873885 – Update SELinux policy to cover Z-Push 2.0.x proper

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 873885 - Update SELinux policy to cover Z-Push 2.0.x proper

Summary: Update SELinux policy to cover Z-Push 2.0.x proper

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.3
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-11-06 21:50 UTC by Robert Scheck
Modified:	2019-04-16 14:01 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-02-25 10:46:17 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Robert Scheck 2012-11-06 21:50:24 UTC

Description of problem:
RPM Fusion is going to ship an updated RPM package of Z-Push (2.0.x) soon. As
far as I got, Z-Push is currently not covered, but I think it needs to be in
the future in order to work properly if SELinux is enforced.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-155.el6_3.4.noarch
selinux-policy-targeted-3.7.19-155.el6_3.4.noarch

Actual results:
Z-Push 2.0.x is packaged as follows:

- /etc/z-push/ contains configuration files written in PHP that are symlinked
  to /usr/share/z-push
- /usr/share/z-push/ contains the Z-Push code files written in PHP handled by
  the Apache Webserver. The PHP code does SHM/SEM/IPC somehow
- /usr/sbin/z-push-admin is a PHP script for the terminal which includes PHP
  files from /usr/share/z-push and manipulates files in /var/log/z-push and
  /var/lib/z-push. The PHP code is going to connect to Zarafa via Unix socket,
  or HTTP (236/TCP or 237/TCP) or to IMAP (143/TCP) for example, if this is
  somehow relevant
- /usr/sbin/z-push-top is a PHP script for the terminal which includes PHP
  files from /usr/share/z-push and does some SHM/SEM/IPC handling
- /var/lib/z-push is owned by apache:apache and content is usually written by
  Apache, but might be also by z-push-admin
- /var/log/z-push is owned by apache:apache and content is usually written by
  Apache, but might be also read by z-push-admin

The question is, whether we use httpd_*_t here or a zpush_*_t here etc.?

Expected results:
SELinux policy ;-) of course I'll help and assist as much as possible. This
is explicitly filed against RHEL because it needs to get into RHEL in the end.

Comment 2 Robert Scheck 2012-11-07 18:50:56 UTC

Ticket #00738924 is cross-field in the Red Hat customer portal.

Comment 3 Daniel Walsh 2012-11-07 20:49:56 UTC

/var/lib/z-push(/.*)?  gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/log/z-push(/.*)?          gen_context(system_u:object_r:httpd_log_t,s0)


These two might not be correct.

/usr/share/z-push(/.*)?                        gen_context(system_u:object_r:httpd_sys_content_t,s0)
/etc/z-push(/.*)?                      gen_context(system_u:object_r:httpd_sys_content_t,s0)

Which paths does Apache need to execute other then the ones in /usr/bin.

Comment 4 Robert Scheck 2012-11-08 19:35:17 UTC

I wonder about httpd_sys_content_t because phpMyAdmin doesn't have that
context right now?! Z-Push is like phpMyAdmin or WordPress, just to give
you an impression, however it has CLI scripts for management additionally.

Comment 5 Daniel Walsh 2012-11-08 21:55:54 UTC

So httpd does not execute or read anything in these directories?

Comment 6 Robert Scheck 2012-11-08 23:50:38 UTC

Just compare the RPMs and the file contexts yourself:

- http://buildsys.rpmfusion.org/plague-results/el-6-rpmfusion_free/z-push/2.0.5-1.el6/noarch/
- http://kojipkgs.fedoraproject.org//packages/phpMyAdmin/3.5.3/1.el6/noarch/

/etc/phpMyAdmin =~ /etc/z-push -> system_u:object_r:etc_t:s0
/usr/share/phpMyAdmin =~ /usr/share/z-push -> system_u:object_r:usr_t:s0

However, phpMyAdmin seems to be fine and does not cause any trouble. Does it
mean that the Apache SELinux policy has already so much loosed that it works
without adaptions (when ignoring the write issue in z-push)?! Or should these
directories be added for phpMyAdmin because they are missing by accident? I'm
sorry for doing this comparision, however it is similar software...

I agree with httpd_log_t for /var/log/z-push, cacti or others seem to use the
same file context here.

Finally, I'm  abit irritated about httpd_var_lib_t for /var/lib/z-push, as
httpd_sys_rw_content_t is e.g. in use for /var/lib/koji - so where's the 
difference? Apache must be here able to create, read & delete sub-directories, 
create, read, delete and modify files.

Comment 7 Robert Scheck 2012-11-13 11:24:31 UTC

Daniel or Miroslav: Ping?

Comment 8 Daniel Walsh 2012-11-13 18:17:02 UTC

Well /var/lib/koji might be labeled differently also.  I am not sure there is much of a difference between httpd_sys_content_t, and httpd_var_lib_t, more domains are allowed to read httd_sys_content_t.  cgi scripts are not allowed to use httpd_var_lib_t.

# sesearch -CA -s httpd_sys_script_t -t httpd_var_lib_t
# sesearch -CA -s httpd_t -t httpd_var_lib_t
Found 3 semantic av rules:
   allow httpd_t httpd_var_lib_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
   allow httpd_t httpd_var_lib_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; 
   allow httpd_t file_type : filesystem getattr ; 


Where as

sesearch -CA -s httpd_sys_script_t -t httpd_sys_rw_content_t | wc -l
11

Comment 9 Daniel Walsh 2012-11-13 18:17:46 UTC

In RHEL6 policy httpd_t is allowed to read files labeled etc_t and usr_t.

Comment 10 Miroslav Grepl 2012-11-14 11:21:28 UTC

So, it should work with

/etc/z-push(/.*)?                      gen_context(system_u:object_r:etc_t,s0)

/usr/share/z-push(/.*)?                      gen_context(system_u:object_r:user_t,s0)

/var/lib/z-push(/.*)?  gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/log/z-push(/.*)?          gen_context(system_u:object_r:httpd_log_t,s0)

Comment 11 Robert Scheck 2012-11-21 10:55:15 UTC

I'm currently playing with the proposed stuff from above:

  semanage fcontext -a -f 'all files' -t httpd_log_t '/var/log/z-push(/.*)?'

However this causes (after "restorecon -v -R /var/log/z-push") this:

type=AVC msg=audit(1353494956.203:19460): avc:  denied  { write } for  pid=10246 comm="httpd" name="z-push.log" dev=dm-0 ino=28297 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file

Is it correct that httpd_t is not allowed to write httpd_log_t? Should this
still be solved within httpd*_t then?

Comment 12 Miroslav Grepl 2012-11-21 11:05:25 UTC

Yes, this is correct. Z-Push should append own logs or we will need to change labeling.

Comment 13 Robert Scheck 2012-11-21 11:08:59 UTC

Z-Push uses PHP's file_put_contents() which creates or appends. Unfortunately,
it is sometimes necessary to create new log files that can't be covered already
with packaging. So which other labeling do you prefer? Zarafa itself recommends
here to use httpd_sys_rw_content_t - which seems a) strange and b) wrong to me,
but feel free to correct me, please.

Comment 14 Daniel Walsh 2012-11-21 13:48:19 UTC

   allow httpd_t httpd_log_t : file { ioctl read create getattr lock append open } ; 

It does have create and append.  I guess this  could be a problem then.

Comment 15 Daniel Walsh 2012-11-21 13:49:19 UTC

Joe, A while ago didn't we decide that preventing apache from writing its own logs is not necessary?  IE It would be ok if httpd_t could clear a log file.

Comment 16 Robert Scheck 2012-11-22 17:58:40 UTC

Wouldn't an allow for write bear the risk that e.g. a PHP script could truncate
the Apache access_log?

Comment 17 Miroslav Grepl 2012-11-23 09:02:24 UTC

I agree. I believe we should change labeling to httpd_sys_rw_content_t as we have it for Zarafa. Or we could discuss httpd_rw_log_t for these projects.

