We help IT Professionals succeed at work.

selinux blocking zarafa webaccess

1,052 Views
Last Modified: 2012-05-11
Hi,

SElinux is blocking zarafa webaccess
i'm  using fedora 14 and have update my selinux-policy

Summary:

SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files
/etc/zarafa/webaccess/config.php.

Detailed Description:

SELinux has denied the httpd access to potentially mislabeled files
/etc/zarafa/webaccess/config.php. This means that SELinux will not allow httpd
to use these files. If httpd should be allowed this access to these files you
should change the file context to one of the following types, mailman_archive_t,
httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t, logfile,
httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t,
squirrelmail_spool_t, bin_t, cert_t, httpd_prewikka_htaccess_t, httpd_t, lib_t,
passenger_var_lib_t, passenger_var_run_t, cobbler_var_lib_t, abrt_var_run_t,
usr_t, httpd_rotatelogs_exec_t, user_tmp_t, httpd_smokeping_cgi_htaccess_t,
nagios_etc_t, nagios_log_t, sssd_public_t, httpd_keytab_t, locale_t,
httpd_unconfined_script_exec_t, sysctl_crypto_t, etc_t, fonts_t, cluster_conf_t,
proc_t, sysfs_t, httpd_mojomojo_htaccess_t, fonts_cache_t, httpd_exec_t,
httpd_lock_t, krb5_keytab_t, httpd_log_t, passenger_exec_t, dirsrv_config_t,
httpd_config_t, abrt_t, krb5_conf_t, lib_t, user_home_t, udev_tbl_t,
abrt_helper_exec_t, httpd_tmp_t, calamaris_www_t, smokeping_var_lib_t,
shell_exec_t, httpd_cache_t, httpd_tmpfs_t, httpd_w3c_validator_htaccess_t,
iso9660_t, mysqld_etc_t, cvs_data_t, ld_so_t, dirsrvadmin_tmp_t, cobbler_etc_t,
var_lib_t, httpd_helper_exec_t, dbusd_etc_t, dirsrv_share_t, textrel_shlib_t,
httpd_squirrelmail_t, rpm_script_tmp_t, httpd_php_exec_t,
httpd_nagios_htaccess_t, fail2ban_var_lib_t, httpd_zarafa_htaccess_t,
samba_var_t, dirsrv_var_log_t, rpm_tmp_t, net_conf_t, git_system_content_t,
user_cron_spool_t, public_content_t, ld_so_cache_t, anon_inodefs_t,
sysctl_kernel_t, etc_runtime_t, httpd_modules_t, dirsrv_var_run_t,
httpd_var_lib_t, httpd_var_run_t, httpd_awstats_htaccess_t,
httpd_dirsrvadmin_htaccess_t, httpd_suexec_exec_t, application_exec_type,
httpd_user_htaccess_t, chroot_exec_t, httpd_nutups_cgi_htaccess_t,
mailman_cgi_exec_t, gitosis_var_lib_t, httpd_sys_content_t,
dirsrvadmin_config_t, public_content_rw_t, httpd_squid_htaccess_t,
httpd_munin_htaccess_t, httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t,
mailman_data_t, httpd_munin_script_exec_t, httpd_dirsrvadmin_ra_content_t,
httpd_dirsrvadmin_rw_content_t, httpd_w3c_validator_script_exec_t,
httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t,
httpd_user_script_exec_t, httpd_bugzilla_content_t, krb5_host_rcache_t,
httpd_cobbler_content_t, httpd_apcupsd_cgi_script_exec_t,
httpd_dirsrvadmin_content_t, httpd_squid_script_exec_t,
httpd_nagios_script_exec_t, httpd_w3c_validator_ra_content_t,
httpd_w3c_validator_rw_content_t, httpd_awstats_ra_content_t,
httpd_awstats_rw_content_t, httpd_awstats_content_t,
httpd_bugzilla_script_exec_t, httpd_user_ra_content_t, httpd_user_rw_content_t,
httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t,
httpd_nutups_cgi_content_t, httpd_prewikka_script_exec_t,
httpd_mojomojo_content_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t,
httpd_mojomojo_ra_content_t, httpd_mojomojo_rw_content_t,
httpd_sys_script_exec_t, httpd_git_script_exec_t, httpd_cvs_script_exec_t,
httpd_zarafa_script_exec_t, httpd_dirsrvadmin_script_exec_t,
httpd_mojomojo_script_exec_t, httpd_bugzilla_ra_content_t,
httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t,
httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t,
httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t,
httpd_sys_rw_content_t, httpd_zarafa_content_t, httpd_w3c_validator_content_t,
httpd_nagios_ra_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t,
httpd_cobbler_script_exec_t, httpd_zarafa_ra_content_t,
httpd_zarafa_rw_content_t, httpd_smokeping_cgi_script_exec_t,
httpd_git_content_t, httpd_user_content_t, httpd_apcupsd_cgi_content_t, root_t,
httpd_squid_ra_content_t, httpd_squid_rw_content_t,
httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t,
httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t,
httpd_smokeping_cgi_rw_content_t, httpd_smokeping_cgi_content_t,
