Bug 890919 - zarafa policy seems to still be missing a few things
Summary: zarafa policy seems to still be missing a few things
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.8
Hardware: All
OS: Linux
unspecified
low
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-12-31 06:17 UTC by Erik M Jacobs
Modified: 2013-03-13 13:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-13 13:38:44 UTC
Target Upstream Version:



Description Erik M Jacobs 2012-12-31 06:17:24 UTC
Description of problem:
Installed the latest selinux policy, and zarafa seems to still be missing a few things.

Version-Release number of selected component (if applicable):
2.4.6-327.el5

How reproducible:
100%

Steps to Reproduce:
1. Install 2.4.6-327.el5
2. Do stuff with Zarafa
3.
  
Actual results:
audit2allow output:
#============= postfix_pipe_t ==============
allow postfix_pipe_t zarafa_deliver_exec_t:file { read execute execute_no_trans };
allow postfix_pipe_t zarafa_server_t:unix_stream_socket connectto;
allow postfix_pipe_t zarafa_server_var_run_t:sock_file write;

Expected results:
Zarafa should not have issues.

Additional info:
I see there are some booleans, but the only one that makes sense is:
zarafa_deliver_disable_trans --> off

With it set to "on" (which doesn't make sense), I still have the same issues.

Please let me know what other information is required.

Comment 1 Miroslav Grepl 2013-01-02 12:23:26 UTC
Could you attach AVC msgs for these rules? Thank you.

Comment 2 Erik M Jacobs 2013-01-28 02:05:43 UTC
Sorry that this took me forever.

[root@atlas.dev /usr/share/selinux]$ ausearch -m avc -ts 01/28/2013 02:03:00
----
time->Mon Jan 28 02:03:34 2013
type=SYSCALL msg=audit(1359338614.861:19724): arch=c000003e syscall=59 success=yes exit=0 a0=2b9107c8a910 a1=2b9107c8a980 a2=2b9107c8a820 a3=0 items=0 ppid=29672 pid=29673 auid=501 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=93 comm="zarafa-dagent" exe="/usr/bin/zarafa-dagent" subj=user_u:system_r:postfix_pipe_t:s0 key=(null)
type=AVC msg=audit(1359338614.861:19724): avc:  denied  { read } for  pid=29673 comm="pipe" path="/usr/bin/zarafa-dagent" dev=dm-0 ino=132205 scontext=user_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:zarafa_deliver_exec_t:s0 tclass=file
type=AVC msg=audit(1359338614.861:19724): avc:  denied  { execute_no_trans } for  pid=29673 comm="pipe" path="/usr/bin/zarafa-dagent" dev=dm-0 ino=132205 scontext=user_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:zarafa_deliver_exec_t:s0 tclass=file
type=AVC msg=audit(1359338614.861:19724): avc:  denied  { execute } for  pid=29673 comm="pipe" name="zarafa-dagent" dev=dm-0 ino=132205 scontext=user_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:zarafa_deliver_exec_t:s0 tclass=file
----
time->Mon Jan 28 02:03:34 2013
type=SYSCALL msg=audit(1359338614.990:19725): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7fff911e9840 a2=6e a3=1 items=0 ppid=29672 pid=29673 auid=501 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=93 comm="zarafa-dagent" exe="/usr/bin/zarafa-dagent" subj=user_u:system_r:postfix_pipe_t:s0 key=(null)
type=AVC msg=audit(1359338614.990:19725): avc:  denied  { connectto } for  pid=29673 comm="zarafa-dagent" path="/var/run/zarafa" scontext=user_u:system_r:postfix_pipe_t:s0 tcontext=user_u:system_r:zarafa_server_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1359338614.990:19725): avc:  denied  { write } for  pid=29673 comm="zarafa-dagent" name="zarafa" dev=dm-0 ino=385461 scontext=user_u:system_r:postfix_pipe_t:s0 tcontext=user_u:object_r:zarafa_server_var_run_t:s0 tclass=sock_file

Comment 3 Miroslav Grepl 2013-03-13 13:38:44 UTC
This one issue should be fixed in RHEL-6, therefore I am closing the bug as
NEXTRELEASE.