Comment 18 Robert Scheck 2012-11-23 10:25:56 UTC

Ah: Drupal, Subversion, DokuWiki, Zabbix and Moodle use httpd_sys_rw_content_t.
If the label would be fine for you, I would run some tests with that myself...

Comment 19 Robert Scheck 2012-11-28 10:40:40 UTC

Ping? Shall I try with httpd_sys_rw_content_t? And would this context be in
general suitable for you?

Comment 20 Miroslav Grepl 2012-11-28 15:40:02 UTC

You can also test the latest build. The labeling should be there.

Comment 21 Robert Scheck 2012-11-28 15:41:08 UTC

The latest build that includes httpd_sys_rw_content_t is which RPM package 
version of the policy?

Comment 22 Miroslav Grepl 2012-11-28 15:47:27 UTC

(In reply to comment #21)
> The latest build that includes httpd_sys_rw_content_t is which RPM package 
> version of the policy?

selinux-policy-3.7.19-183.el6

Comment 23 Robert Scheck 2012-11-30 18:36:38 UTC

Using selinux-policy-3.7.19-183.el6 the first login with Z-Push fails like this:

type=AVC msg=audit(1354300349.730:21012): avc:  denied  { unix_read unix_write } for  pid=2742 comm="httpd" key=20  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem
type=SYSCALL msg=audit(1354300349.730:21012): arch=c000003e syscall=64 success=no exit=-13 a0=14 a1=3 a2=3b6 a3=7f13f420c850 items=0 ppid=2735 pid=2742 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354300352.388:21013): avc:  denied  { unix_read unix_write } for  pid=2744 comm="httpd" key=20  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem
type=SYSCALL msg=audit(1354300352.388:21013): arch=c000003e syscall=64 success=no exit=-13 a0=14 a1=3 a2=3b6 a3=7f13f420c850 items=0 ppid=2735 pid=2744 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354300354.838:21014): avc:  denied  { unix_read unix_write } for  pid=2743 comm="httpd" key=20  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem
type=SYSCALL msg=audit(1354300354.838:21014): arch=c000003e syscall=64 success=no exit=-13 a0=14 a1=3 a2=3b6 a3=7f13f420c850 items=0 ppid=2735 pid=2743 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354300360.924:21015): avc:  denied  { unix_read unix_write } for  pid=2737 comm="httpd" key=20  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem
type=SYSCALL msg=audit(1354300360.924:21015): arch=c000003e syscall=64 success=no exit=-13 a0=14 a1=3 a2=3b6 a3=7f13f420c850 items=0 ppid=2735 pid=2737 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

system_u:system_r:zarafa_server_t:s0 root 1560  1.0  1.1 389264 22492 ?        Sl   19:22   0:07 /usr/bin/zarafa-server -c /etc/zarafa/server.cfg
system_u:system_r:zarafa_deliver_t:s0 root 1581 0.0  0.0 225052  1896 ?        S    19:22   0:00 /usr/bin/zarafa-dagent -d -c /etc/zarafa/dagent.cfg
system_u:system_r:zarafa_gateway_t:s0 root 1590 0.0  0.1 204888  2408 ?        S    19:22   0:00 /usr/bin/zarafa-gateway -c /etc/zarafa/gateway.cfg
system_u:system_r:zarafa_ical_t:s0 root   1600  0.0  0.1 201308  2384 ?        S    19:22   0:00 /usr/bin/zarafa-ical -c /etc/zarafa/ical.cfg
system_u:system_r:initrc_t:s0   root      1610  0.0  0.2 342804  4460 ?        Sl   19:22   0:00 /usr/bin/zarafa-licensed -c /etc/zarafa/licensed.cfg
system_u:system_r:zarafa_monitor_t:s0 root 1621 0.0  0.3 406012  6404 ?        Sl   19:22   0:00 /usr/bin/zarafa-monitor -c /etc/zarafa/monitor.cfg
system_u:system_r:initrc_t:s0   root      1633  0.7  0.7 425492 13860 ?        Sl   19:22   0:05 /usr/bin/zarafa-search -c /etc/zarafa/search.cfg
system_u:system_r:zarafa_spooler_t:s0 root 1644 0.0  0.2 302556  5288 ?        Sl   19:22   0:00 /usr/bin/zarafa-spooler -c /etc/zarafa/spooler.cfg

Note, that with Zarafa 7.1.x, zarafa-indexer is replaced by zarafa-search, if that is relevant somehow.

And as said, Z-Push 2.0.x uses the php-process RPM package and makes use of SHM/SEM/IPC through these PHP modules.

Comment 24 Robert Scheck 2012-11-30 18:39:08 UTC

srw-rw-rw-. root root system_u:object_r:zarafa_server_var_run_t:s0 /var/run/zarafa
-rw-r--r--. root root system_u:object_r:zarafa_deliver_var_run_t:s0 /var/run/zarafa-dagent.pid
-rw-r--r--. root root system_u:object_r:zarafa_gateway_var_run_t:s0 /var/run/zarafa-gateway.pid
-rw-r--r--. root root system_u:object_r:zarafa_ical_var_run_t:s0 /var/run/zarafa-ical.pid
srw-rw----. root root system_u:object_r:var_run_t:s0   /var/run/zarafa-licensed
-rw-r--r--. root root system_u:object_r:initrc_var_run_t:s0 /var/run/zarafa-licensed.pid
-rw-r--r--. root root system_u:object_r:zarafa_monitor_var_run_t:s0 /var/run/zarafa-monitor.pid
srw-rw----. root root system_u:object_r:zarafa_server_var_run_t:s0 /var/run/zarafa-prio
srw-rw-rw-. root root system_u:object_r:var_run_t:s0   /var/run/zarafa-search
-rw-r--r--. root root system_u:object_r:initrc_var_run_t:s0 /var/run/zarafa-search.pid
-rw-r--r--. root root system_u:object_r:zarafa_server_var_run_t:s0 /var/run/zarafa-server.pid
-rw-r--r--. root root system_u:object_r:zarafa_spooler_var_run_t:s0 /var/run/zarafa-spooler.pid

Comment 25 Robert Scheck 2012-11-30 18:42:46 UTC

Some more stuff when having SELinux permissive:

type=LOGIN msg=audit(1354300801.355:21018): pid=2877 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=4
type=USER_START msg=audit(1354300801.357:21019): user pid=2877 uid=0 auid=0 ses=4 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1354300801.385:21020): user pid=2877 uid=0 auid=0 ses=4 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1354300801.386:21021): user pid=2877 uid=0 auid=0 ses=4 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=AVC msg=audit(1354300813.135:21022): avc:  denied  { unix_read unix_write } for  pid=2738 comm="httpd" key=20  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem
type=SYSCALL msg=audit(1354300813.135:21022): arch=c000003e syscall=64 success=no exit=-13 a0=14 a1=3 a2=3b6 a3=7f13f420c850 items=0 ppid=2735 pid=2738 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354300816.862:21023): avc:  denied  { unix_read unix_write } for  pid=2739 comm="httpd" key=20  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem
type=SYSCALL msg=audit(1354300816.862:21023): arch=c000003e syscall=64 success=no exit=-13 a0=14 a1=3 a2=3b6 a3=7f13f420c850 items=0 ppid=2735 pid=2739 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354300820.700:21024): avc:  denied  { unix_read unix_write } for  pid=2740 comm="httpd" key=20  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem
type=SYSCALL msg=audit(1354300820.700:21024): arch=c000003e syscall=64 success=no exit=-13 a0=14 a1=3 a2=3b6 a3=7f13f420c850 items=0 ppid=2735 pid=2740 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=MAC_STATUS msg=audit(1354300876.178:21025): enforcing=0 old_enforcing=1 auid=0 ses=1
type=SYSCALL msg=audit(1354300876.178:21025): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fffbac2d0b0 a2=1 a3=fffffff8 items=0 ppid=1921 pid=2907 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1354300879.073:21026): avc:  denied  { unix_read unix_write } for  pid=2741 comm="httpd" key=20  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem
type=AVC msg=audit(1354300879.073:21026): avc:  denied  { associate } for  pid=2741 comm="httpd" key=20  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem
type=SYSCALL msg=audit(1354300879.073:21026): arch=c000003e syscall=64 success=yes exit=163845 a0=14 a1=3 a2=3b6 a3=7f13f420c850 items=0 ppid=2735 pid=2741 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354300879.074:21027): avc:  denied  { read write } for  pid=2741 comm="httpd" key=20  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem
type=SYSCALL msg=audit(1354300879.074:21027): arch=c000003e syscall=65 success=yes exit=0 a0=28005 a1=7fff7c8dbf10 a2=3 a3=7f13f420c850 items=0 ppid=2735 pid=2741 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354300879.074:21028): avc:  denied  { associate } for  pid=2741 comm="httpd" key=30  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
type=SYSCALL msg=audit(1354300879.074:21028): arch=c000003e syscall=29 success=yes exit=0 a0=1e a1=0 a2=0 a3=7f13f420d4b0 items=0 ppid=2735 pid=2741 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354300879.077:21029): avc:  denied  { unix_read unix_write } for  pid=2741 comm="httpd" key=30  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
type=AVC msg=audit(1354300879.077:21029): avc:  denied  { read write } for  pid=2741 comm="httpd" key=30  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
type=AVC msg=audit(1354300879.077:21029): avc:  denied  { read write } for  pid=2741 comm="httpd" path=2F535953563030303030303165202864656C6574656429 dev=tmpfs ino=0 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1354300879.077:21029): arch=c000003e syscall=30 success=yes exit=139723251134464 a0=0 a1=0 a2=0 a3=7f13f420d4b0 items=0 ppid=2735 pid=2741 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354300882.293:21030): avc:  denied  { associate } for  pid=2742 comm="httpd" key=30  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
type=SYSCALL msg=audit(1354300882.293:21030): arch=c000003e syscall=29 success=yes exit=0 a0=1e a1=0 a2=0 a3=7f13f420d4b0 items=0 ppid=2735 pid=2742 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354300882.303:21031): avc:  denied  { unix_read unix_write } for  pid=2742 comm="httpd" key=30  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
type=AVC msg=audit(1354300882.303:21031): avc:  denied  { read write } for  pid=2742 comm="httpd" key=30  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
type=SYSCALL msg=audit(1354300882.303:21031): arch=c000003e syscall=30 success=yes exit=139723253501952 a0=0 a1=0 a2=0 a3=7f13f420d4b0 items=0 ppid=2735 pid=2742 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354300897.141:21032): avc:  denied  { read write } for  pid=2744 comm="httpd" path=2F535953563030303030303165202864656C6574656429 dev=tmpfs ino=0 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1354300897.141:21032): arch=c000003e syscall=30 success=yes exit=139723253501952 a0=0 a1=0 a2=0 a3=7f13f420d4b0 items=0 ppid=2735 pid=2744 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Comment 26 Robert Scheck 2012-11-30 18:46:37 UTC

Aha! All the stuff above seems to only happen when trying to authenticate with an invalid username/password combination?!

Comment 27 Daniel Walsh 2012-11-30 19:18:56 UTC

You have this service running as an unconfined user, as opposed to an init script?

Are you running stuff as the user and outside of httpd?

You probably do not want it running as unconfined_t.

Comment 28 Robert Scheck 2012-11-30 19:27:20 UTC

Which service? Z-Push consists out of PHP scripts which are run by mod_php
inside of Apache. Z-Push uses some SHM/SEM/IPC calls from PHP. Zarafa itself
is almost completely running zarafa*_t contexts (see above). What I did is
a standard setup of Zarafa 7.1.1 + Z-Push 2.0.5, not more and not less...

Comment 29 Daniel Walsh 2012-11-30 19:47:32 UTC

How would this run on boot?  Is there a service running?

ps -eZ | grep unconfined_t

I would bet you find services running as the user label.  Not initrc_t or zarafa_t

Comment 30 Robert Scheck 2012-11-30 19:51:33 UTC

# ps -eZ | grep unconfined_t
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3431 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3454 pts/0 00:00:00 ps
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3455 pts/0 00:00:00 grep
#

But: "tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm", so please notice the "tclass=shm" or what are you hunting for?

Comment 31 Daniel Walsh 2012-11-30 19:57:25 UTC

Right apache process attempted to connect to a shm owned by an unconfined_t process.  Can you run your test again and see if you get the same AVC's or if it works now.

Comment 32 Robert Scheck 2012-11-30 19:59:27 UTC

Still the same. And I think, I know the cause: z-push-top. It uses SHM, too.
But it is normally run by root interactively on the shell, thus unconfined_t, 
right?

Comment 33 Robert Scheck 2012-12-03 10:24:02 UTC

Any ideas?

Comment 34 Robert Scheck 2012-12-04 19:15:50 UTC

Additionally:

type=AVC msg=audit(1354531843.569:25514): avc:  denied  { create } for  pid=10330 comm="httpd" name="7" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1354531843.569:25514): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=7f13f4db5e50 a1=1ff a2=8 a3=5 items=0 ppid=2735 pid=10330 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid3D48 fsgid=48

Comment 35 Robert Scheck 2012-12-05 17:33:45 UTC

And even more:

type=AVC msg=audit(1354328765.29:21716): avc:  denied  { read } for  pid=4803 comm="logrotate" name="z-push" dev=vda1 ino=263597 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir

type=SYSCALL msg=audit(1354328765.29:21716): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff487d9a90 a1=90800 a2=10abd00 a3=26 items=0 ppid=4801 pid=4803 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=93 comm=logrotate exe=/usr/sbin/logrotate subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Comment 36 Robert Scheck 2012-12-05 17:35:15 UTC

I feel we have to work on this more in detail somehow...

Comment 37 Daniel Walsh 2012-12-05 21:43:33 UTC

Which is why /var/log/z-push should be httpd_log_t and should be opened for append and not write.

Miroslav we have 

manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)

In Fedora.

Yes z-push-top is communicating with a service running under apache would cause this AVC.  

Does z-push-top interact with the apache server when you are authenticating?
(Comment 26)

Comment 38 Robert Scheck 2012-12-05 22:15:45 UTC

(In reply to comment #37)
> Which is why /var/log/z-push should be httpd_log_t and should be opened for
> append and not write.

Actually PHP offers FILE_APPEND for http://php.net/file_put_contents which is
also used by upstream, however the underlying C implementation does something 
else. I'll discuss with upstream here, but I'm also open for other ideas...

> Yes z-push-top is communicating with a service running under apache would
> cause this AVC.  
> 
> Does z-push-top interact with the apache server when you are authenticating?
> (Comment 26)

Yes and no: Accessing http://.../Microsoft-Server-ActiveSync is usually called
by mobile devices and Z-Push saves the connection information (like username,
device type, activity itself) to semaphores (or so). At the same time, there
is z-push-top (like top(1)) which can be used by administrators on the command 
line to display the devices that are currently connected by HTTP(S). From what
I get, the semaphore stuff is created by that process which is run first. So
when I run z-push-top before the HTTP, I get for each wrong authentication via
HTTP an AVC denied. If HTTP is run before z-push-top, everything seems to be
fine.

Would it help for you, if you get a demo VM for KVM or access to such a system?

Comment 39 Robert Scheck 2012-12-05 22:18:23 UTC

Oh and z-push-top does not ask for any credentials, it's simply run as root.

Comment 40 Daniel Walsh 2012-12-06 20:16:28 UTC

No that is a good description but not something I want.  IE Allowing apache processes to connect to users (especially unconfined ones) shared memory.  I wonder if this is something that is pretty unlikely to happen in the field.  Run z-push-top and then start the apache service, versus the apache service running and a user does z-push-top.