httpd_cvs_content_t, httpd_sys_content_t, httpd_munin_content_t,
httpd_squid_content_t, httpd_awstats_script_exec_t. Many third party apps
install html files in directories that SELinux policy cannot predict. These
directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of /etc/zarafa/webaccess/config.php so
that the httpd daemon can access it, you need to execute it using semanage
fcontext -a -t FILE_TYPE '/etc/zarafa/webaccess/config.php'.
where FILE_TYPE is one of the following: mailman_archive_t,
httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t, logfile,
httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t,
squirrelmail_spool_t, bin_t, cert_t, httpd_prewikka_htaccess_t, httpd_t, lib_t,
passenger_var_lib_t, passenger_var_run_t, cobbler_var_lib_t, abrt_var_run_t,
usr_t, httpd_rotatelogs_exec_t, user_tmp_t, httpd_smokeping_cgi_htaccess_t,
nagios_etc_t, nagios_log_t, sssd_public_t, httpd_keytab_t, locale_t,
httpd_unconfined_script_exec_t, sysctl_crypto_t, etc_t, fonts_t, cluster_conf_t,
proc_t, sysfs_t, httpd_mojomojo_htaccess_t, fonts_cache_t, httpd_exec_t,
httpd_lock_t, krb5_keytab_t, httpd_log_t, passenger_exec_t, dirsrv_config_t,
httpd_config_t, abrt_t, krb5_conf_t, lib_t, user_home_t, udev_tbl_t,
abrt_helper_exec_t, httpd_tmp_t, calamaris_www_t, smokeping_var_lib_t,
shell_exec_t, httpd_cache_t, httpd_tmpfs_t, httpd_w3c_validator_htaccess_t,
iso9660_t, mysqld_etc_t, cvs_data_t, ld_so_t, dirsrvadmin_tmp_t, cobbler_etc_t,
var_lib_t, httpd_helper_exec_t, dbusd_etc_t, dirsrv_share_t, textrel_shlib_t,
httpd_squirrelmail_t, rpm_script_tmp_t, httpd_php_exec_t,
httpd_nagios_htaccess_t, fail2ban_var_lib_t, httpd_zarafa_htaccess_t,
samba_var_t, dirsrv_var_log_t, rpm_tmp_t, net_conf_t, git_system_content_t,
user_cron_spool_t, public_content_t, ld_so_cache_t, anon_inodefs_t,
sysctl_kernel_t, etc_runtime_t, httpd_modules_t, dirsrv_var_run_t,
httpd_var_lib_t, httpd_var_run_t, httpd_awstats_htaccess_t,
httpd_dirsrvadmin_htaccess_t, httpd_suexec_exec_t, application_exec_type,
httpd_user_htaccess_t, chroot_exec_t, httpd_nutups_cgi_htaccess_t,
mailman_cgi_exec_t, gitosis_var_lib_t, httpd_sys_content_t,
dirsrvadmin_config_t, public_content_rw_t, httpd_squid_htaccess_t,
httpd_munin_htaccess_t, httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t,
mailman_data_t, httpd_munin_script_exec_t, httpd_dirsrvadmin_ra_content_t,
httpd_dirsrvadmin_rw_content_t, httpd_w3c_validator_script_exec_t,
httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t,
httpd_user_script_exec_t, httpd_bugzilla_content_t, krb5_host_rcache_t,
httpd_cobbler_content_t, httpd_apcupsd_cgi_script_exec_t,
httpd_dirsrvadmin_content_t, httpd_squid_script_exec_t,
httpd_nagios_script_exec_t, httpd_w3c_validator_ra_content_t,
httpd_w3c_validator_rw_content_t, httpd_awstats_ra_content_t,
httpd_awstats_rw_content_t, httpd_awstats_content_t,
httpd_bugzilla_script_exec_t, httpd_user_ra_content_t, httpd_user_rw_content_t,
httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t,
httpd_nutups_cgi_content_t, httpd_prewikka_script_exec_t,
httpd_mojomojo_content_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t,
httpd_mojomojo_ra_content_t, httpd_mojomojo_rw_content_t,
httpd_sys_script_exec_t, httpd_git_script_exec_t, httpd_cvs_script_exec_t,
httpd_zarafa_script_exec_t, httpd_dirsrvadmin_script_exec_t,
httpd_mojomojo_script_exec_t, httpd_bugzilla_ra_content_t,
httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t,
httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t,
httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t,
httpd_sys_rw_content_t, httpd_zarafa_content_t, httpd_w3c_validator_content_t,
httpd_nagios_ra_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t,
httpd_cobbler_script_exec_t, httpd_zarafa_ra_content_t,
httpd_zarafa_rw_content_t, httpd_smokeping_cgi_script_exec_t,
httpd_git_content_t, httpd_user_content_t, httpd_apcupsd_cgi_content_t, root_t,
httpd_squid_ra_content_t, httpd_squid_rw_content_t,
httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t,
httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t,
httpd_smokeping_cgi_rw_content_t, httpd_smokeping_cgi_content_t,
httpd_cvs_content_t, httpd_sys_content_t, httpd_munin_content_t,
httpd_squid_content_t, httpd_awstats_script_exec_t. You can look at the
httpd_selinux man page for additional information.

