Zimbra and SElinux

[rramsey]

I would like to know the experiences of sysadmins and developers using Zimbra and SELinux. We run SELinux on all of our servers where possible and don't want to compromise. I have searched through the forums and wiki, but only find people suggesting "turn it off". This isn't a solution, just a hack. Has anyone actually written a policy that works? Is there an SELinux module?

Thanks,

Ryan

[andreychek]

Quote:

Originally Posted by rramsey

I would like to know the experiences of sysadmins and developers using Zimbra and SELinux. We run SELinux on all of our servers where possible and don't want to compromise. I have searched through the forums and wiki, but only find people suggesting "turn it off". This isn't a solution, just a hack. Has anyone actually written a policy that works? Is there an SELinux module?

Well, on RHEL/CentOS based systems, which come with a Targeted SELinux policy, I haven't seen any problems. Zimbra installs into /opt by default, and thus granted an unconfined_t domain by SELinux.

While perhaps not as ideal as having a specific SELinux policy built for Zimbra, it would at least allow you to have the rest of the system locked down.

Zimbra has a lot of components, and I suspect writing such a policy would be no easy task... if you do manage to do that, I'd encourage you to post it on the wiki, there's probably other folks who'd be interested in that as well :-)

Have a good one,
-Eric

[Rich Graves]

See http://bugzilla.zimbra.com/show_bug.cgi?id=13301 for one known problem even if SELinux is in non-enforcing mode.

I'd feel better if Zimbra had a strong "we don't support SELinux or iptables" statement rather than simply telling people to turn them off.

I am probably going to run Zimbra with SELinux disabled. I will *not* disable iptables, but I will remove RedHat's default --state, which I've observed causing problems on high-traffic web/email/ldap servers.

Other than iptables state exhaustion and stupid things like blocking ports that Zimbra is documented to need, what problems could iptables cause for Zimbra? I can understand not wanting to support RedHat's entire OS just to be able to support your product, but can the community think of a real reason that the firewall needs to be disabled?

[bewley]

Zimbra is open source and you can buy support. From postings it's obvious that paid support doesn't want you to use iptables or SELinux. That's just to save them some headaches I'm sure. There are apparently a lot of linux newbies out there. So that's an easy out.

It is opensource, it's well behaved, it's based on well known components. If you don't want to turn off iptables leave it on and map out the ports you need to open. It should only take a few minutes. I plan to do the same, but haven't gotten to it yet. For now I'm relying on my firewall, but I prefer to run both.

Looks like someone has already done it.
http://wiki.zimbra.com/index.php?tit..._Configuration

SELinux is a different ball of wax. That will take time.

[Mistoffeles]

If you have other services running, you might need to remap the Zimbra ports to higher numbers, but if all you are running on this server is Zimbra all you need to do is use a good iptables configuration. The one posted above I am uncertain about, but iptablesrocks.org contains some standardized iptables scripts of which you could use the standard web server example, adding only the 7071 port that Zimbra requires, for a standalone server.

For a clustered environment you would also need to add the ports shown in the last section of the script posted above (not the one on iptablesrocks.org).

IPTables runs fine with Zimbra, SELinux very much does not (and is not nearly as good as most of the babble about it purports).