In case you find roundcube, opencloud or any other software working under apache/mod_security server having issues or strange behaviour check /var/log/httpd/modsec_audit.log for errors.
In my case I was not able to send/forward emails with national ("non-english") characters in the message content.
Some of the mod_security rules are outdated and they can produce false-positives.
Sample issue:
Message: Access denied with code 403 (phase 2). Pattern match "\\W{4,}" at ARGS:_message. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: ):\x0d\x0a> found within ARGS:_message:...
If you believe that rule is not needed for your application you need to edit httpd.conf and add following rule to your (VirtualHost) config:
SecRuleRemoveById 960024
Restart apache, check if your app works now, if not - check for more issues in modsec_audit.log.
Saturday, August 27, 2016
Sunday, August 7, 2016
Cannot start teamviewer in Fedora 24
Default installation of Teamviewer on Fedora 24 will not start due to SELinux issues.
# systemctl -a | grep teamviewer
teamviewerd.service loaded inactive dead TeamViewer remote control daemon
# systemctl start teamviewerd.service
Job for teamviewerd.service failed because a fatal signal was delivered to the control process. See "systemctl status teamviewerd.service" and "journalctl -xe" for details.
To fix it you can use SELinux GUI tool:
sealert -b
Or CLI tool:
ausearch -c 'teamviewerd'
Or you can check system logs:
# journalctl -xe
aug 04 14:23:17 fedora setroubleshoot[3240]: SELinux is preventing teamviewerd from using the execmem access on a process. For complete SELinux messages. run sealert -l 7c667284-3d59-4c06-9535-2aed4b8015df
aug 04 14:23:17 fedora python3[3240]: SELinux is preventing teamviewerd from using the execmem access on a process.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that teamviewerd should be allowed execmem access on processes labeled init_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'teamviewerd' --raw | audit2allow -M my-teamviewerd
# semodule -X 300 -i my-teamviewerd.pp
The solution(shown as a hint in sealert and journalctl), which is to run:
# ausearch -c 'teamviewerd' --raw | audit2allow -M my-teamviewerd
# semodule -X 300 -i my-teamviewerd.pp
After that you should be able to start Teamviewer service:
systemctl start teamviewerd.service
[root ~] # systemctl status teamviewerd.service
● teamviewerd.service - TeamViewer remote control daemon
Loaded: loaded (/etc/systemd/system/teamviewerd.service; enabled; vendor preset: disabled)
Active: active (running) since sun 2016-08-04 14:32:45 CEST; 1min 50s ago
Process: 4228 ExecStart=/opt/teamviewer/tv_bin/teamviewerd -d (code=exited, status=0/SUCCESS)
Main PID: 4230 (teamviewerd)
Tasks: 19 (limit: 512)
CGroup: /system.slice/teamviewerd.service
└─4230 /opt/teamviewer/tv_bin/teamviewerd -d
aug 04 14:32:45 fedora systemd[1]: Starting TeamViewer remote control daemon...
aug 04 14:32:45 fedora systemd[1]: teamviewerd.service: PID file /var/run/teamviewerd.pid not readable (yet?) after start: No such file or directory
aug 04 14:32:45 fedora systemd[1]: Started TeamViewer remote control daemon.
# systemctl -a | grep teamviewer
teamviewerd.service loaded inactive dead TeamViewer remote control daemon
# systemctl start teamviewerd.service
Job for teamviewerd.service failed because a fatal signal was delivered to the control process. See "systemctl status teamviewerd.service" and "journalctl -xe" for details.
To fix it you can use SELinux GUI tool:
sealert -b
Or CLI tool:
ausearch -c 'teamviewerd'
Or you can check system logs:
# journalctl -xe
aug 04 14:23:17 fedora setroubleshoot[3240]: SELinux is preventing teamviewerd from using the execmem access on a process. For complete SELinux messages. run sealert -l 7c667284-3d59-4c06-9535-2aed4b8015df
aug 04 14:23:17 fedora python3[3240]: SELinux is preventing teamviewerd from using the execmem access on a process.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that teamviewerd should be allowed execmem access on processes labeled init_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'teamviewerd' --raw | audit2allow -M my-teamviewerd
# semodule -X 300 -i my-teamviewerd.pp
The solution(shown as a hint in sealert and journalctl), which is to run:
# ausearch -c 'teamviewerd' --raw | audit2allow -M my-teamviewerd
# semodule -X 300 -i my-teamviewerd.pp
After that you should be able to start Teamviewer service:
systemctl start teamviewerd.service
[root ~] # systemctl status teamviewerd.service
● teamviewerd.service - TeamViewer remote control daemon
Loaded: loaded (/etc/systemd/system/teamviewerd.service; enabled; vendor preset: disabled)
Active: active (running) since sun 2016-08-04 14:32:45 CEST; 1min 50s ago
Process: 4228 ExecStart=/opt/teamviewer/tv_bin/teamviewerd -d (code=exited, status=0/SUCCESS)
Main PID: 4230 (teamviewerd)
Tasks: 19 (limit: 512)
CGroup: /system.slice/teamviewerd.service
└─4230 /opt/teamviewer/tv_bin/teamviewerd -d
aug 04 14:32:45 fedora systemd[1]: Starting TeamViewer remote control daemon...
aug 04 14:32:45 fedora systemd[1]: teamviewerd.service: PID file /var/run/teamviewerd.pid not readable (yet?) after start: No such file or directory
aug 04 14:32:45 fedora systemd[1]: Started TeamViewer remote control daemon.
Subscribe to:
Posts (Atom)