Additional Information:

Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:zarafa_etc_t:s0
Target Objects                /etc/zarafa/webaccess/config.php [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           httpd-2.2.17-1.fc14
Target RPM Packages           zarafa-webaccess-6.40.7-1.fc14
Policy RPM                    selinux-policy-3.9.7-40.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.35.6-45.fc14.i686
                              #1 SMP Mon Oct 18 23:56:17 UTC 2010 i686 i686
Alert Count                   3
First Seen                    Mon 25 Apr 2011 04:56:52 PM CEST
Last Seen                     Mon 25 Apr 2011 04:56:52 PM CEST
Local ID                      54c91620-d009-4328-a85a-c8d19eddba56
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1303743412.546:22489): avc:  denied  { getattr } for  pid=1715 comm="httpd" path="/etc/zarafa/webaccess/config.php" dev=dm-0 ino=143366 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zarafa_etc_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1303743412.546:22489): arch=40000003 syscall=196 success=no exit=-13 a0=bfec69dc a1=bfec671c a2=6b5ff4 a3=3 items=0 ppid=1674 pid=1715 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

Open in new window


how do i configure selinux so i can access zarafa webaccess?
turning off selinux is not an option.

the only related info i seem to find is this:

 
When SELinux is enabled, this is blocking your connection from the webserver to the Zarafa server.

You may solve this by allowing Apache to make network connections:

setsebool httpd_can_network_connect=1

or by disabling SELinux altogether:

setenforce permissive

When you choose to disable SELinux, you will also want to edit /etc/sysconfig/selinux to disable it for reboots too.

Open in new window


but it does not help.
Comment
Watch Question

Kerem ERSOYPresident

Commented:
Hi,

You can create a policy for Zaraf as indicated on its wiki pages. Please follow the article here:

http://www.zarafa.com/wiki/index.php/Zarafa_Selinux_policy

Let me know if you have problems implementing it.

Cheers,
K.
Kerem ERSOYPresident

Commented:
Hi,

You can create a policy for Zaraf as indicated on its wiki pages. Please follow the article here:

http://www.zarafa.com/wiki/index.php/Zarafa_Selinux_policy

Let me know if you have problems implementing it.

Cheers,
K.
Sr.Manager -IT and Projects
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.