Hi all,
I have some AVC in the logs and wonder how to resolve this: Under
EL8 (enforcing SElinux) I have /var/lib/php/session mounted as tmpfs.
# tail -1 /etc/fstab
tmpfs /var/lib/php/session tmpfs
defaults,noatime,mode=770,gid=apache,size=16777216,context="system_u:object_r:httpd_var_run_t:s0"
0 0
# df -a |grep php
tmpfs 16384 0 16384 0% /var/lib/php/session
# ls -laZ /var/lib/php/session
insgesamt 0
drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0 40 24.
Jul 15:36 .
drwxr-xr-x. 6 root root system_u:object_r:httpd_var_lib_t:s0 68 7.
Jul 10:54 ..
the applications can read the session data without any problems.
When I reboot the system following AVC appears:
# last |grep ^re|head -3
reboot system boot 4.18.0-193.6.3.e Fri Jul 24 15:28 still running
reboot system boot 4.18.0-193.6.3.e Fri Jul 24 13:33 - 15:27 (01:54)
reboot system boot 4.18.0-193.6.3.e Fri Jul 24 01:20 - 13:33 (12:13)
# ausearch -m avc --start today
----
time->Fri Jul 24 01:20:08 2020
type=AVC msg=audit(1595546408.754:28): avc: denied { remount } for
pid=952 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
----
time->Fri Jul 24 13:34:04 2020
type=AVC msg=audit(1595590444.080:29): avc: denied { remount } for
pid=1020 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
----
time->Fri Jul 24 15:28:40 2020
type=AVC msg=audit(1595597320.783:28): avc: denied { remount } for
pid=934 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
I wonder about the "remount" and the comm="ostnamed".
I do not found any ostnamed application, the closest is hostnamed.
Should the tmpfs be mounted differently (without fstab entry)?
To get rid of the AVC I could add the corresponding policy
"allow init_t httpd_var_run_t:filesystem remount;" but is this
not a bit of overkill?
Any hints about what the cause is?
I'd really appreciate any ideas on this.
--
Leon
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos