
SELinux **MUST** not be enforcing
Open, Normal, Public

Assigned To: (none)
Authored By: vanmeeuwen, Feb 4 2016, 10:29 PM

Description

People find themselves skipping steps of the installation guide's "preparing your system" section, only to discover services do not start and Kolab Groupware is dysfunctional.

I propose a check be introduced that is executed as part of setup-kolab, that learns the system configuration and current run-time state, and errors out fatally if the configuration is inappropriate -- pointing the user to some information on the subject.

Implementation Design Considerations

  • /sys/fs/selinux/enforce does not exist: SELinux disabled (GOOD, however bad).
  • /sys/fs/selinux/enforce contains 1: SELinux enforces one or the other policy (it doesn't matter which) -> (BAD, however good)
  • /sys/fs/selinux/enforce contains 0: SELinux does not enforce any policy, but does audit policy violations (GOOD, however bad)

This shall be the first or second item that setup-kolab checks for; however, it does not state in which capacity the system may come back up after reboot.

The command sestatus could be used, with sample output:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30

exec() and line-by-line parsing should then be used.

We would NOT amend the configuration to ensure the Kolab installation is successful and the system's security reduced without the user's explicit (and manual) intervention.
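As an added illustration of the check proposed above (not code from setup-kolab or from this ticket), a Python sketch that implements both probes: the /sys/fs/selinux/enforce node and line-by-line parsing of sestatus output. Function names and messages are my own; the embedded sestatus sample is an excerpt of the output quoted in the description, and reading the enforce node is assumed to yield exactly "0" or "1".

```python
from pathlib import Path

ENFORCE_FILE = "/sys/fs/selinux/enforce"  # absent when SELinux is disabled

# Excerpt of the sestatus output quoted in the ticket, used as offline sample input
SAMPLE_SESTATUS = """\
SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
"""


def state_from_enforce_file(path=ENFORCE_FILE):
    """Map the selinuxfs node to 'disabled', 'permissive' or 'enforcing'."""
    path = Path(path)
    if not path.exists():
        return "disabled"
    value = path.read_text().strip()
    if value in ("0", "1"):
        return "enforcing" if value == "1" else "permissive"
    raise ValueError("unexpected content in %s: %r" % (path, value))


def parse_sestatus(output):
    """Parse sestatus output line by line into {lower-case key: value}."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def check_selinux(runtime_state, config_mode=None):
    """Return (ok, message); ok False means setup-kolab should abort.
    The verdict depends only on the run-time mode; config_mode adds a reboot note."""
    if runtime_state not in ("disabled", "permissive"):
        return False, ("SELinux mode is %r; setup-kolab cannot continue until "
                       "it is permissive or disabled." % runtime_state)
    message = "SELinux is %s." % runtime_state
    if config_mode == "enforcing":
        message += " It is configured to enforce again after reboot."
    return True, message


def check_from_sestatus(output):
    """Run the check on sestatus output (e.g. captured via subprocess)."""
    fields = parse_sestatus(output)
    if fields.get("selinux status") != "enabled":
        return check_selinux("disabled")
    return check_selinux(fields.get("current mode", "unknown"),
                         fields.get("mode from config file"))
```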

Details

Ticket Type
Task

Event Timeline

CentOS 7 runs a targeted SE Linux policy, which seems to work with minimal changes.
Please, let's fix what might be missing (until now it was easy...) instead of disabling
SELinux completely.

I've been pointed to the git repository for kolab-setup to target more daemons - that's
probably a further change - let's get Kolab working with a CentOS install with SELinux
still enabled.

In T978#13819, @jh23453 wrote:

CentOS 7 runs a targeted SE Linux policy, which seems to work with minimal changes.
Please, let's fix what might be missing (until now it was easy...) instead of disabling
SELinux completely.

Nobody has ever suggested to disable SELinux completely. Dan Walsh would skin me alive for such nonsense. All we require currently is that it does not enforce the targeted policy.

In T978#13819, @jh23453 wrote:

I've been pointed to the git repository for kolab-setup to target more daemons - that's
probably a further change - let's get Kolab working with a CentOS install with SELinux
still enabled.

I have no knowledge of any git repository for setup-kolab that targets more daemons. Please share if you feel inclined -- but not in this ticket.

Kolab does work with SELinux enabled, it just does not work with SELinux enforcing the targeted policy. If your idea is to make Kolab work with SELinux enforcing the target policy, I'm all for it. Simply doing audit2allow does not satisfy me, however. Quite some time ago, I had started spending some of my scarce spare time on writing a proper policy, which you can find here: https://github.com/kanarip/kolab-selinux/.

In any case, until the work on that completes -- under the umbrella of a different ticket -- this ticket remains valid.

vanmeeuwen edited a custom field.
vanmeeuwen removed projects: Sprint 201607, PyKolab.
vanmeeuwen edited a custom field.
vanmeeuwen lowered the priority of this task from 60 to Normal. Mar 22 2019, 12:28 PM

Correcting the priority from 60/40 to Normal