Steven Debock
asked on
selinux blocking zarafa webaccess
Hi,
SELinux is blocking Zarafa WebAccess.
I'm using Fedora 14 and have updated my selinux-policy.
Summary:
SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files
/etc/zarafa/webaccess/config.php.
Detailed Description:
SELinux has denied the httpd access to potentially mislabeled files
/etc/zarafa/webaccess/config.php. This means that SELinux will not allow httpd
to use these files. If httpd should be allowed this access to these files you
should change the file context to one of the following types, mailman_archive_t,
httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t, logfile,
httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t,
squirrelmail_spool_t, bin_t, cert_t, httpd_prewikka_htaccess_t, httpd_t, lib_t,
passenger_var_lib_t, passenger_var_run_t, cobbler_var_lib_t, abrt_var_run_t,
usr_t, httpd_rotatelogs_exec_t, user_tmp_t, httpd_smokeping_cgi_htaccess_t,
nagios_etc_t, nagios_log_t, sssd_public_t, httpd_keytab_t, locale_t,
httpd_unconfined_script_exec_t, sysctl_crypto_t, etc_t, fonts_t, cluster_conf_t,
proc_t, sysfs_t, httpd_mojomojo_htaccess_t, fonts_cache_t, httpd_exec_t,
httpd_lock_t, krb5_keytab_t, httpd_log_t, passenger_exec_t, dirsrv_config_t,
httpd_config_t, abrt_t, krb5_conf_t, lib_t, user_home_t, udev_tbl_t,
abrt_helper_exec_t, httpd_tmp_t, calamaris_www_t, smokeping_var_lib_t,
shell_exec_t, httpd_cache_t, httpd_tmpfs_t, httpd_w3c_validator_htaccess_t,
iso9660_t, mysqld_etc_t, cvs_data_t, ld_so_t, dirsrvadmin_tmp_t, cobbler_etc_t,
var_lib_t, httpd_helper_exec_t, dbusd_etc_t, dirsrv_share_t, textrel_shlib_t,
httpd_squirrelmail_t, rpm_script_tmp_t, httpd_php_exec_t,
httpd_nagios_htaccess_t, fail2ban_var_lib_t, httpd_zarafa_htaccess_t,
samba_var_t, dirsrv_var_log_t, rpm_tmp_t, net_conf_t, git_system_content_t,
user_cron_spool_t, public_content_t, ld_so_cache_t, anon_inodefs_t,
sysctl_kernel_t, etc_runtime_t, httpd_modules_t, dirsrv_var_run_t,
httpd_var_lib_t, httpd_var_run_t, httpd_awstats_htaccess_t,
httpd_dirsrvadmin_htaccess_t, httpd_suexec_exec_t, application_exec_type,
httpd_user_htaccess_t, chroot_exec_t, httpd_nutups_cgi_htaccess_t,
mailman_cgi_exec_t, gitosis_var_lib_t, httpd_sys_content_t,
dirsrvadmin_config_t, public_content_rw_t, httpd_squid_htaccess_t,
httpd_munin_htaccess_t, httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t,
mailman_data_t, httpd_munin_script_exec_t, httpd_dirsrvadmin_ra_content_t,
httpd_dirsrvadmin_rw_content_t, httpd_w3c_validator_script_exec_t,
httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t,
httpd_user_script_exec_t, httpd_bugzilla_content_t, krb5_host_rcache_t,
httpd_cobbler_content_t, httpd_apcupsd_cgi_script_exec_t,
httpd_dirsrvadmin_content_t, httpd_squid_script_exec_t,
httpd_nagios_script_exec_t, httpd_w3c_validator_ra_content_t,
httpd_w3c_validator_rw_content_t, httpd_awstats_ra_content_t,
httpd_awstats_rw_content_t, httpd_awstats_content_t,
httpd_bugzilla_script_exec_t, httpd_user_ra_content_t, httpd_user_rw_content_t,
httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t,
httpd_nutups_cgi_content_t, httpd_prewikka_script_exec_t,
httpd_mojomojo_content_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t,
httpd_mojomojo_ra_content_t, httpd_mojomojo_rw_content_t,
httpd_sys_script_exec_t, httpd_git_script_exec_t, httpd_cvs_script_exec_t,
httpd_zarafa_script_exec_t, httpd_dirsrvadmin_script_exec_t,
httpd_mojomojo_script_exec_t, httpd_bugzilla_ra_content_t,
httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t,
httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t,
httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t,
httpd_sys_rw_content_t, httpd_zarafa_content_t, httpd_w3c_validator_content_t,
httpd_nagios_ra_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t,
httpd_cobbler_script_exec_t, httpd_zarafa_ra_content_t,
httpd_zarafa_rw_content_t, httpd_smokeping_cgi_script_exec_t,
httpd_git_content_t, httpd_user_content_t, httpd_apcupsd_cgi_content_t, root_t,
httpd_squid_ra_content_t, httpd_squid_rw_content_t,
httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t,
httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t,
httpd_smokeping_cgi_rw_content_t, httpd_smokeping_cgi_content_t,
httpd_cvs_content_t, httpd_sys_content_t, httpd_munin_content_t,
httpd_squid_content_t, httpd_awstats_script_exec_t. Many third party apps
install html files in directories that SELinux policy cannot predict. These
directories have to be labeled with a file context which httpd can access.
Allowing Access:
If you want to change the file context of /etc/zarafa/webaccess/config.php so
that the httpd daemon can access it, you need to execute it using semanage
fcontext -a -t FILE_TYPE '/etc/zarafa/webaccess/config.php'.
where FILE_TYPE is one of the following: mailman_archive_t,
httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t, logfile,
httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t,
squirrelmail_spool_t, bin_t, cert_t, httpd_prewikka_htaccess_t, httpd_t, lib_t,
passenger_var_lib_t, passenger_var_run_t, cobbler_var_lib_t, abrt_var_run_t,
usr_t, httpd_rotatelogs_exec_t, user_tmp_t, httpd_smokeping_cgi_htaccess_t,
nagios_etc_t, nagios_log_t, sssd_public_t, httpd_keytab_t, locale_t,
httpd_unconfined_script_exec_t, sysctl_crypto_t, etc_t, fonts_t, cluster_conf_t,
proc_t, sysfs_t, httpd_mojomojo_htaccess_t, fonts_cache_t, httpd_exec_t,
httpd_lock_t, krb5_keytab_t, httpd_log_t, passenger_exec_t, dirsrv_config_t,
httpd_config_t, abrt_t, krb5_conf_t, lib_t, user_home_t, udev_tbl_t,
abrt_helper_exec_t, httpd_tmp_t, calamaris_www_t, smokeping_var_lib_t,
shell_exec_t, httpd_cache_t, httpd_tmpfs_t, httpd_w3c_validator_htaccess_t,
iso9660_t, mysqld_etc_t, cvs_data_t, ld_so_t, dirsrvadmin_tmp_t, cobbler_etc_t,
var_lib_t, httpd_helper_exec_t, dbusd_etc_t, dirsrv_share_t, textrel_shlib_t,
httpd_squirrelmail_t, rpm_script_tmp_t, httpd_php_exec_t,
httpd_nagios_htaccess_t, fail2ban_var_lib_t, httpd_zarafa_htaccess_t,
samba_var_t, dirsrv_var_log_t, rpm_tmp_t, net_conf_t, git_system_content_t,
user_cron_spool_t, public_content_t, ld_so_cache_t, anon_inodefs_t,
sysctl_kernel_t, etc_runtime_t, httpd_modules_t, dirsrv_var_run_t,
httpd_var_lib_t, httpd_var_run_t, httpd_awstats_htaccess_t,
httpd_dirsrvadmin_htaccess_t, httpd_suexec_exec_t, application_exec_type,
httpd_user_htaccess_t, chroot_exec_t, httpd_nutups_cgi_htaccess_t,
mailman_cgi_exec_t, gitosis_var_lib_t, httpd_sys_content_t,
dirsrvadmin_config_t, public_content_rw_t, httpd_squid_htaccess_t,
httpd_munin_htaccess_t, httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t,
mailman_data_t, httpd_munin_script_exec_t, httpd_dirsrvadmin_ra_content_t,
httpd_dirsrvadmin_rw_content_t, httpd_w3c_validator_script_exec_t,
httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t,
httpd_user_script_exec_t, httpd_bugzilla_content_t, krb5_host_rcache_t,
httpd_cobbler_content_t, httpd_apcupsd_cgi_script_exec_t,
httpd_dirsrvadmin_content_t, httpd_squid_script_exec_t,
httpd_nagios_script_exec_t, httpd_w3c_validator_ra_content_t,
httpd_w3c_validator_rw_content_t, httpd_awstats_ra_content_t,
httpd_awstats_rw_content_t, httpd_awstats_content_t,
httpd_bugzilla_script_exec_t, httpd_user_ra_content_t, httpd_user_rw_content_t,
httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t,
httpd_nutups_cgi_content_t, httpd_prewikka_script_exec_t,
httpd_mojomojo_content_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t,
httpd_mojomojo_ra_content_t, httpd_mojomojo_rw_content_t,
httpd_sys_script_exec_t, httpd_git_script_exec_t, httpd_cvs_script_exec_t,
httpd_zarafa_script_exec_t, httpd_dirsrvadmin_script_exec_t,
httpd_mojomojo_script_exec_t, httpd_bugzilla_ra_content_t,
httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t,
httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t,
httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t,
httpd_sys_rw_content_t, httpd_zarafa_content_t, httpd_w3c_validator_content_t,
httpd_nagios_ra_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t,
httpd_cobbler_script_exec_t, httpd_zarafa_ra_content_t,
httpd_zarafa_rw_content_t, httpd_smokeping_cgi_script_exec_t,
httpd_git_content_t, httpd_user_content_t, httpd_apcupsd_cgi_content_t, root_t,
httpd_squid_ra_content_t, httpd_squid_rw_content_t,
httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t,
httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t,
httpd_smokeping_cgi_rw_content_t, httpd_smokeping_cgi_content_t,
httpd_cvs_content_t, httpd_sys_content_t, httpd_munin_content_t,
httpd_squid_content_t, httpd_awstats_script_exec_t. You can look at the
httpd_selinux man page for additional information.
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:zarafa_etc_t:s0
Target Objects /etc/zarafa/webaccess/config.php [ file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages httpd-2.2.17-1.fc14
Target RPM Packages zarafa-webaccess-6.40.7-1.fc14
Policy RPM selinux-policy-3.9.7-40.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name httpd_bad_labels
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.35.6-45.fc14.i686
#1 SMP Mon Oct 18 23:56:17 UTC 2010 i686 i686
Alert Count 3
First Seen Mon 25 Apr 2011 04:56:52 PM CEST
Last Seen Mon 25 Apr 2011 04:56:52 PM CEST
Local ID 54c91620-d009-4328-a85a-c8d19eddba56
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1303743412.546:22489): avc: denied { getattr } for pid=1715 comm="httpd" path="/etc/zarafa/webaccess/config.php" dev=dm-0 ino=143366 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zarafa_etc_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1303743412.546:22489): arch=40000003 syscall=196 success=no exit=-13 a0=bfec69dc a1=bfec671c a2=6b5ff4 a3=3 items=0 ppid=1674 pid=1715 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
How do I configure SELinux so I can access Zarafa WebAccess?
Turning off SELinux is not an option.
The only related info I seem to find is this:
When SELinux is enabled, this is blocking your connection from the webserver to the Zarafa server.
You may solve this by allowing Apache to make network connections:
setsebool httpd_can_network_connect=1
or by disabling SELinux altogether:
setenforce permissive
When you choose to disable SELinux, you will also want to edit /etc/sysconfig/selinux to disable it for reboots too.
But it does not help.
Hi,
You can create a policy for Zarafa as indicated on its wiki pages. Please follow the article here:
http://www.zarafa.com/wiki/index.php/Zarafa_Selinux_policy
Let me know if you have problems implementing it.
Cheers,
K.
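The raw AVC record in the question already names everything a local policy module needs: source type, target type, object class and permission. As an added example (not part of the thread or of the Zarafa wiki article), this script turns such records into module source that can be reviewed before it is loaded; the second record and the module name local_httpd_zarafa are constructed for illustration.

```shell
#!/bin/sh
# AVC record copied from the question (one line of the audit log).
AVC_FROM_QUESTION='node=localhost.localdomain type=AVC msg=audit(1303743412.546:22489): avc: denied { getattr } for pid=1715 comm="httpd" path="/etc/zarafa/webaccess/config.php" dev=dm-0 ino=143366 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zarafa_etc_t:s0 tclass=file'
# Constructed follow-up record (not from the thread) to show permission merging.
AVC_CONSTRUCTED='type=AVC msg=audit(1303743500.100:22501): avc: denied { read open } for pid=1715 comm="httpd" name="config.php" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zarafa_etc_t:s0 tclass=file'

# avc_to_te NAME: read audit records on stdin and print the source (.te) of a
# local policy module that allows exactly the denied permissions, merged per
# (source type, target type, class). NAME is the module name.
avc_to_te() {
    awk -v name="$1" '
    function add(list, item) {    # append item to a space-separated list once
        return (index(" " list " ", " " item " ") ? list : list " " item)
    }
    /avc: +denied/ && match($0, /[{][^}]*[}]/) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/) c = substr($i, 8)
        }
        if (s == "" || t == "" || c == "") next    # incomplete record: skip
        key = s " " t ":" c
        if (!(key in rule)) keys[++nk] = key
        if (!(c in cls)) classes[++nc] = c
        types = add(add(types, s), t)
        m = split(perms, p, " ")
        for (j = 1; j <= m; j++) {
            rule[key] = add(rule[key], p[j])
            cls[c] = add(cls[c], p[j])
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        m = split(types, ty, " ")
        for (j = 1; j <= m; j++) printf "\ttype %s;\n", ty[j]
        for (j = 1; j <= nc; j++) printf "\tclass %s {%s };\n", classes[j], cls[classes[j]]
        printf "}\n\n"
        for (j = 1; j <= nk; j++) printf "allow %s {%s };\n", keys[j], rule[keys[j]]
    }'
}

# Review the output before building it with checkmodule, semodule_package and
# semodule -i; audit2allow -M performs the same translation from a live log.
printf '%s\n%s\n' "$AVC_FROM_QUESTION" "$AVC_CONSTRUCTED" | avc_to_te local_httpd_zarafa
```

The resulting allow rule applies to every file labelled zarafa_etc_t, not only config.php, so check what else carries that label before loading the module.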