CentOS6 & Kolab3.2 Fresh install

Stuart Naylor StuartIanNaylor at inbox.com
Wed Aug 13 02:54:55 CEST 2014


On Sunday 10 August 2014 22:52:18 jonte+kolab at yojimbo.org wrote:


Hi there,


I'm sort of new here and thought I would drop by and give an thumbs up for a very nicely run 
project. While I haven't really done much the project caught my eye about 6 month ago while 
looking for something suitable for an friend to run. Having used *Roundcube* Mail for a very long 
time it dropped by there and that's how I found this place.
For the first couple of months I just read the docs, then in may I tried building an test machine for 
the first time and ehmm nope that didn't work. Was the broken cyrus, so installing from the devel 
tree got the system running but it still lacked the resource management I saw in the docs but 
couldn't figure out why it wasn't working. 


Last week I had another look and /wow/ 3.3 is in beta, here is the */resource management/*... 
ehmm for /CentOS/ that didn't work, /Roundcube/ just didn't startup.  OH and the /kolab-
webadmin-3.2-5.el6.kolab_3.3.noarch.rpm/ is unsigned. oh well it's a beta.


So here are a few observation, but without running an actual machine in production of course, 
and yea it's CentOS


3.2 works very well with the default install, both the Cyrus imapd issue and the clamd.amavisd 
now installs without having to patch the setup script or using beta packages.
For some reason the documentation still say that selinux have to be turned off, this is possibly the 
case, but the https://github.com/kanarip/kolab-selinux[1] got it almost right.
I turn on both 
/usr/sbin/setsebool -P httpd_can_sendmail on # Cyres etc most things email
/usr/sbin/setsebool -P httpd_can_network_connect on # Filters in Roundmail
As for the /kolab.te/ file, it's slightly wrong probably due to the time since it was updated, I 
needed to change one line to add the */initrc_t/* type. 
#============= cyrus_t ==============
allow cyrus_t initrc_t:unix_stream_socket connectto;
Finally I added mod_security, since its after all a web server, so the http application firewall seems 
to fit very nicely for an security conscious individual ( reads: paranoid ).
yum -y install mod_security mod_security_crs mod_security_crs-extras
You probably don't need extras, but I was playing around. Ah the pain. Anyway, 2 things really 
needs adjusted:


     -  To enable active sync, find id 900012 in
/etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
     -  add: application/vnd.ms-sync.wbxm


Or you can add the following to the file */etc/httpd/conf.d/kolab-syncroton.conf*
<LocationMatch "^/Microsoft-Server-ActiveSync">
  SecRuleRemoveById 960010
  SecRuleRemoveById 960017 
</LocationMatch>
For the WAP pages, you need to add the following to the file //etc/httpd/conf.d/kolab-webadmin.conf/
<LocationMatch "^/kolab-webadmin/.*">
  SecRuleRemoveById 950007
  SecRuleRemoveById 960011
  SecRuleRemoveById 960015
  SecRuleRemoveById 960024
  SecRuleRemoveById 981173
  SecRuleRemoveById 981243
  SecRuleRemoveById 981245
  SecRuleRemoveById 981246
  SecRuleRemoveById 981257
</LocationMatch>
And now everything seems to work. If you're going to play around with mod_security, please 
know what your doing, it's an pain to figure out what's wrong. I cheated and used 
*http://www.samhobbs.co.uk/2014/05/apache-modsecurity-whitelist-generator-script[2]* to 
track down which modules where venerable, and it would probably be best if the mechanism didn't 
trigger these alerts, but I'm not an developer so it's probably safe. 


In conclusion I'm looking forward to 3.3 with the resource module coming out of beta and being 
released. Keep up the good work and keep your SElinux enabled. 


Cheers,
     Jonte.
 


To be honest jumping from debian selinux confused the hell out of me.
Initially I installed git and cloned from kanarip
Did a make -f /usr/share/selinux/devel/Makefile & semodule -i kolab.pp

Maybe my noobness but wasn't able to send emails.

So I started again fresh with a clean audit.log and did as many actions as possible.

created my own folder selinux & ran audit2allow -M kolab < /var/log/audit/audit.log


 /usr/sbin/setsebool -P httpd_can_sendmail on
 /usr/sbin/setsebool -P httpd_can_network_connect on
/usr/sbin/setsebool -P allow_ypbind on

so did the above cleaned audit.log removed the previous policy reboot and try some stuff again.

I ended up with a small te file and I guess all the sll and stuff is missing and also I should add the 
missing kanarip te entries.

module kolab 1.0;

require {
	type cyrus_t;
	type var_log_t;
	type dirsrvadmin_t;
	type postfix_smtpd_t;
	type postfix_master_t;
	type initrc_t;
	type console_device_t;
	class unix_stream_socket connectto;
	class file write;
	class chr_file open;
}

#============= cyrus_t ==============
allow cyrus_t initrc_t:unix_stream_socket connectto;

#============= dirsrvadmin_t ==============
allow dirsrvadmin_t console_device_t:chr_file open;

#============= postfix_master_t ==============
allow postfix_master_t var_log_t:file write;

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;

Edited /etc/selinux/config back to enforcing

reboot

Things seem to be running fine but haven't done the ssl side of things yet.

Just wondered by doing that way I have just accepted quite wide ranging defaults? Or is this 
dumb noob getting his head round selinux :)

Stuart



--------
[1] https://github.com/kanarip/kolab-selinux
[2] http://www.samhobbs.co.uk/2014/05/apache-modsecurity-whitelist-generator-script

____________________________________________________________
Can't remember your password? Do you need a strong and secure password?
Use Password manager! It stores your passwords & protects your account.
Check it out at http://mysecurelogon.com/password-manager
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kolab.org/pipermail/users/attachments/20140813/ff8d5ee7/attachment-0001.html>


More information about the users mailing list