Comment 41 Robert Scheck 2012-12-06 20:26:53 UTC

As far as I understand Z-Push, it does not depend on when the Apache starts,
but only on when the first device connects via HTTP. Means you can't do any
useful debugging/monitoring anymore, if the connection interval of the mobile 
devices is not "push", but only every few hours for example. However, if I get 
Zarafa in their (incomplete) Z-Push documentation right, they just ignore that 
case. But hey...they also not care about SELinux that much, but simply advice
to switch to permissive or disable it if needed. The scenario I run into is
IMHO a valid common situation - at least when setting it up the first time or
when doing migrations.

Comment 42 Daniel Walsh 2012-12-06 20:39:21 UTC

So we end up needing a boolean for this, then.  httpd_use_zarafa?

Comment 43 Robert Scheck 2012-12-06 21:43:22 UTC

Uhm. Let me first cross-check if there is really need to create semaphores
when running z-push-top. If I get things right meanwhile, only Apache should 
write or create them. Means it maybe could get solved by fixing the code. I
will talk to upstream.

Comment 44 Robert Scheck 2012-12-06 23:58:02 UTC

PHP: file_put_contents("test.log", "test\n", FILE_APPEND);
strace: open("/tmp/test.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = 3

PHP file_put_contents("test.log", "test\n");
strace: open("/tmp/test.log", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3

The first is used in Z-Push code, but why does SELinux complain here about
"write"? I'm not a C developer, but open(2) doesn't leave so many choices?!

Comment 45 Robert Scheck 2012-12-10 11:31:48 UTC

Additionally I'm in doubt that labeling /var/lib/z-push with httpd_var_lib_t is a good idea:

type=AVC msg=audit(1355129553.305:38699): avc:  denied  { create } for  pid=12761 comm="httpd" name="6" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1355129553.305:38699): arch=c000003e syscall=83 success=no exit=-13 a0=7f13f4dce9a0 a1=1ff a2=8 a3=5 items=0 ppid=2735 pid=12761 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Any idea or explanation regarding comment #44?

Comment 46 Robert Scheck 2012-12-10 23:23:47 UTC

- First of all, I would like to avoid a SELinux boolean, if somehow possible.
- https://jira.zarafa.com/browse/ZP-268 tells that semaphores are not friendly.
- According to some knowledged guys on Freenode #php, all appends in PHP are
  implemented as write via the streams API somehow. Theoretically rewind() is
  possible in PHP for any opened stream. So maybe Joe can confirm or correct
  this statement?
- Couldn't we label /usr/sbin/z-push-{admin,top} as zpush_exec_t, which causes
  semaphores as zpush_t via transition and httpd_t is allowed to access them in 
  general? How about zpush_log_t for /var/log/z-push which allows also the 
  problematic write, not only append and is additionally nice to logrotate?
  And zpush_var_lib_t for /var/lib/z-push which could be managed by httpd_t
  and by zpush_exec_t as needed? Because httpd_var_lib_t doesn't seem to be
  good (loose) enough according to comment #45.

Comment 47 Daniel Walsh 2012-12-11 19:18:21 UTC

zpush_log_t seems to be the best solution.

Does httpd execute /usr/sbin/z-push or /usr/sbin/zpush-admin?

policy_module(myzpush, 1.0)

gen_require(`
type httpd_t;
')

type zpush_log_t;
logging_log_file(zpush_log_t)

manage_dirs_pattern(httpd_t, zpush_log_t, zpush_log_t)
manage_files_pattern(httpd_t, zpush_log_t, zpush_log_t)
manage_lnk_files_pattern(httpd_t, zpush_log_t, zpush_log_t)

# Might also need

manage_dirs_pattern(httpd_sys_script_t, zpush_log_t, zpush_log_t)
manage_files_pattern(httpd_sys_script_t, zpush_log_t, zpush_log_t)
manage_lnk_files_pattern(httpd_sys_script_t, zpush_log_t, zpush_log_t)

Comment 49 Miroslav Grepl 2013-08-07 11:26:44 UTC

Any chance to test it with the latest RHEL6.5 builds?

