treatment to work (currently works only in the permiss...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.1
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:	setroubleshoot_trace_hash:51c480719e1...
Depends On:	574788
Blocks:
TreeView+	depends on / blocked

Reported:	2011-07-11 17:12 UTC by Matěj Cepl
Modified:	2012-10-16 11:33 UTC (History)
CC List:	15 users (show)
Fixed In Version:	selinux-policy-3.7.19-115.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:	574788
Environment:
Last Closed:	2011-12-06 10:09:11 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:1511	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2011-12-06 00:39:17 UTC

Comment 2 Miroslav Grepl 2011-07-20 07:41:31 UTC

The zarafa policy needs to be backported.

Comment 3 Miroslav Grepl 2011-07-27 13:31:21 UTC

Fixed in selinux-policy-3.7.19-105.el6

Comment 7 Miroslav Grepl 2011-08-10 15:06:42 UTC

Fixed in selinux-policy-3.7.19-107.el6

Comment 10 Miroslav Grepl 2011-08-31 20:09:30 UTC

Fixed in selinux-policy-3.7.19-109.el6

Comment 14 Miroslav Grepl 2011-09-08 14:34:10 UTC

Fixed in selinux-policy-3.7.19-110.el6

Comment 15 Robert Scheck 2011-09-08 16:01:47 UTC

I'm not really happy with the SELinux policy for Zarafa. It is very incomplete;
caused a lot of pain already here. Looks like I need to investigate to support
you here.

Comment 16 Daniel Walsh 2011-09-08 16:12:45 UTC

Maybe we should move this to an unconfined_domain() until it gets better testing in Fedora.

Comment 19 Miroslav Grepl 2011-10-05 12:49:44 UTC

Well, not sure why zarafa-deliver needs this. 

Does it happen by default? Or did you change your configuration.

Comment 21 Robert Scheck 2011-10-05 13:06:12 UTC

There are various AVC denieds per default. Furthermore Zarafa is much more
flexible than what the SELinux policy covers at the moment. The policy does
also not cover the proprietary parts of Zarafa which are neccessary in some
business installations.

Comment 22 Miroslav Grepl 2011-10-05 13:10:36 UTC

Robert, 
could attach AVC msgs which you are getting. 


I really need to make zarafa domains as unconfined.

Comment 23 Miroslav Grepl 2011-10-05 13:41:06 UTC

(In reply to comment #22)

> I really need to make zarafa domains as unconfined.

Fixed in selinux-policy-3.7.19-115.el6

Comment 24 Robert Scheck 2011-10-05 13:44:16 UTC

Can you provide me a link to a howto how to start with a SELinux policy? So
just the AVC msgs are not enough, e.g. not all Zarafa components have proper 
contexts.

Comment 25 Milos Malik 2011-10-06 09:00:11 UTC

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/PolicyGeneration.odp

Comment 26 Matěj Cepl 2011-10-06 11:49:39 UTC

(In reply to comment #25)
> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/PolicyGeneration.odp

I don't think that starting from the scratch is a good idea at this point. Robert, which Zarafa components are not covered?

Comment 27 Miroslav Grepl 2011-10-06 12:06:28 UTC

Robert, 
do you use the latest RHEL6 build?

Comment 28 Robert Scheck 2011-10-06 12:08:25 UTC

Matěj, it unfortunately feels somehow like anything. May somebody provide me
the really latest SELinux policy source files for the Zarafa module?

Comment 29 Miroslav Grepl 2011-10-06 12:16:45 UTC

You can get it from

http://git.fedorahosted.org/git/?p=selinux-policy.git

Comment 31 Milos Malik 2011-10-21 12:11:17 UTC

Hi Robert,

do you still see AVCs when the latest policy is installed? If so, please copy&paste them here.

Comment 36 Robert Scheck 2011-11-21 01:04:07 UTC

type=AVC msg=audit(1321836992.613:165593): avc:  denied  { name_connect } for  pid=1386 comm="saslauthd" dest=236 scontext=unconfined_u:system_r:saslauthd_t:s0 tcontext=system_u:object_r:zarafa_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1321836992.613:165593): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=89d50c a2=10 a3=7fffb909fe30 items=0 ppid=1385 pid=1386 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(n
one) ses=1298 comm="saslauthd" exe="/usr/sbin/saslauthd" subj=unconfined_u:system_r:saslauthd_t:s0 key=(null)

This won't be reproducible for you now as this piece of software hasn't been
made public yet, but will be in the next weeks. However saslauthd_t must be
able to connect to zarafa_port_t, which should be TCP ports 236/237.

Comment 37 Daniel Walsh 2011-11-23 17:58:42 UTC

Miroslav we need 

Mc843ff178c071c6856f7299d0c872c274cef9118

Back ported to RHEL6 F15 and F16.

Comment 38 errata-xmlrpc 2011-12-06 10:09:11 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

Comment 39 Robert Scheck 2011-12-19 00:09:40 UTC

Miroslav, any update regarding comment #37?

Comment 40 Miroslav Grepl 2011-12-19 08:19:31 UTC

yes, this will be available in RHEL6.3. You can download pre-release from

http://people.redhat.com/dwalsh/SELinux/RHEL6/noarch/

Note You need to log in before you can comment on or make changes to this bug.