Greetings!
The ejabberd Fedora package has its own SELinux policy module that it ships[0]. A user has reported an issue with an SELinux denial with the default ejabberd config[1].
I spent some time trying to modify the policy to allow the name_bind on the port, but it seems that my attempts result in it still being denied:
allow ejabberd_t unreserved_port_t:udp_socket name_bind;
As I commented on the ticket, I also found that setting the nis_enabled bool on my system to true would solve the problem.
However, I think it would be ideal if I could adjust the ejabberd module to do this on the users' behalf, as it is not obvious to the average user (or even to me) that this boolean could be the solution to the problem.
Is there something I could adjust in the ejabberd policy that would resolve this issue? Thanks.
[0] https://src.fedoraproject.org/rpms/ejabberd/blob/rawhide/f/ejabberd.te
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1901466
Randy Barlow wrote:
> Greetings!
> The ejabberd Fedora package has its own SELinux policy module that it ships[0]. A user has reported an issue with an SELinux denial with the default ejabberd config[1].
> I spent some time trying to modify the policy to allow the name_bind on the port, but it seems that my attempts result in it still being denied:
> allow ejabberd_t unreserved_port_t:udp_socket name_bind;
Hi Randy,
Thank you so much for your work! I'm spending time every year to fix AVCs for ejabberd (on my systems) without going deep in this issue. But I stored all .te files, so I'm happy to be able to compare with your .te file :)
File: ejabberd-udp-unreserved_port-fedora-33.te
""" module ejabberd-udp-unreserved_port-fedora-33 1.0;
require { type unreserved_port_t; type ejabberd_t; class udp_socket name_bind; }
#============= ejabberd_t ==============
#!!!! This avc can be allowed using the boolean 'nis_enabled' allow ejabberd_t unreserved_port_t:udp_socket name_bind; """
> As I commented on the ticket, I also found that setting the nis_enabled bool on my system to true would solve the problem.
How did you do that... I mean, you have found the Grail...
> However, I think it would be ideal if I could adjust the ejabberd module to do this on the users' behalf, as it is not obvious to the average user (or even to me) that this boolean could be the solution to the problem.
The Grail, I said :)
> Is there something I could adjust in the ejabberd policy that would resolve this issue? Thanks.
On my side, I will make a fresh install on a fresh box to see what exactly is required or not, then compare, then send you a PR :)
I also want to see what is required with the default ejabberd config and with my "advanced" config file.
Best regards, Casper
Hey Casper!
I ended up finding out what my problem was. The policy I had mentioned trying in my first post ended up being correct after all. It turned out that I had a rogue ejabberd policy in the system in addition to the policy I was testing, and the rogue policy had higher priority than the one provided by the RPM ☹
I must have installed this policy by hand some time in the past and forgotten to remove it. After removing it, I found that I just needed one more line on the policy to address this issue:
https://src.fedoraproject.org/rpms/ejabberd/c/d48066216cac7e2ec1626d65376313...
With this policy I am able to run ejabberd with STUN/TURN enabled and with the nis_enabled bool disabled.
There are updates for F33-36 in Bodhi now:
selinux@lists.fedoraproject.org
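The root cause in Randy's follow-up, a hand-installed ejabberd module at a higher priority shadowing the RPM's copy, is easy to miss because `semodule -l` only shows module names. Below is an added example (not from the thread and not part of the ejabberd package) of a small shell diagnostic that parses the three-column output of `semodule -lfull` (priority, module name, language) and reports any module installed at more than one priority; only the highest priority is active, so every lower copy is shadowed. The sample output is constructed here so the script runs offline; the priority numbers in it (100 for the RPM copy, 400 for a manual `semodule -i`) are assumed for illustration, and the rebuild commands in the comments are the standard checkmodule/semodule_package/semodule sequence, not ejabberd's own packaging scripts.

```shell
#!/bin/sh
# Added example: find SELinux modules installed at more than one priority,
# which is how a forgotten hand-installed module can shadow the one shipped
# by an RPM. Reads the output format of `semodule -lfull`.

# Constructed sample of `semodule -lfull` output. The 400 entry stands for a
# hypothetical hand-installed ("rogue") ejabberd module; 100 for the RPM copy.
SAMPLE_LFULL='100 abrt             pp
100 ejabberd         pp
400 ejabberd         pp
200 container        pp
100 zebra            pp'

# Print "name prio1 prio2 ..." for every module that appears at more than one
# priority. stdin: `semodule -lfull` output.
find_shadowed_modules() {
    awk '{ prios[$2] = prios[$2] " " $1; n[$2]++ }
         END { for (m in n) if (n[m] > 1) print m prios[m] }' | sort
}

# Print the highest priority at which module $1 is installed (the one that
# actually wins). stdin: `semodule -lfull` output. Prints 0 if absent.
active_priority() {
    awk -v mod="$1" '$2 == mod { if ($1+0 > best) best = $1+0 } END { print best+0 }'
}

# Usage on a live Fedora box (root, policycoreutils installed):
#   semodule -lfull | find_shadowed_modules
#   semodule -lfull | active_priority ejabberd
# Remove the shadowing copy at the priority the diagnostic reported, keeping
# the package's copy in place:
#   semodule -X 400 -r ejabberd
# Then rebuild and reload the package policy from its .te while testing:
#   checkmodule -M -m -o ejabberd.mod ejabberd.te
#   semodule_package -o ejabberd.pp -m ejabberd.mod
#   semodule -X 100 -i ejabberd.pp

printf '%s\n' "$SAMPLE_LFULL" | find_shadowed_modules
printf '%s\n' "$SAMPLE_LFULL" | active_priority ejabberd
```

Run against the sample, the first call reports only `ejabberd 100 400` and the second prints `400`; on a real system, a module listed at two priorities is the first thing to check before touching the .te file, since any allow rule you add to the lower-priority copy never takes effect.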