Saturday, August 27, 2016

Mod_security issues with Roundcube, opencloud and other software

If Roundcube, opencloud or any other application running behind Apache with mod_security misbehaves or shows strange behaviour, check /var/log/httpd/modsec_audit.log for errors.

In my case I was not able to send/forward emails with national ("non-english") characters in the message content.

Some of the mod_security rules are outdated and can produce false positives.

Sample issue:
Message: Access denied with code 403 (phase 2). Pattern match "\\W{4,}" at ARGS:_message. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: ):\x0d\x0a>  found within ARGS:_message:...

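If you believe that rule is not needed for your application, edit httpd.conf and add the following directive to your (VirtualHost) config. It disables the rule for every request handled by that VirtualHost, not only for the _message parameter: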
SecRuleRemoveById 960024

Restart Apache and check whether your app works now; if not, check modsec_audit.log for more issues.
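
To see which rules and which request parameters are behind the denials before removing anything, the Message lines of the audit log can be tallied. The script below is an added example, not part of the original post; the sample log lines are constructed, and the rule ids 999001/999002 and the local_rules.conf path are made up for illustration.

```shell
#!/usr/bin/env bash
# Tally ModSecurity 2.x denials by rule id and matched variable.

# Constructed sample (not real log data). The first entry follows the alert
# quoted in the post; ids 999001/999002 and local_rules.conf are made up.
sample_log() {
cat <<'EOF'
--1a2b3c4d-H--
Message: Access denied with code 403 (phase 2). Pattern match "\\W{4,}" at ARGS:_message. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: ):\x0d\x0a> found within ARGS:_message: constructed body 1"]
--5e6f7a8b-H--
Message: Access denied with code 403 (phase 2). Pattern match "\\W{4,}" at ARGS:_message. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: !!!! found within ARGS:_message: constructed body 2"]
--9c0d1e2f-H--
Message: Access denied with code 403 (phase 2). Pattern match "constructed" at ARGS:comment. [file "/etc/httpd/modsecurity.d/local_rules.conf"] [line "5"] [id "999001"] [msg "Constructed blocking rule"]
--3a4b5c6d-H--
Message: Warning. Pattern match "constructed" at ARGS:q. [file "/etc/httpd/modsecurity.d/local_rules.conf"] [line "9"] [id "999002"] [msg "Constructed log-only rule"]
EOF
}

# stdin: audit log text.
# stdout: "<count> <rule id> <variable> <msg>", most frequent first.
# Only blocking alerts are counted; "Message: Warning." lines are skipped.
summarize_denials() {
    grep -a '^Message: Access denied' |
    sed -nE 's/^.* at ([^ ]+)\. \[file .*\[id "([0-9]+)".*\[msg "([^"]*)".*$/\2 \1 \3/p' |
    sort | uniq -c | sort -rn |
    sed -E 's/^ +//'
}

# Real use: summarize_denials < /var/log/httpd/modsec_audit.log
sample_log | summarize_denials
```

When a rule only ever fires on one variable, as 960024 does on ARGS:_message here, ModSecurity's `SecRuleUpdateTargetById 960024 "!ARGS:_message"` excludes just that variable and leaves the rule active for everything else.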

Sunday, August 7, 2016

Cannot start teamviewer in Fedora 24

A default installation of TeamViewer on Fedora 24 will not start because SELinux blocks it.

# systemctl -a | grep teamviewer
  teamviewerd.service  loaded   inactive dead  TeamViewer remote control daemon

# systemctl start teamviewerd.service
Job for teamviewerd.service failed because a fatal signal was delivered to the control process. See "systemctl status teamviewerd.service" and "journalctl -xe" for details.

To find the cause you can use the SELinux GUI tool:
sealert -b

Or the CLI tool:
ausearch -c 'teamviewerd'

Or you can check system logs:
# journalctl -xe
aug 04 14:23:17 fedora setroubleshoot[3240]: SELinux is preventing teamviewerd from using the execmem access on a process. For complete SELinux messages. run sealert -l 7c667284-3d59-4c06-9535-2aed4b8015df
aug 04 14:23:17 fedora python3[3240]: SELinux is preventing teamviewerd from using the execmem access on a process.
                                      *****  Plugin catchall (100. confidence) suggests   **************************
                                      If you believe that teamviewerd should be allowed execmem access on processes labeled init_t by default.
                                      Then you should report this as a bug.
                                      You can generate a local policy module to allow this access.
                                      allow this access for now by executing:
                                      # ausearch -c 'teamviewerd' --raw | audit2allow -M my-teamviewerd
                                      # semodule -X 300 -i my-teamviewerd.pp

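The solution (shown as a hint in sealert and journalctl) is to generate and install a local policy module. audit2allow -M also writes my-teamviewerd.te, which shows exactly what the module allows: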
# ausearch -c 'teamviewerd' --raw | audit2allow -M my-teamviewerd
# semodule -X 300 -i my-teamviewerd.pp

After that you should be able to start the TeamViewer service:
systemctl start teamviewerd.service
[root ~] # systemctl status teamviewerd.service
● teamviewerd.service - TeamViewer remote control daemon
   Loaded: loaded (/etc/systemd/system/teamviewerd.service; enabled; vendor preset: disabled)
   Active: active (running) since sun 2016-08-04 14:32:45 CEST; 1min 50s ago
  Process: 4228 ExecStart=/opt/teamviewer/tv_bin/teamviewerd -d (code=exited, status=0/SUCCESS)
 Main PID: 4230 (teamviewerd)
    Tasks: 19 (limit: 512)
   CGroup: /system.slice/teamviewerd.service
           └─4230 /opt/teamviewer/tv_bin/teamviewerd -d

aug 04 14:32:45 fedora systemd[1]: Starting TeamViewer remote control daemon...
aug 04 14:32:45 fedora systemd[1]: teamviewerd.service: PID file /var/run/ not readable (yet?) after start: No such file or directory
aug 04 14:32:45 fedora systemd[1]: Started TeamViewer remote control daemon.