Re: tmpfs / selinux issue

[Leon Fauster via CentOS <centos@xxxxxxxxxx>]

Am 26.07.20 um 12:23 schrieb Strahil Nikolov:

> На 25 юли 2020 г. 14:20:19 GMT+03:00, Leon Fauster via CentOS <centos@xxxxxxxxxx> написа:
> > Hi all,
> >
> > I have some AVC in the logs and wonder how to resolve this: Under
> > EL8 (enforcing SElinux) I have /var/lib/php/session mounted as tmpfs.
> >
> >
> > # tail -1 /etc/fstab
> > tmpfs  /var/lib/php/session  tmpfs
> > defaults,noatime,mode=770,gid=apache,size=16777216,context="system_u:object_r:httpd_var_run_t:s0"
> >
> >   0 0
> >
> > # df -a |grep php
> > tmpfs              16384       0     16384    0% /var/lib/php/session
> >
> > # ls -laZ /var/lib/php/session
> > insgesamt 0
> > drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0 40 24.
> > Jul 15:36 .
> > drwxr-xr-x. 6 root root   system_u:object_r:httpd_var_lib_t:s0 68  7.
> > Jul 10:54 ..
> >
> >
> > the applications can read the session data without any problems.
> >
> >
> >
> > When I reboot the system following AVC appears:
> >
> > # last |grep ^re|head -3
> > reboot   system boot  4.18.0-193.6.3.e Fri Jul 24 15:28   still running
> > reboot   system boot  4.18.0-193.6.3.e Fri Jul 24 13:33 - 15:27
> > (01:54)
> > reboot   system boot  4.18.0-193.6.3.e Fri Jul 24 01:20 - 13:33
> > (12:13)
> >
> >
> > # ausearch -m avc --start today
> > ----
> > time->Fri Jul 24 01:20:08 2020
> > type=AVC msg=audit(1595546408.754:28): avc:  denied  { remount } for
> > pid=952 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0
> > tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem
> > permissive=0
> > ----
> > time->Fri Jul 24 13:34:04 2020
> > type=AVC msg=audit(1595590444.080:29): avc:  denied  { remount } for
> > pid=1020 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0
> > tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem
> > permissive=0
> > ----
> > time->Fri Jul 24 15:28:40 2020
> > type=AVC msg=audit(1595597320.783:28): avc:  denied  { remount } for
> > pid=934 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0
> > tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem
> > permissive=0
> >
> >
> > I wonder about the "remount" and the comm="ostnamed".
> >
> > I do not found any ostnamed application, the closest is hostnamed.
> >
> > Should the tmpfs be mounted differently (without fstab entry)?
> >
> > To get rid of the AVC I could add the corresponding policy
> > "allow init_t httpd_var_run_t:filesystem remount;" but is this
> > not a bit of overkill?
> >
> > Any hints about what the cause is?
> >
> > I'd really appreciate any ideas on this.
>
> Hi  Leon,
>
> have you tried mounting with 'httpd_sys_rw_content_t'  instead  of 
'httpd_var_run_t' ?
>


The latter is the standard selinux context. So I prefer to go with it.

umount /var/lib/php/session
restorecon -v -R /var/lib/php/

# LANG=C ls -laZ  /var/lib/php/session
total 8
drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0 4096 May 
7 04:39 .


mount /var/lib/php/session/
# LANG=C ls -laZ  /var/lib/php/session
total 4
drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0   40 Jul 
26 17:19 .


The application does NOT have any problems to write to this directory.

Its "just" the audit/AVC denys that are the issues ...

I'm not sure what triggers this remounts?

--
Leon

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos