Solved

selinux blocking zarafa webaccess

Posted on 2011-04-25
Last Modified: 2012-05-11
Hi,

SELinux is blocking Zarafa WebAccess.
I'm using Fedora 14 and have updated my selinux-policy.

Summary:

SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files
/etc/zarafa/webaccess/config.php.

Detailed Description:

SELinux has denied the httpd access to potentially mislabeled files
/etc/zarafa/webaccess/config.php. This means that SELinux will not allow httpd
to use these files. If httpd should be allowed this access to these files you
should change the file context to one of the following types, mailman_archive_t,
httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t, logfile,
httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t,
squirrelmail_spool_t, bin_t, cert_t, httpd_prewikka_htaccess_t, httpd_t, lib_t,
passenger_var_lib_t, passenger_var_run_t, cobbler_var_lib_t, abrt_var_run_t,
usr_t, httpd_rotatelogs_exec_t, user_tmp_t, httpd_smokeping_cgi_htaccess_t,
nagios_etc_t, nagios_log_t, sssd_public_t, httpd_keytab_t, locale_t,
httpd_unconfined_script_exec_t, sysctl_crypto_t, etc_t, fonts_t, cluster_conf_t,
proc_t, sysfs_t, httpd_mojomojo_htaccess_t, fonts_cache_t, httpd_exec_t,
httpd_lock_t, krb5_keytab_t, httpd_log_t, passenger_exec_t, dirsrv_config_t,
httpd_config_t, abrt_t, krb5_conf_t, lib_t, user_home_t, udev_tbl_t,
abrt_helper_exec_t, httpd_tmp_t, calamaris_www_t, smokeping_var_lib_t,
shell_exec_t, httpd_cache_t, httpd_tmpfs_t, httpd_w3c_validator_htaccess_t,
iso9660_t, mysqld_etc_t, cvs_data_t, ld_so_t, dirsrvadmin_tmp_t, cobbler_etc_t,
var_lib_t, httpd_helper_exec_t, dbusd_etc_t, dirsrv_share_t, textrel_shlib_t,
httpd_squirrelmail_t, rpm_script_tmp_t, httpd_php_exec_t,
httpd_nagios_htaccess_t, fail2ban_var_lib_t, httpd_zarafa_htaccess_t,
samba_var_t, dirsrv_var_log_t, rpm_tmp_t, net_conf_t, git_system_content_t,
user_cron_spool_t, public_content_t, ld_so_cache_t, anon_inodefs_t,
sysctl_kernel_t, etc_runtime_t, httpd_modules_t, dirsrv_var_run_t,
httpd_var_lib_t, httpd_var_run_t, httpd_awstats_htaccess_t,
httpd_dirsrvadmin_htaccess_t, httpd_suexec_exec_t, application_exec_type,
httpd_user_htaccess_t, chroot_exec_t, httpd_nutups_cgi_htaccess_t,
mailman_cgi_exec_t, gitosis_var_lib_t, httpd_sys_content_t,
dirsrvadmin_config_t, public_content_rw_t, httpd_squid_htaccess_t,
httpd_munin_htaccess_t, httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t,
mailman_data_t, httpd_munin_script_exec_t, httpd_dirsrvadmin_ra_content_t,
httpd_dirsrvadmin_rw_content_t, httpd_w3c_validator_script_exec_t,
httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t,
httpd_user_script_exec_t, httpd_bugzilla_content_t, krb5_host_rcache_t,
httpd_cobbler_content_t, httpd_apcupsd_cgi_script_exec_t,
httpd_dirsrvadmin_content_t, httpd_squid_script_exec_t,
httpd_nagios_script_exec_t, httpd_w3c_validator_ra_content_t,
httpd_w3c_validator_rw_content_t, httpd_awstats_ra_content_t,
httpd_awstats_rw_content_t, httpd_awstats_content_t,
httpd_bugzilla_script_exec_t, httpd_user_ra_content_t, httpd_user_rw_content_t,
httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t,
httpd_nutups_cgi_content_t, httpd_prewikka_script_exec_t,
httpd_mojomojo_content_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t,
httpd_mojomojo_ra_content_t, httpd_mojomojo_rw_content_t,
httpd_sys_script_exec_t, httpd_git_script_exec_t, httpd_cvs_script_exec_t,
httpd_zarafa_script_exec_t, httpd_dirsrvadmin_script_exec_t,
httpd_mojomojo_script_exec_t, httpd_bugzilla_ra_content_t,
httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t,
httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t,
httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t,
httpd_sys_rw_content_t, httpd_zarafa_content_t, httpd_w3c_validator_content_t,
httpd_nagios_ra_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t,
httpd_cobbler_script_exec_t, httpd_zarafa_ra_content_t,
httpd_zarafa_rw_content_t, httpd_smokeping_cgi_script_exec_t,
httpd_git_content_t, httpd_user_content_t, httpd_apcupsd_cgi_content_t, root_t,
httpd_squid_ra_content_t, httpd_squid_rw_content_t,
httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t,
httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t,
httpd_smokeping_cgi_rw_content_t, httpd_smokeping_cgi_content_t,
httpd_cvs_content_t, httpd_sys_content_t, httpd_munin_content_t,
httpd_squid_content_t, httpd_awstats_script_exec_t. Many third party apps
install html files in directories that SELinux policy cannot predict. These
directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of /etc/zarafa/webaccess/config.php so
that the httpd daemon can access it, you need to execute it using semanage
fcontext -a -t FILE_TYPE '/etc/zarafa/webaccess/config.php'.
where FILE_TYPE is one of the following: mailman_archive_t,
httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t, logfile,
httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t,
squirrelmail_spool_t, bin_t, cert_t, httpd_prewikka_htaccess_t, httpd_t, lib_t,
passenger_var_lib_t, passenger_var_run_t, cobbler_var_lib_t, abrt_var_run_t,
usr_t, httpd_rotatelogs_exec_t, user_tmp_t, httpd_smokeping_cgi_htaccess_t,
nagios_etc_t, nagios_log_t, sssd_public_t, httpd_keytab_t, locale_t,
httpd_unconfined_script_exec_t, sysctl_crypto_t, etc_t, fonts_t, cluster_conf_t,
proc_t, sysfs_t, httpd_mojomojo_htaccess_t, fonts_cache_t, httpd_exec_t,
httpd_lock_t, krb5_keytab_t, httpd_log_t, passenger_exec_t, dirsrv_config_t,
httpd_config_t, abrt_t, krb5_conf_t, lib_t, user_home_t, udev_tbl_t,
abrt_helper_exec_t, httpd_tmp_t, calamaris_www_t, smokeping_var_lib_t,
shell_exec_t, httpd_cache_t, httpd_tmpfs_t, httpd_w3c_validator_htaccess_t,
iso9660_t, mysqld_etc_t, cvs_data_t, ld_so_t, dirsrvadmin_tmp_t, cobbler_etc_t,
var_lib_t, httpd_helper_exec_t, dbusd_etc_t, dirsrv_share_t, textrel_shlib_t,
httpd_squirrelmail_t, rpm_script_tmp_t, httpd_php_exec_t,
httpd_nagios_htaccess_t, fail2ban_var_lib_t, httpd_zarafa_htaccess_t,
samba_var_t, dirsrv_var_log_t, rpm_tmp_t, net_conf_t, git_system_content_t,
user_cron_spool_t, public_content_t, ld_so_cache_t, anon_inodefs_t,
sysctl_kernel_t, etc_runtime_t, httpd_modules_t, dirsrv_var_run_t,
httpd_var_lib_t, httpd_var_run_t, httpd_awstats_htaccess_t,
httpd_dirsrvadmin_htaccess_t, httpd_suexec_exec_t, application_exec_type,
httpd_user_htaccess_t, chroot_exec_t, httpd_nutups_cgi_htaccess_t,
mailman_cgi_exec_t, gitosis_var_lib_t, httpd_sys_content_t,
dirsrvadmin_config_t, public_content_rw_t, httpd_squid_htaccess_t,
httpd_munin_htaccess_t, httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t,
mailman_data_t, httpd_munin_script_exec_t, httpd_dirsrvadmin_ra_content_t,
httpd_dirsrvadmin_rw_content_t, httpd_w3c_validator_script_exec_t,
httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t,
httpd_user_script_exec_t, httpd_bugzilla_content_t, krb5_host_rcache_t,
httpd_cobbler_content_t, httpd_apcupsd_cgi_script_exec_t,
httpd_dirsrvadmin_content_t, httpd_squid_script_exec_t,
httpd_nagios_script_exec_t, httpd_w3c_validator_ra_content_t,
httpd_w3c_validator_rw_content_t, httpd_awstats_ra_content_t,
httpd_awstats_rw_content_t, httpd_awstats_content_t,
httpd_bugzilla_script_exec_t, httpd_user_ra_content_t, httpd_user_rw_content_t,
httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t,
httpd_nutups_cgi_content_t, httpd_prewikka_script_exec_t,
httpd_mojomojo_content_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t,
httpd_mojomojo_ra_content_t, httpd_mojomojo_rw_content_t,
httpd_sys_script_exec_t, httpd_git_script_exec_t, httpd_cvs_script_exec_t,
httpd_zarafa_script_exec_t, httpd_dirsrvadmin_script_exec_t,
httpd_mojomojo_script_exec_t, httpd_bugzilla_ra_content_t,
httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t,
httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t,
httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t,
httpd_sys_rw_content_t, httpd_zarafa_content_t, httpd_w3c_validator_content_t,
httpd_nagios_ra_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t,
httpd_cobbler_script_exec_t, httpd_zarafa_ra_content_t,
httpd_zarafa_rw_content_t, httpd_smokeping_cgi_script_exec_t,
httpd_git_content_t, httpd_user_content_t, httpd_apcupsd_cgi_content_t, root_t,
httpd_squid_ra_content_t, httpd_squid_rw_content_t,
httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t,
httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t,
httpd_smokeping_cgi_rw_content_t, httpd_smokeping_cgi_content_t,
httpd_cvs_content_t, httpd_sys_content_t, httpd_munin_content_t,
httpd_squid_content_t, httpd_awstats_script_exec_t. You can look at the
httpd_selinux man page for additional information.

Additional Information:

Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:zarafa_etc_t:s0
Target Objects                /etc/zarafa/webaccess/config.php [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           httpd-2.2.17-1.fc14
Target RPM Packages           zarafa-webaccess-6.40.7-1.fc14
Policy RPM                    selinux-policy-3.9.7-40.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.35.6-45.fc14.i686
                              #1 SMP Mon Oct 18 23:56:17 UTC 2010 i686 i686
Alert Count                   3
First Seen                    Mon 25 Apr 2011 04:56:52 PM CEST
Last Seen                     Mon 25 Apr 2011 04:56:52 PM CEST
Local ID                      54c91620-d009-4328-a85a-c8d19eddba56
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1303743412.546:22489): avc:  denied  { getattr } for  pid=1715 comm="httpd" path="/etc/zarafa/webaccess/config.php" dev=dm-0 ino=143366 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zarafa_etc_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1303743412.546:22489): arch=40000003 syscall=196 success=no exit=-13 a0=bfec69dc a1=bfec671c a2=6b5ff4 a3=3 items=0 ppid=1674 pid=1715 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)


How do I configure SELinux so I can access Zarafa WebAccess?
Turning off SELinux is not an option.

The only related info I seem to find is this:

 
When SELinux is enabled, this is blocking your connection from the webserver to the Zarafa server.

You may solve this by allowing Apache to make network connections:

setsebool httpd_can_network_connect=1

or by disabling SELinux altogether:

setenforce permissive

When you choose to disable SELinux, you will also want to edit /etc/sysconfig/selinux to disable it for reboots too.


But it does not help.
Question by:Th0R

Expert Comment

by:Kerem ERSOY
ID: 35463600
Hi,

You can create a policy for Zarafa as indicated on its wiki pages. Please follow the article here:

http://www.zarafa.com/wiki/index.php/Zarafa_Selinux_policy

Let me know if you have problems implementing it.

Cheers,
K.

Accepted Solution

by:
mohansahu earned 2000 total points
ID: 35464998
Hi,

This is the bug link for web access denied by SELinux. Please have a look.

https://bugzilla.redhat.com/show_bug.cgi?id=582323

# setsebool httpd_can_network_connect on
# chcon -t httpd_var_run_t /var/run/zarafa

With those changes, it should connect from WebAccess.

For SELinux in detail...

http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/#id2961385

MS
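
Added example, not part of the original thread or any poster's answer: a shell function that reduces raw audit text to the fields that decide an SELinux denial (source type, denied permission, object class, target type, path), using the AVC record from the question as embedded sample input. The names `parse_avc` and `summarise_avc` and the output format are this example's own.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials found in audit log text.
# parse_avc / summarise_avc are hypothetical names used only here.

# Sample input: the raw AVC record quoted in the question above.
SAMPLE_AVC='node=localhost.localdomain type=AVC msg=audit(1303743412.546:22489): avc:  denied  { getattr } for  pid=1715 comm="httpd" path="/etc/zarafa/webaccess/config.php" dev=dm-0 ino=143366 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zarafa_etc_t:s0 tclass=file'

# parse_avc: read audit text on stdin and, for each "avc: denied" record, print
#   source_type|permissions|class|target_type|path
# Other record types (SYSCALL, ...) are skipped.
parse_avc() {
  awk '
    /avc:[ ]+denied/ {
      perms = ""; path = "-"; stype = ""; ttype = ""; cls = ""
      # Denied permissions are the words between the braces.
      if (match($0, /[{][^}]*[}]/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^[ ]+|[ ]+$/, "", perms)
        gsub(/[ ]+/, ",", perms)
      }
      # The remaining data is key=value pairs separated by whitespace.
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue
        key = substr($i, 1, n - 1)
        val = substr($i, n + 1)
        gsub(/"/, "", val)
        if (key == "path") path = val
        else if (key == "tclass") cls = val
        else if (key == "scontext" || key == "tcontext") {
          # A context is user:role:type:level; the type is the third part.
          split(val, ctx, ":")
          if (key == "scontext") stype = ctx[3]; else ttype = ctx[3]
        }
      }
      print stype "|" perms "|" cls "|" ttype "|" path
    }'
}

# summarise_avc: collapse repeated denials into counted unique rows.
summarise_avc() {
  parse_avc | sort | uniq -c | sort -rn
}

# Live use (needs root and auditd): ausearch -m avc -ts recent | summarise_avc
printf '%s\n' "$SAMPLE_AVC" | summarise_avc
```

For the record in the question the row reads `httpd_t|getattr|file|zarafa_etc_t|/etc/zarafa/webaccess/config.php`: the `httpd_t` domain was denied `getattr` on a file labeled `zarafa_etc_t`.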
