Tmpfs / Selinux Issue
Hi all,
I have some AVC in the logs and wonder how to resolve this: Under EL8 (enforcing SElinux) I have /var/lib/php/session mounted as tmpfs.
# tail -1 /etc/fstab tmpfs /var/lib/php/session tmpfs defaults,noatime,modew0,gid=apache,size777216,context=”system_u:object_r:httpd_var_run_t:s0″
0 0
# df -a |grep php tmpfs 16384 0 16384 0% /var/lib/php/session
# ls -laZ /var/lib/php/session insgesamt 0
drwxrwx—. 2 root apache system_u:object_r:httpd_var_run_t:s0 40 24. Jul 15:36 . drwxr-xr-x. 6 root root system_u:object_r:httpd_var_lib_t:s0 68 7. Jul 10:54 ..
the applications can read the session data without any problems.
When I reboot the system following AVC appears:
# last |grep ^re|head -3
reboot system boot 4.18.0-193.6.3.e Fri Jul 24 15:28 still running reboot system boot 4.18.0-193.6.3.e Fri Jul 24 13:33 – 15:27 (01:54)
reboot system boot 4.18.0-193.6.3.e Fri Jul 24 01:20 – 13:33 (12:13)
# ausearch -m avc –start today
—
4 thoughts on - Tmpfs / Selinux Issue
Hi Leon,
have you tried mounting with ‘httpd_sys_rw_content_t’ instead of ‘httpd_var_run_t’ ?
Best Regards, Strahil Nikolov
На 25 юли 2020 г. 14:20:19 GMT+03:00, Leon Fauster via CentOS написа:
Am 26.07.20 um 12:23 schrieb Strahil Nikolov:
>
> Hi Leon,
>
> have you tried mounting with ‘httpd_sys_rw_content_t’ instead of
‘httpd_var_run_t’ ?
>
The latter is the standard selinux context. So I prefer to go with it.
umount /var/lib/php/session restorecon -v -R /var/lib/php/
# LANG=C ls -laZ /var/lib/php/session total 8
drwxrwx—. 2 root apache system_u:object_r:httpd_var_run_t:s0 4096 May
7 04:39 .
mount /var/lib/php/session/
# LANG=C ls -laZ /var/lib/php/session total 4
drwxrwx—. 2 root apache system_u:object_r:httpd_var_run_t:s0 40 Jul
26 17:19 .
The application does NOT have any problems to write to this directory.
Its “just” the audit/AVC denys that are the issues …
I’m not sure what triggers this remounts?
—
Leon
You don’t happen to have snapd installed, do you? I can see several bugs posted related to snapd and selinux failures similar to that.
—
Jonathan Billings
Am 26.07.20 um 17:23 schrieb Leon Fauster:
It seems related to namespaces of systemd execution environments, especially this setting:
$ grep -R PrivateD /usr/lib/systemd/system
/usr/lib/systemd/system/haveged.service:PrivateDevices=true
/usr/lib/systemd/system/dbus-org.freedesktop.locale1.service:PrivateDevices=yes
/usr/lib/systemd/system/systemd-localed.service:PrivateDevices=yes
/usr/lib/systemd/system/systemd-hostnamed.service:PrivateDevices=yes
/usr/lib/systemd/system/systemd-coredump@.service:PrivateDevices=yes
/usr/lib/systemd/system/dbus-org.freedesktop.hostname1.service:PrivateDevices=yes
/usr/lib/systemd/system/systemd-resolved.service:PrivateDevices=yes
So I migrate the above mentioned (EL6 legacy) configuration to /run. More compliant with EL8 and no AVC logs anymore.
—
Leon