
SElinux breaking IMAP-connectivity

JariT

New Pleskian
I'm running Plesk 11 with SElinux enforced. Also, it took me a while to realise what was going on, because I don't have the IMAP port open on my firewall. All users are forced to use IMAPS anyway.

The issue started with Horde ceasing to log users in. Further investigation revealed that the IMAP login is immediately disconnected by the server if the username/password is correct. Dropping SElinux into permissive seems to fix this, but... I'd rather have extra security for my users.

The horde-log displays something like this:
HORDE [error] [imp] FAILED LOGIN for [email protected] [1.2.3.4]
to {127.0.0.1:143 [imap/notls]} [pid 19587 on line 139 of "/usr/share/psa-horde/imp/lib/Auth/imp.php"]

Manual tests with telnetting into port 143 and using an SSL connection with openssl s_client revealed that IMAPS is not affected by the issue. My fix is to start using SSL for Horde/IMP. I edited /etc/psa-webmail/horde/imp/servers.php and changed:
'protocol' => 'imap/ssl/novalidate-cert',
'port' => 993,

This does not seem to be a very popular issue. Apparently most servers don't have enforced SElinux. Hopefully this helps somebody.

Regards,
Jari Turkia
 
If you search the KB for "SElinux", you see a lot of Plesk problems related to enforced SElinux. Therefore we do not recommend this mode for SElinux on Plesk servers.
 
I did spend quite a while searching for SElinux issues, none of them really address this issue. The most common fix is to either disable or run SElinux in permissive mode. And like I said, I'd rather have the enhanced security on a hosting server where users have shell-access.

Agreed with Jari.

When "Enforcing", httpd fails to start. Not sure how to fix this.

Getting Apache to work with Panel running with Enforcing is not difficult, it's just basic SElinux-wrangling. Make sure you have auditd running to get logs of what fails. Then you have the possibility of doing:
Code:
cat /var/log/audit/audit.log | audit2allow -m local > local.te

Create your own local policy and:
Code:
checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod
semodule -i local.pp

To be honest with you, my local policy has zero rows for Apache. All of them are for mail, Bind and X11. I don't know which distro you have, I'm running on CentOS 6.

Do you mind sharing your policy for mail and bind if it is Plesk-specific?

Sure, it's all Panel-specific. Here goes:
Code:
module local 1.0;

require {
        type courier_pop_t;
        type mail_spool_t;
        type xauth_t;
        type httpd_sys_content_t;
        type sshd_t;
        type mysqld_t;
        type mysqld_var_run_t;
        type lib_t;
        type postfix_spool_t;
        type var_spool_t;
        type named_t;
        type named_conf_t;
        class sock_file write;
        class unix_stream_socket connectto;
        class capability { setuid setgid };
        class dir { setattr write search read remove_name open getattr add_name };
        class file { read create write getattr link unlink open append rename execute_no_trans lock };
}

#============= named_t ==============
allow named_t named_conf_t:file unlink;

#============= courier_pop_t ==============
allow courier_pop_t mail_spool_t:dir { search setattr read write getattr remove_name open add_name };
allow courier_pop_t mail_spool_t:file { rename read create write getattr link unlink open append };

# Webmail:
allow courier_pop_t lib_t:file execute_no_trans;
allow courier_pop_t postfix_spool_t:dir search;
allow courier_pop_t postfix_spool_t:file { read lock getattr open };
allow courier_pop_t self:capability { setuid setgid };
allow courier_pop_t var_spool_t:dir search;

#============= sshd_t ==============
allow sshd_t mysqld_t:unix_stream_socket connectto;
allow sshd_t mysqld_var_run_t:sock_file write;

#============= xauth_t ==============
allow xauth_t httpd_sys_content_t:dir { write remove_name add_name };
allow xauth_t httpd_sys_content_t:file { open create unlink link };

Most of the policy changes are for Courier IMAPd and IMP (which are pretty much the same). Occasionally I need to run something GUI-based, so I need working X11 forwarding for SSH. And the first rule for Bind is just to allow Bind to clean up its own messes.
 
Hi JariT,

Thank you very much for sharing Plesk Policies.

My problem was with Posts, maybe because I'm running Nginx.

I still receive these "denied"s.

When creating a domain via panel,

Code:
type=AVC msg=audit(1369057813.317:587): avc:  denied  { read append } for  pid=10167 comm="httpd" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=1187353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1369057813.317:587): avc:  denied  { read append } for  pid=10167 comm="httpd" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=1187353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1369057813.317:587): arch=c000003e syscall=59 success=yes exit=0 a0=24fac30 a1=24fa900 a2=24fb170 a3=7fff163c6e20 items=0 ppid=10166 pid=10167 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

When deleting a domain via panel,

Code:
type=AVC msg=audit(1369057932.659:593): avc:  denied  { unlink } for  pid=1426 comm="named" name="tmp-NhooaXG7zV" dev=dm-0 ino=787749 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1369057932.659:593): arch=c000003e syscall=87 success=no exit=-13 a0=7f3264431d40 a1=0 a2=7f325c000078 a3=22 items=0 ppid=1 pid=1426 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1369057932.663:594): avc:  denied  { unlink } for  pid=1426 comm="named" name="tmp-1u2GCSsPtW" dev=dm-0 ino=787750 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1369057932.663:594): arch=c000003e syscall=87 success=no exit=-13 a0=7f3264431d30 a1=0 a2=7f325c477b40 a3=22 items=0 ppid=1 pid=1426 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1369057934.644:595): avc:  denied  { read append } for  pid=10574 comm="httpd" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=1187353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1369057934.644:595): avc:  denied  { read append } for  pid=10574 comm="httpd" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=1187353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

I just don't want to execute this, allowing all the "denied" to be "allow".

Code:
cat /var/log/audit/audit.log | audit2allow -m local > local.te
checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod
semodule -i local.pp

I'd like to do it manually by creating a .te.

What are the "require"s I should write to allow this,

Code:
#============= named_t ==============
allow named_t named_conf_t:file unlink;

also the "rc_actions.log" to be read.

Like Nikolay said, I think these can be safely ignored.

It would be great if I can fix these "denied"s, if it's safe to do so.

Please help me if you can.

Thank you
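As an added example (not code from anyone in this thread), a small Python script that does by hand what the audit2allow step above does for the AVC lines quoted in this thread: it parses the denial records, builds the require block and allow rules of a .te module, and flags rules whose target type is a generic one such as tmp_t, where relabeling the specific path is usually safer than widening httpd_t. The sample log lines are copied from this thread; the GENERIC_TARGETS list is my own assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the two kinds of AVC denial quoted in this thread.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1369057813.317:587): avc:  denied  { read append } for  pid=10167 comm="httpd" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=1187353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1369057813.317:587): arch=c000003e syscall=59 success=yes exit=0 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1369057932.659:593): avc:  denied  { unlink } for  pid=1426 comm="named" name="tmp-NhooaXG7zV" dev=dm-0 ino=787749 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
"""

AVC_RE = re.compile(r'type=AVC .*avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*'
                    r'scontext=\w+:\w+:(?P<stype>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)')

# Assumed list: target types so broad that an allow rule would widen access far
# beyond the one path in the log; relabeling that path is usually the safer fix.
GENERIC_TARGETS = {"tmp_t", "var_t", "usr_t", "default_t"}

def parse_denials(audit_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)          # SYSCALL records carry no decision, skipped
        if m:
            denials[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(denials)

def render_te(denials, name="local", version="1.0"):
    """Render the require block and allow rules of a .te module source."""
    types = sorted({s for s, _, _ in denials} | {t for _, t, _ in denials})
    classes = defaultdict(set)
    for (_, _, tclass), perms in denials.items():
        classes[tclass].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(denials.items()):
        p = sorted(perms)
        perm = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {s} {t}:{c} {perm};")
    return "\n".join(out) + "\n"

def review(denials):
    """Flag rules whose target type is generic and deserve relabeling instead."""
    return [f"{s} -> {t}:{c}: generic target type, consider a file context rule"
            for (s, t, c) in sorted(denials) if t in GENERIC_TARGETS]
```

Feed the text of your own audit.log to parse_denials, then pass the result to render_te and review before deciding which rules belong in local.te.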