Tmpfs / Selinux Issue


Hi all,

I have some AVC in the logs and wonder how to resolve this: Under EL8 (enforcing SElinux) I have /var/lib/php/session mounted as tmpfs.

# tail -1 /etc/fstab
tmpfs /var/lib/php/session tmpfs defaults,noatime,modew0,gid=apache,size777216,context="system_u:object_r:httpd_var_run_t:s0" 0 0

# df -a |grep php
tmpfs 16384 0 16384 0% /var/lib/php/session

# ls -laZ /var/lib/php/session
insgesamt 0
drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0 40 24. Jul 15:36 .
drwxr-xr-x. 6 root root system_u:object_r:httpd_var_lib_t:s0 68 7. Jul 10:54 ..

The applications can read the session data without any problems.

When I reboot the system, the following AVC appears:

# last |grep ^re|head -3
reboot system boot 4.18.0-193.6.3.e Fri Jul 24 15:28 still running
reboot system boot 4.18.0-193.6.3.e Fri Jul 24 13:33 - 15:27 (01:54)
reboot system boot 4.18.0-193.6.3.e Fri Jul 24 01:20 - 13:33 (12:13)

# ausearch -m avc --start today

4 thoughts on - Tmpfs / Selinux Issue

  • Hi Leon,

    have you tried mounting with ‘httpd_sys_rw_content_t’ instead of ‘httpd_var_run_t’ ?

    Best Regards, Strahil Nikolov

    On 25 July 2020 at 14:20:19 GMT+03:00, Leon Fauster via CentOS wrote:

  • On 26.07.20 at 12:23, Strahil Nikolov wrote:

    >
    > Hi Leon,
    >
    > have you tried mounting with ‘httpd_sys_rw_content_t’ instead of
    > ‘httpd_var_run_t’ ?
    >

    The latter is the standard selinux context. So I prefer to go with it.

    umount /var/lib/php/session
    restorecon -v -R /var/lib/php/

    # LANG=C ls -laZ /var/lib/php/session
    total 8
    drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0 4096 May 7 04:39 .

    mount /var/lib/php/session/
    # LANG=C ls -laZ /var/lib/php/session
    total 4
    drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0 40 Jul 26 17:19 .

    The application does NOT have any problems to write to this directory.

    It’s “just” the audit/AVC denials that are the issue …

    I’m not sure what triggers these remounts.


    Leon

  • You don’t happen to have snapd installed, do you? I can see several bugs posted related to snapd and selinux failures similar to that.


    Jonathan Billings

  • On 26.07.20 at 17:23, Leon Fauster wrote:

    It seems related to namespaces of systemd execution environments, especially this setting:

    $ grep -R PrivateD /usr/lib/systemd/system
    /usr/lib/systemd/system/haveged.service:PrivateDevices=true
    /usr/lib/systemd/system/dbus-org.freedesktop.locale1.service:PrivateDevices=yes
    /usr/lib/systemd/system/systemd-localed.service:PrivateDevices=yes
    /usr/lib/systemd/system/systemd-hostnamed.service:PrivateDevices=yes
    /usr/lib/systemd/system/systemd-coredump@.service:PrivateDevices=yes
    /usr/lib/systemd/system/dbus-org.freedesktop.hostname1.service:PrivateDevices=yes
    /usr/lib/systemd/system/systemd-resolved.service:PrivateDevices=yes

    So I migrated the above-mentioned (EL6 legacy) configuration to /run. That is more compliant with EL8, and there are no AVC logs anymore.


    Leon
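To work out from the audit log itself which processes are remounting over the labelled tmpfs (the "what triggers these remounts" question above), here is an added Python helper that is not from the thread or any of its posters. It parses AVC records in the format ausearch prints, keeps only denials whose target type is httpd_var_run_t and groups them by source domain and process; the sample records, including their comm values, are constructed for illustration, since the thread's own ausearch output is not available.

```python
import re
from collections import Counter

# Constructed sample records in the standard audit AVC format (the thread's
# own ausearch output is not available); the comm values are illustrative.
SAMPLE_AVC = """\
type=AVC msg=audit(1595600001.101:210): avc:  denied  { mount } for  pid=812 comm="(haveged)" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1595600001.105:211): avc:  denied  { unmount } for  pid=812 comm="(haveged)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1595600002.300:215): avc:  denied  { mount } for  pid=830 comm="(hostnamed)" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1595600010.000:240): avc:  denied  { write } for  pid=1201 comm="php-fpm" name="sess_abc" dev="tmpfs" ino=7 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC record into a dict (result, perms list, key=value fields); None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec

def selinux_type(context):
    """Extract the type field from user:role:type:level."""
    return context.split(":")[2]

def summarize(log_text, target_type="httpd_var_run_t"):
    """Count denials whose target carries target_type, keyed by (source type, comm, tclass, perms)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["result"] != "denied" or selinux_type(rec.get("tcontext", "::")) != target_type:
            continue
        counts[(selinux_type(rec.get("scontext", "::")), rec.get("comm", "?"), rec["tclass"], " ".join(rec["perms"]))] += 1
    return counts

def remount_sources(counts):
    """Processes that (un)mounted the labelled filesystem: the namespaced services doing the remounts."""
    return {comm for (_, comm, tclass, perms) in counts
            if tclass == "filesystem" and {"mount", "unmount", "remount"} & set(perms.split())}

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AVC).items():
        print(n, *key)
    print("remount sources:", sorted(remount_sources(summarize(SAMPLE_AVC))))
```

On a real host, feed it the output of `ausearch -m avc --start today` instead of SAMPLE_AVC; the php-fpm record in the sample shows that denials against other target types are dropped from the summary.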