Hi all,

I have some AVC in the logs and wonder how to resolve this: Under
EL8 (enforcing SElinux) I have /var/lib/php/session mounted as tmpfs.

# tail -1 /etc/fstab
tmpfs /var/lib/php/session tmpfs defaults,noatime,mode=770,gid=apache,size=16777216,context="system_u:object_r:httpd_var_run_t:s0" 0 0

# df -a |grep php
tmpfs 16384 0 16384 0% /var/lib/php/session

# ls -laZ /var/lib/php/session
total 0
drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0 40 24. Jul 15:36 .
drwxr-xr-x. 6 root root system_u:object_r:httpd_var_lib_t:s0 68 7. Jul 10:54 ..

The applications can read the session data without any problems.

When I reboot the system the following AVC appears:

# last |grep ^re|head -3
reboot system boot 4.18.0-193.6.3.e Fri Jul 24 15:28 still running
reboot system boot 4.18.0-193.6.3.e Fri Jul 24 13:33 - 15:27 (01:54)
reboot system boot 4.18.0-193.6.3.e Fri Jul 24 01:20 - 13:33 (12:13)

# ausearch -m avc --start today
----
time->Fri Jul 24 01:20:08 2020
type=AVC msg=audit(1595546408.754:28): avc: denied { remount } for pid=952 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
----
time->Fri Jul 24 13:34:04 2020
type=AVC msg=audit(1595590444.080:29): avc: denied { remount } for pid=1020 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
----
time->Fri Jul 24 15:28:40 2020
type=AVC msg=audit(1595597320.783:28): avc: denied { remount } for pid=934 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0

I wonder about the "remount" and the comm="ostnamed".

I have not found any ostnamed application, the closest is hostnamed.

Should the tmpfs be mounted differently (without fstab entry)?

To get rid of the AVC I could add the corresponding policy
"allow init_t httpd_var_run_t:filesystem remount;" but is this
not a bit of overkill?

Any hints about what the cause is?

I'd really appreciate any ideas on this.

--
Leon
Hi Leon,

have you tried mounting with 'httpd_sys_rw_content_t' instead of 'httpd_var_run_t' ?

Best Regards,
Strahil Nikolov

On 25 July 2020 at 14:20:19 GMT+03:00, Leon Fauster via CentOS <centos at centos.org> wrote:
> Hi all,
>
> I have some AVC in the logs and wonder how to resolve this: Under
> EL8 (enforcing SElinux) I have /var/lib/php/session mounted as tmpfs.
>
> # tail -1 /etc/fstab
> tmpfs /var/lib/php/session tmpfs defaults,noatime,mode=770,gid=apache,size=16777216,context="system_u:object_r:httpd_var_run_t:s0" 0 0
>
> [...]
>
> I wonder about the "remount" and the comm="ostnamed".
>
> I have not found any ostnamed application, the closest is hostnamed.
>
> Should the tmpfs be mounted differently (without fstab entry)?
>
> To get rid of the AVC I could add the corresponding policy
> "allow init_t httpd_var_run_t:filesystem remount;" but is this
> not a bit of overkill?
>
> Any hints about what the cause is?
>
> I'd really appreciate any ideas on this.
>
> --
> Leon
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
On 26.07.20 at 12:23, Strahil Nikolov wrote:
> On 25 July 2020 at 14:20:19 GMT+03:00, Leon Fauster via CentOS <centos at centos.org> wrote:
>> Hi all,
>>
>> I have some AVC in the logs and wonder how to resolve this: Under
>> EL8 (enforcing SElinux) I have /var/lib/php/session mounted as tmpfs.
>>
>> [...]
>>
>> To get rid of the AVC I could add the corresponding policy
>> "allow init_t httpd_var_run_t:filesystem remount;" but is this
>> not a bit of overkill?
>>
>> Any hints about what the cause is?
>>
>> I'd really appreciate any ideas on this.
>>
>
> Hi Leon,
>
> have you tried mounting with 'httpd_sys_rw_content_t' instead of 'httpd_var_run_t' ?
>

The latter is the standard selinux context. So I prefer to go with it.

umount /var/lib/php/session
restorecon -v -R /var/lib/php/

# LANG=C ls -laZ /var/lib/php/session
total 8
drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0 4096 May 7 04:39 .

mount /var/lib/php/session/

# LANG=C ls -laZ /var/lib/php/session
total 4
drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0 40 Jul 26 17:19 .

The application does NOT have any problems writing to this directory. It's "just" the audit/AVC denials that are the issue ... I'm not sure what triggers these remounts?

--
Leon
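Editor's note with an added example (not code from the thread, nor from the systemd or selinux-policy projects). It addresses the two open questions above: the comm="(ostnamed)" in Leon's first message and "what triggers these remounts" in his reply. Two facts do the work. First, systemd renames the child it forks for a service, before that child calls execve(), to "(" plus the executable's basename with a leading "systemd-" stripped and only the last eight characters kept plus ")", so that the name fits the kernel's 15-character comm; /usr/lib/systemd/systemd-hostnamed becomes "(ostnamed)". Because the SELinux domain transition only happens at execve(), that pre-exec child still runs as init_t, which matches the scontext in the records. Second, systemd-hostnamed.service ships with ProtectSystem=strict, and to set that up systemd bind-remounts the existing mounts read-only inside the service's private mount namespace; each of those remounts is checked as filesystem { remount } against the mount's own label, and a tmpfs mounted with context="...httpd_var_run_t..." carries a label the stock policy does not list for init_t. The script below parses the three records as posted (re-typed as a constant), reproduces the systemd naming rule to map "(ostnamed)" back to a binary from a constructed candidate list, and renders the minimal Type Enforcement module the denials imply; the candidate paths and the module name are assumptions made for the example.

```python
"""Decode the AVC records from this thread (added example, not from the thread)."""
import re
from collections import Counter

# Constructed input: Leon's three records (ausearch's "time->" separators dropped).
SAMPLE_AVCS = """\
type=AVC msg=audit(1595546408.754:28): avc: denied { remount } for pid=952 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1595590444.080:29): avc: denied { remount } for pid=1020 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1595597320.783:28): avc: denied { remount } for pid=934 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
"""

# Constructed sample of service binaries to match a comm against (typical EL8 paths).
CANDIDATES = [
    "/usr/lib/systemd/systemd-hostnamed",
    "/usr/lib/systemd/systemd-logind",
    "/usr/lib/systemd/systemd-timedated",
    "/usr/lib/systemd/systemd-localed",
    "/usr/sbin/httpd",
]

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """One AVC record -> dict of its fields (None for lines that are not AVC records)."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "result": m["result"], "perms": m["perms"].split()}
    for key, val in KV_RE.findall(m["fields"]):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; policy rules name only the type.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def systemd_child_comm(exe_path):
    """Name systemd gives the child it forks for a service, before that child execs.

    Mirrors systemd's rename_process_from_path(): basename, drop a leading "systemd-",
    keep only the LAST eight characters, wrap in parentheses (fits the 15-char comm).
    The parentheses mean the denial hit systemd's pre-exec setup (namespaces, mounts),
    which is also why scontext is still init_t: the domain transition is at execve().
    """
    name = exe_path.rsplit("/", 1)[-1]
    if name.startswith("systemd-"):
        name = name[len("systemd-"):]
    return "(" + name[-8:] + ")"


def resolve_comm(comm, candidate_paths):
    """Executables whose pre-exec child would carry this comm."""
    return [p for p in candidate_paths if systemd_child_comm(p) == comm]


def summarize(log_text):
    """Collapse denials to (source type, target type, class, permission) -> count."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["scontext_type"], rec["tcontext_type"], rec["tclass"], perm)] += 1
    return counts


def te_module(counts, name="local_php_session_tmpfs"):
    """Smallest Type Enforcement module covering the summarized denials.

    Same shape audit2allow -M produces; the module name is a hypothetical choice.
    Build/load: checkmodule -M -m -o X.mod X.te; semodule_package -o X.pp -m X.mod; semodule -i X.pp
    """
    grouped = {}
    for src, tgt, cls, perm in counts:
        grouped.setdefault((src, tgt, cls), set()).add(perm)
    types = sorted({t for src, tgt, _ in grouped for t in (src, tgt)})
    classes = {}
    for (_, _, cls), perms in grouped.items():
        classes.setdefault(cls, set()).update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(grouped.items()):
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    counts = summarize(SAMPLE_AVCS)
    for (src, tgt, cls, perm), n in counts.items():
        print(f"{n}x {src} -> {tgt} : {cls} {{ {perm} }}")
    first = parse_avc(SAMPLE_AVCS.splitlines()[0])
    print(first["comm"], "->", resolve_comm(first["comm"], CANDIDATES))
    print(te_module(counts))
```

Before loading the generated module, compare it with what the stock policy already grants: `sesearch -A -s init_t -c filesystem -p remount` lists the filesystem labels systemd may already remount, which shows whether the custom context= on the tmpfs is the only thing outside the allowed set. A policy-free alternative worth testing is to label only the mount root rather than the superblock, i.e. mount(8)'s fscontext=/rootcontext= options instead of context=, so the filesystem-class check is made against the tmpfs label while files under the mount still get the httpd type; whether httpd's file creation then yields the expected labels has to be verified with ls -Z on that system.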
On Jul 25, 2020, at 07:20, Leon Fauster via CentOS <centos at centos.org> wrote:
>
> I wonder about the "remount" and the comm="ostnamed".
>
> I have not found any ostnamed application, the closest is hostnamed.

You don't happen to have snapd installed, do you? I can see several bugs posted related to snapd and selinux failures similar to that.

--
Jonathan Billings