Did you know? SELinux is not a Zimbra feature

This blog is about something that is not a Zimbra feature, yes you read it correctly, usually on the blog we highlight new or existing features. But this blog is a little different. Every now and then people write in the Zimbra forums or comment on blog posts saying they run Zimbra with SELinux in enforcing mode. This blog is an explanation why that does not bring the security benefits that are often assumed.

What is SELinux?

Security-Enhanced Linux (SELinux) defines access controls for processes and files on a Linux system. SELinux uses security policies, which are a set of rules that tell SELinux what can or can’t be accessed. Each file and each process running on a system with SELinux will have a so-called label. The label tells SELinux what policy to apply when determining if a specific action is permitted or denied. An action can be a write to a certain location, accessing a block device, connect to the network and so on. For more on SELinux see: https://www.redhat.com/en/topics/linux/what-is-selinux

Am I using SELinux?

If you are using a RedHat based distribution and did not disable SELinux, it should be in enforcing mode by default. You can check this by running the following command as root:

# getenforce
Enforcing

Enforcing mode means that SELinux will apply policies and will deny access in case some process is doing something it is not supposed to. Depending on your OS version you will see a log message “avc: denied” in /var/log/messages or /var/log/audit/audit.log or via journalctl. Other modes are permissive, where only the logs are generated but nothing is actually denied. Finally SELinux can be disabled, which means it does not do anything.

So why does SELinux don’t work with Zimbra?

To bring freedom of choice to our customers, Zimbra is designed to work on various operating systems. Throughout history we have supported the most popular operating systems at any given time. At some point we supported Debian, Fedora, SuSe and even MacOS. Currently we support RedHat, Oracle Linux, CentOS, Rocky Linux and Ubuntu.

And here we face an issue and that is that SELinux is a security mechanism that only works on RedHat based distributions. Ubuntu for example offers AppArmor to bring functionality similar to SELinux.

Unfortunately because SELinux is not cross-platform is was never really implemented in Zimbra and we are currently not planning supporting it.

So how does Zimbra work with SELinux?

Zimbra runs, but is not protected by SELinux. You can see this by running the command ps -xZ on your Zimbra server as root:

# ps -xZ | grep zimbra
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4181 ? Ss   0:00 nginx: master process /opt/zimbra/common/sbin/nginx -c /opt/zimbra/conf/nginx.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4706 ? Ss   0:00 /opt/zimbra/common/libexec/master -w
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5594 ? S   0:00 sudo /opt/zimbra/libexec/zmstat-fd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 5627 ? S   0:00 /usr/bin/perl -w /opt/zimbra/libexec/zmstat-fd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 14492 ? Ss   0:00 /opt/zimbra/libexec/zmmailboxdmgr start ... -Djava.net.preferIPv4Stack=true ...

The label unconfined_t is described in RedHat documentation as follows:

Unconfined Linux users run in the unconfined_t domain. For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules – it does not replace them.

By DAC rules the documentation refers to standard read-write permissions of the Linux file systems which are supported by Zimbra. And file system ACL’s which are not implemented in Zimbra.

So do I disable SELinux?

SELinux can still prevent non-zimbra processes that are installed via the OS distribution from doing bad things if they have unpatched security issues. So in that perspective you can still use SELinux. But with the above information you will understand that most of the attacks on Zimbra, happen on processes that are running unconfined. So in most cases SELinux is not going to help. The only real disadvantage of SELinux is that sometimes when you update your system a relabeling of (all) files on a server can be triggered, which can cause performance issues, or a really slow system startup.

Further reading

• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-targeted_policy-unconfined_processes
• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-introduction