[CentOS] tmpfs / selinux issue

Sun Jul 26 10:23:37 UTC 2020
Strahil Nikolov <hunter86_bg at yahoo.com>

Hi Leon,

have you tried mounting with 'httpd_sys_rw_content_t' instead of 'httpd_var_run_t'?

Best Regards,
Strahil Nikolov

On 25 July 2020 at 14:20:19 GMT+03:00, Leon Fauster via CentOS <centos at centos.org> wrote:
>Hi all,
>
>I have some AVCs in the logs and wonder how to resolve this: under
>EL8 (enforcing SELinux) I have /var/lib/php/session mounted as tmpfs.
>
>
># tail -1 /etc/fstab
>tmpfs  /var/lib/php/session  tmpfs  defaults,noatime,mode=770,gid=apache,size=16777216,context="system_u:object_r:httpd_var_run_t:s0"  0 0
>
># df -a |grep php
>tmpfs              16384       0     16384    0% /var/lib/php/session
>
># ls -laZ /var/lib/php/session
>insgesamt 0
>drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0 40 24. Jul 15:36 .
>drwxr-xr-x. 6 root root   system_u:object_r:httpd_var_lib_t:s0 68  7. Jul 10:54 ..
>
>
>the applications can read the session data without any problems.
>
>
>
>When I reboot the system, the following AVC appears:
>
># last |grep ^re|head -3
>reboot   system boot  4.18.0-193.6.3.e Fri Jul 24 15:28   still running
>reboot   system boot  4.18.0-193.6.3.e Fri Jul 24 13:33 - 15:27  (01:54)
>reboot   system boot  4.18.0-193.6.3.e Fri Jul 24 01:20 - 13:33  (12:13)
>
>
># ausearch -m avc --start today
>----
>time->Fri Jul 24 01:20:08 2020
>type=AVC msg=audit(1595546408.754:28): avc:  denied  { remount } for pid=952 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
>----
>time->Fri Jul 24 13:34:04 2020
>type=AVC msg=audit(1595590444.080:29): avc:  denied  { remount } for pid=1020 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
>----
>time->Fri Jul 24 15:28:40 2020
>type=AVC msg=audit(1595597320.783:28): avc:  denied  { remount } for pid=934 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
>
>
>I wonder about the "remount" and the comm="ostnamed".
>
>I did not find any ostnamed application; the closest is hostnamed.
>
>Should the tmpfs be mounted differently (without fstab entry)?
>
>To get rid of the AVC I could add the corresponding policy
>"allow init_t httpd_var_run_t:filesystem remount;" but is this
>not a bit of overkill?
>
>Any hints about what the cause is?
>
>I'd really appreciate any ideas on this.
>
>--
>Leon
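A small triage helper for denials of the kind quoted above, added here as an example; it is not part of either message in the thread. It reads AVC records (a constructed sample with the same fields as Leon's records is embedded inline), collapses them into distinct source-type / target-type / class / permission tuples with a count, and renders each tuple as the allow rule that would be needed to silence it. The check it gives you: if the records collapse to a single tuple, a rule such as the one Leon proposes is as narrow as it can be; if the list is long or the target types are unexpected, that points at a labelling fix (such as the different mount context Strahil suggests) rather than at policy additions. The function names `avc_summary` and `avc_to_allow` are my own, and the rendering is a simplified one, not a replacement for audit2allow.

```shell
#!/bin/sh
# Constructed sample: three AVC records with the shape shown in the thread
# (illustrative pids/timestamps, not a copy of a real audit log).
AVC_SAMPLE='type=AVC msg=audit(1595546408.754:28): avc:  denied  { remount } for pid=952 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1595590444.080:29): avc:  denied  { remount } for pid=1020 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1595597320.783:28): avc:  denied  { remount } for pid=934 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0'

# avc_summary: read AVC records on stdin and print one line per distinct
# "<source type> <target type>:<class> <permission>" tuple, prefixed by
# how many records mapped onto it.
avc_summary() {
    awk '
    /type=AVC/ && /avc: +denied/ {
        # permission set sits between "{ " and " }"
        perm = $0
        sub(/.*[{] */, "", perm)
        sub(/ *[}].*/, "", perm)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # context fields are user:role:type:level; keep the type only
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        count[src " " tgt ":" cls " " perm]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }'
}

# avc_to_allow: turn each summary line into the TE rule that would permit it,
# so the reader can see exactly how much a proposed rule would open up.
avc_to_allow() {
    awk '{ printf "allow %s %s %s;\n", $2, $3, $4 }'
}

# Stand-alone run over the constructed sample. On a live system the same
# pipeline reads the audit log instead:
#   ausearch -m avc --start today | avc_summary | avc_to_allow
printf '%s\n' "$AVC_SAMPLE" | avc_summary
printf '%s\n' "$AVC_SAMPLE" | avc_summary | avc_to_allow
```

On the three records above the summary is a single line with a count of 3, and the rendered rule is the one Leon quotes; any extra lines would be the signal that the denial is broader than the single remount at boot.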