tmpfs / selinux issue




Hi all,

I have some AVCs in the logs and wonder how to resolve this: under
EL8 (SELinux enforcing) I have /var/lib/php/session mounted as tmpfs.


# tail -1 /etc/fstab
tmpfs /var/lib/php/session tmpfs defaults,noatime,mode=770,gid=apache,size=16777216,context="system_u:object_r:httpd_var_run_t:s0" 0 0

# df -a |grep php
tmpfs              16384       0     16384    0% /var/lib/php/session

# ls -laZ /var/lib/php/session
total 0
drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0 40 24. Jul 15:36 .
drwxr-xr-x. 6 root root system_u:object_r:httpd_var_lib_t:s0 68 7. Jul 10:54 ..


The applications can read the session data without any problems.



When I reboot the system, the following AVC appears:

# last |grep ^re|head -3
reboot   system boot  4.18.0-193.6.3.e Fri Jul 24 15:28   still running
reboot   system boot  4.18.0-193.6.3.e Fri Jul 24 13:33 - 15:27  (01:54)
reboot   system boot  4.18.0-193.6.3.e Fri Jul 24 01:20 - 13:33  (12:13)


# ausearch -m avc --start today
----
time->Fri Jul 24 01:20:08 2020
type=AVC msg=audit(1595546408.754:28): avc: denied { remount } for pid=952 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
----
time->Fri Jul 24 13:34:04 2020
type=AVC msg=audit(1595590444.080:29): avc: denied { remount } for pid=1020 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
----
time->Fri Jul 24 15:28:40 2020
type=AVC msg=audit(1595597320.783:28): avc: denied { remount } for pid=934 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0


I wonder about the "remount" and the comm="ostnamed".

I could not find any ostnamed application; the closest is hostnamed.

Should the tmpfs be mounted differently (without fstab entry)?

To get rid of the AVC I could add the corresponding policy
"allow init_t httpd_var_run_t:filesystem remount;" but is this
not a bit of overkill?

Any hints about what the cause is?

I'd really appreciate any ideas on this.

--
Leon







_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
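The three AVC records and the fstab line quoted above contain everything needed to (a) derive the type-enforcement rule Leon mentions, the way audit2allow would, and (b) confirm that the denial's tcontext is the context= type set on that tmpfs rather than some other filesystem. The script below is an added example, not code from the post or from any CentOS/SELinux tool; the AVC lines and fstab entry are embedded as constructed sample input copied from the thread. It does not decide whether the allow rule is the right fix; it only shows the minimal rule and which mount the denial is about.

```python
"""Correlate SELinux AVC 'remount' denials with fstab context= mounts.

Added example (not from the original post). Parses the audit records
and the fstab line quoted in the thread, emits the minimal allow rule
per (source type, target type, class) like audit2allow does, and maps
the denial's target type back to the fstab entry that assigned it.
"""
import re
from collections import defaultdict

# Sample input, constructed from the records quoted in the post.
AVC_RECORDS = """\
type=AVC msg=audit(1595546408.754:28): avc: denied { remount } for pid=952 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1595590444.080:29): avc: denied { remount } for pid=1020 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1595597320.783:28): avc: denied { remount } for pid=934 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
"""

# The fstab line from the post (constructed sample input).
FSTAB = """\
tmpfs /var/lib/php/session tmpfs defaults,noatime,mode=770,gid=apache,size=16777216,context="system_u:object_r:httpd_var_run_t:s0" 0 0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC record plus its permission list, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, raw, quoted in KV_RE.findall(m.group('kv')):
        fields[key] = quoted if raw.startswith('"') else raw
    fields['perms'] = m.group('perms').split()
    return fields


def type_of(context):
    """user:role:type:level -> type (the third colon-separated field)."""
    return context.split(':')[2]


def fstab_contexts(fstab_text):
    """Map mount point -> SELinux type for fstab entries carrying a context= option."""
    out = {}
    for line in fstab_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split()
        if len(parts) < 4:
            continue
        mountpoint, opts = parts[1], parts[3]
        m = re.search(r'context="?([^",]+)"?', opts)
        if m:
            out[mountpoint] = type_of(m.group(1))
    return out


def allow_rules(avc_text):
    """Collapse denials into 'allow src tgt:class perms;' lines, one per triple."""
    grouped = defaultdict(set)
    for line in avc_text.splitlines():
        f = parse_avc(line)
        if f is None:
            continue
        key = (type_of(f['scontext']), type_of(f['tcontext']), f['tclass'])
        grouped[key].update(f['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = ' '.join(sorted(perms))
        body = f'{{ {p} }}' if len(perms) > 1 else p
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules


def correlate(avc_text, fstab_text):
    """For each filesystem-class denial: (comm, perms, fstab mount with that context= type or None)."""
    by_type = defaultdict(list)
    for mountpoint, t in fstab_contexts(fstab_text).items():
        by_type[t].append(mountpoint)
    hits = []
    for line in avc_text.splitlines():
        f = parse_avc(line)
        if f is None or f['tclass'] != 'filesystem':
            continue
        mounts = by_type.get(type_of(f['tcontext']), [])
        hits.append((f['comm'], f['perms'], mounts[0] if mounts else None))
    return hits


if __name__ == '__main__':
    for rule in allow_rules(AVC_RECORDS):
        print(rule)
    for comm, perms, mount in correlate(AVC_RECORDS, FSTAB):
        print(f'{comm}: {" ".join(perms)} on {mount}')
```

The rule it emits is exactly the `allow init_t httpd_var_run_t:filesystem remount;` from the post, and the correlation shows all three denials target the type that the fstab context= option put on /var/lib/php/session. Before shipping such a rule in a local module, a practitioner would check whether policy already covers it with `sesearch -A -s init_t -t httpd_var_run_t -c filesystem -p remount` (setools), so the module is not added when a booleans or policy update has already made it unnecessary.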