Comment 50 Matěj Cepl 2013-10-01 08:09:24 UTC

Very brief testing seems to suggest that it goes well, but give me a day before closing this. Unless I will start to shout loudly in a week or so, you can consider this bug fixed.

Comment 51 Matěj Cepl 2013-10-01 08:10:21 UTC

Whoops, I am not a reporter of this bug, so I cannot decide when it has been fixed. Robert, can you check with selinux-policy-targeted-3.7.19-216.el6.noarch?

Comment 52 Robert Scheck 2013-10-01 08:25:12 UTC

Matěj, did you also start z-push-top(1) before doing the first request via
ActiveSync (see first comments)?

Comment 53 Matěj Cepl 2013-10-01 09:39:19 UTC

(In reply to Robert Scheck from comment #52)
> Matěj, did you also start z-push-top(1) before doing the first request via
> ActiveSync (see first comments)?

I did.

Comment 54 Miroslav Grepl 2013-10-02 21:07:04 UTC

So how does it work?

Comment 56 Robert Scheck 2013-12-12 14:50:27 UTC

Using z-push-2.0.9-1.el6.noarch, z-push-zarafa-2.0.9-1.el6.noarch as well as
selinux-policy-targeted-3.7.19-231.el6.noarch this issue is same good/bad like
every time before...it simply does not work. Z-Push can not write to its log
files in /var/log/z-push and if you run z-push-top(1) before doing the frist
HTTP request to Z-Push you additionally still get:

type=AVC msg=audit(1386859197.948:42): avc:  denied  { unix_read unix_write } for  pid=1878 comm="httpd" key=20  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem

Conclusion: Current SELinux policy in RHEL 6.5 doesn't solve this IMHO. I also
did not see any booleans, restorecon -v -R /var/{log,lib}/z-push did not show
any changed contexts.

Comment 57 Miroslav Grepl 2014-01-07 14:59:54 UTC

It has not been approved for RHEL6.5. Ok we have 

type=AVC msg=audit(1386859197.948:42): avc:  denied  { unix_read unix_write } for  pid=1878 comm="httpd" key=20  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem

which we need to solve.

Comment 58 Robert Scheck 2014-01-21 16:50:16 UTC

(In reply to Miroslav Grepl from comment #57)
> It has not been approved for RHEL6.5. Ok we have 
> 
> type=AVC msg=audit(1386859197.948:42): avc:  denied  { unix_read unix_write
> } for  pid=1878 comm="httpd" key=20 
> scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=sem
> 
> which we need to solve.

No, it is unfortunately not that easy:

1. /usr/sbin/z-push-{top,admin} are always run at the shell and will create a
   semaphore if none exists. Right now they are unconfined_t of course.
2. Apache runs PHP code from /usr/share/z-push which will create a semaphore
   if none exists. If semaphores already exist it must be able to access them,
   even if the semaphores were created by 1. and not by 2. This is right now
   not possible and causes the above AVC message.
3. The logging issue is IMHO still open thus append vs. trunc in PHP/C, see
   comment #44.

Can we please clarify if we will have an own Z-Push policy (or extend the
current Zarafa one even Z-Push can be used without Zarafa but other backends)
vs. weakening the SELinux policy by allowing the semaphore stuff or logging
things simply?

If so, where will I start? Labeling /usr/sbin/z-push*, /var/{lib,log}/z-push 
with an individual context, add a type transition for /usr/sbin/z-push* to
a z-push domain that httpd is allowed to fully manage as well and look for
possible further AVCs?

Comment 59 Miroslav Grepl 2014-09-17 07:52:26 UTC

I believe it will need to be resolved by a Z-Push policy.

Comment 61 Miroslav Grepl 2015-02-25 10:46:17 UTC

We will need to go with a local policy in RHEL6 and see to get a solution in RHEL7.

Note You need to log in before you can comment on or make changes to this bug.