Thread: Zimbra and SELinux

  1. #1
    rramsey, Starter Member
    Join Date: Oct 2006
    Posts: 1
    Rep Power: 8

    Zimbra and SELinux

    I would like to know the experiences of sysadmins and developers using Zimbra and SELinux. We run SELinux on all of our servers where possible and don't want to compromise. I have searched through the forums and wiki, but only find people suggesting "turn it off". This isn't a solution, just a hack. Has anyone actually written a policy that works? Is there an SELinux module?

    Thanks,

    Ryan

  2. #2
    andreychek, Special Member & Volunteer
    Join Date: Oct 2005
    Location: Harrisburg, Pennsylvania
    Posts: 155
    Rep Power: 9

    Quote Originally Posted by rramsey
    I would like to know the experiences of sysadmins and developers using Zimbra and SELinux. We run SELinux on all of our servers where possible and don't want to compromise. I have searched through the forums and wiki, but only find people suggesting "turn it off". This isn't a solution, just a hack. Has anyone actually written a policy that works? Is there an SELinux module?
    Well, on RHEL/CentOS based systems, which come with a Targeted SELinux policy, I haven't seen any problems. Zimbra installs into /opt by default, and is thus granted the unconfined_t domain by SELinux.

    While perhaps not as ideal as having a specific SELinux policy built for Zimbra, it would at least allow you to have the rest of the system locked down.

    Zimbra has a lot of components, and I suspect writing such a policy would be no easy task... if you do manage to do that, I'd encourage you to post it on the wiki; there are probably other folks who'd be interested in that as well :-)

    Have a good one,
    -Eric
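    An added example of how to verify what post #2 describes on a live host (this is my own check script, not something Eric or Zimbra published): it reports which SELinux domain the processes owned by the zimbra user actually run in, so you can confirm they really land in unconfined_t under the targeted policy and spot any that are being confined. The parsing functions are exercised on a constructed `ps` sample; the process labels, PIDs and the `zimbra` user name in that sample are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): check which SELinux domain the Zimbra
# processes actually run in. Under the RHEL/CentOS targeted policy a daemon
# started from /opt/zimbra is expected to run as unconfined_t, as post #2
# describes; a confined domain means the targeted policy is being applied to
# that process and AVC denials become possible.
#
# The parsing functions read lines in the form produced by
#   ps -eo label,pid,user,comm
# i.e. "LABEL PID USER COMMAND" (the caller skips the header line).

# Print "<unconfined> <confined>" counts for the processes on stdin.
domain_summary() {
    awk '{ if ($1 ~ /:unconfined_t:/) u++; else c++ }
         END { printf "%d %d\n", u + 0, c + 0 }'
}

# Print "<domain> <command>" for every process NOT in unconfined_t.
confined_processes() {
    awk '$1 !~ /:unconfined_t:/ { split($1, f, ":"); print f[3], $4 }'
}

# Constructed sample (made-up PIDs and a deliberately mixed set of labels).
SAMPLE_PS='unconfined_u:unconfined_r:unconfined_t:s0 1201 zimbra java
system_u:system_r:unconfined_t:s0 1230 zimbra mysqld
system_u:system_r:postfix_master_t:s0 1244 root master
system_u:system_r:httpd_t:s0 1302 apache httpd'

# Live check on a real host; skipped quietly where SELinux tools are absent.
selinux_report() {
    command -v getenforce >/dev/null 2>&1 || { echo "SELinux tools not installed"; return 0; }
    echo "mode: $(getenforce)"              # Enforcing / Permissive / Disabled
    ls -Zd /opt/zimbra 2>/dev/null          # file context of the install tree
    echo "zimbra processes (unconfined confined):"
    ps -eo label,pid,user,comm | awk 'NR > 1 && $3 == "zimbra"' | domain_summary
    ps -eo label,pid,user,comm | awk 'NR > 1 && $3 == "zimbra"' | confined_processes
    # Denials are logged in Permissive mode too, which is why a host that is
    # "non-enforcing" (post #3) can still show SELinux-related noise:
    #   ausearch -m avc -ts recent
}

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_PS" | domain_summary       # 2 2
printf '%s\n' "$SAMPLE_PS" | confined_processes
```

    On a real box you would call `selinux_report`; the two confined entries in the sample (a postfix master and an httpd) are the kind of thing to look for, since Zimbra bundles its own copies of such daemons under /opt/zimbra and they should not be picking up the system policy's confined types.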

  3. #3
    Rich Graves, Outstanding Member
    Join Date: Jan 2007
    Location: Minnesota
    Posts: 719
    Rep Power: 9

    See http://bugzilla.zimbra.com/show_bug.cgi?id=13301 for one known problem even if SELinux is in non-enforcing mode.

    I'd feel better if Zimbra had a strong "we don't support SELinux or iptables" statement rather than simply telling people to turn them off.

    I am probably going to run Zimbra with SELinux disabled. I will *not* disable iptables, but I will remove RedHat's default --state, which I've observed causing problems on high-traffic web/email/ldap servers.

    Other than iptables state exhaustion and stupid things like blocking ports that Zimbra is documented to need, what problems could iptables cause for Zimbra? I can understand not wanting to support RedHat's entire OS just to be able to support your product, but can the community think of a real reason that the firewall needs to be disabled?

  4. #4
    bewley, Project Contributor
    Join Date: Mar 2007
    Posts: 11
    Rep Power: 8

    Zimbra is open source and you can buy support. From postings it's obvious that paid support doesn't want you to use iptables or SELinux. That's just to save them some headaches, I'm sure. There are apparently a lot of Linux newbies out there. So that's an easy out.

    It is open source, it's well behaved, it's based on well known components. If you don't want to turn off iptables, leave it on and map out the ports you need to open. It should only take a few minutes. I plan to do the same, but haven't gotten to it yet. For now I'm relying on my firewall, but I prefer to run both.

    Looks like someone has already done it.
    http://wiki.zimbra.com/index.php?tit..._Configuration

    SELinux is a different ball of wax. That will take time.

  5. #5
    Mistoffeles, Senior Member
    Join Date: Oct 2007
    Posts: 70
    Rep Power: 7

    If you have other services running, you might need to remap the Zimbra ports to higher numbers, but if all you are running on this server is Zimbra all you need to do is use a good iptables configuration. The one posted above I am uncertain about, but iptablesrocks.org contains some standardized iptables scripts of which you could use the standard web server example, adding only the 7071 port that Zimbra requires, for a standalone server.

    For a clustered environment you would also need to add the ports shown in the last section of the script posted above (not the one on iptablesrocks.org).

    IPTables runs fine with Zimbra, SELinux very much does not (and is not nearly as good as most of the babble about it purports).
    - Misty
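    Since posts #4 and #5 both come down to "map out the ports and write the iptables rules", here is an added example of doing that in a reviewable way; it is my own script, not the wiki page or the iptablesrocks.org script referenced above. The only port taken from the thread is 7071; the other service ports, the SSH port and the admin network are assumptions for a single-server install and need checking against what your own host actually listens on.

```shell
#!/bin/sh
# Added example, not the wiki or iptablesrocks.org script from the thread:
# generate a minimal iptables INPUT policy for a standalone Zimbra host.
# Only port 7071 comes from the thread; everything else below is an
# assumption for a single-server install and must be checked against the
# ports your own deployment actually listens on (e.g. ss -ltnp).

# Assumed public TCP services: SMTP, HTTP, HTTPS, POP3, IMAP, IMAPS, POP3S.
ZIMBRA_TCP_PORTS="25 80 443 110 143 993 995"
# Ports reachable only from the admin network: SSH (assumed) and the Zimbra
# admin console on 7071 from the thread, which should not face the Internet.
ADMIN_TCP_PORTS="22 7071"
ADMIN_SRC="192.0.2.0/24"      # placeholder: RFC 5737 documentation range

# Print the rules rather than applying them, so the set can be reviewed
# (and kept in version control) and then applied with:  gen_rules | sh
gen_rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Stateful match for replies to connections this host initiated.
    # Post #3 drops --state on busy hosts to avoid conntrack exhaustion;
    # if you do the same, either raise nf_conntrack_max instead or allow
    # reply traffic explicitly, otherwise outbound DNS/SMTP replies hit DROP.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $ADMIN_TCP_PORTS; do
        echo "iptables -A INPUT -p tcp -s $ADMIN_SRC --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $ZIMBRA_TCP_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Rate-limited log of whatever falls through to the DROP policy.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'iptables-drop: '"
}

# Review helper: the distinct destination ports the rule set opens.
opened_ports() {
    gen_rules | awk '{ for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1) }' | sort -n | uniq
}

# Review helper: the number of ACCEPT rules generated.
accept_rule_count() {
    gen_rules | grep -c -e '-j ACCEPT'
}

gen_rules
```

    The design choice worth noting is that 7071 is treated as an admin port and limited to a source network rather than opened to the world, which answers Misty's "adding only the 7071 port" without exposing the admin console; for the clustered case the extra inter-node ports from the wiki script would go into a third list restricted to the cluster's own addresses. `opened_ports` gives a quick diff target when the list changes.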
