[CentOS] tmpfs / selinux issue

Tue Jul 28 20:48:23 UTC 2020
Leon Fauster <leonfauster at googlemail.com>

On 26.07.20 at 17:23, Leon Fauster wrote:
> On 26.07.20 at 12:23, Strahil Nikolov wrote:
> 
>>
>> On 25 July 2020 at 14:20:19 GMT+03:00, Leon Fauster via CentOS
>> <centos at centos.org> wrote:
>>> Hi all,
>>>
>>> I have some AVC in the logs and wonder how to resolve this: Under
>>> EL8 (enforcing SElinux) I have /var/lib/php/session mounted as tmpfs.
>>>
>>>
>>> # tail -1 /etc/fstab
>>> tmpfs  /var/lib/php/session  tmpfs  defaults,noatime,mode=770,gid=apache,size=16777216,context="system_u:object_r:httpd_var_run_t:s0"  0 0
>>>
>>> # df -a |grep php
>>> tmpfs              16384       0     16384    0% /var/lib/php/session
>>>
>>> # ls -laZ /var/lib/php/session
>>> total 0
>>> drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0 40 24 Jul 15:36 .
>>> drwxr-xr-x. 6 root root   system_u:object_r:httpd_var_lib_t:s0 68  7 Jul 10:54 ..
>>>
>>>
>>> the applications can read the session data without any problems.
>>>
>>>
>>>
>>> When I reboot the system following AVC appears:
>>>
>>> # last |grep ^re|head -3
>>> reboot   system boot  4.18.0-193.6.3.e Fri Jul 24 15:28   still running
>>> reboot   system boot  4.18.0-193.6.3.e Fri Jul 24 13:33 - 15:27  (01:54)
>>> reboot   system boot  4.18.0-193.6.3.e Fri Jul 24 01:20 - 13:33  (12:13)
>>>
>>>
>>> # ausearch -m avc --start today
>>> ----
>>> time->Fri Jul 24 01:20:08 2020
>>> type=AVC msg=audit(1595546408.754:28): avc:  denied  { remount } for
>>> pid=952 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0
>>> tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem
>>> permissive=0
>>> ----
>>> time->Fri Jul 24 13:34:04 2020
>>> type=AVC msg=audit(1595590444.080:29): avc:  denied  { remount } for
>>> pid=1020 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0
>>> tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem
>>> permissive=0
>>> ----
>>> time->Fri Jul 24 15:28:40 2020
>>> type=AVC msg=audit(1595597320.783:28): avc:  denied  { remount } for
>>> pid=934 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0
>>> tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem
>>> permissive=0
>>>
>>>
>>> I wonder about the "remount" and the comm="ostnamed".
>>>
>>> I did not find any ostnamed application, the closest is hostnamed.
>>>
>>> Should the tmpfs be mounted differently (without fstab entry)?
>>>
>>> To get rid of the AVC I could add the corresponding policy
>>> "allow init_t httpd_var_run_t:filesystem remount;" but isn't this
>>> a bit of overkill?
>>>
>>> Any hints about what the cause is?
>>>
>>> I'd really appreciate any ideas on this.
>>>
>>
>>
>> Hi Leon,
>>
>> have you tried mounting with 'httpd_sys_rw_content_t' instead of
>> 'httpd_var_run_t' ?
>>
> 
> 
> The latter is the standard selinux context. So I prefer to go with it.
> 
> umount /var/lib/php/session
> restorecon -v -R /var/lib/php/
> 
> # LANG=C ls -laZ  /var/lib/php/session
> total 8
> drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0 4096 May  7 04:39 .
> 
> 
> mount /var/lib/php/session/
> # LANG=C ls -laZ  /var/lib/php/session
> total 4
> drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0   40 Jul 26 17:19 .
> 
> 
> The application does NOT have any problems to write to this directory.
> 
> It's "just" the audit/AVC denials that are the issue ...
> 
> I'm not sure what triggers these remounts?
> 


It seems related to namespaces of systemd execution environments,
especially this setting:

$ grep -R  PrivateD /usr/lib/systemd/system
/usr/lib/systemd/system/haveged.service:PrivateDevices=true
/usr/lib/systemd/system/dbus-org.freedesktop.locale1.service:PrivateDevices=yes
/usr/lib/systemd/system/systemd-localed.service:PrivateDevices=yes
/usr/lib/systemd/system/systemd-hostnamed.service:PrivateDevices=yes
/usr/lib/systemd/system/systemd-coredump@.service:PrivateDevices=yes
/usr/lib/systemd/system/dbus-org.freedesktop.hostname1.service:PrivateDevices=yes
/usr/lib/systemd/system/systemd-resolved.service:PrivateDevices=yes


So I migrated the above-mentioned (EL6 legacy) configuration to /run.
More compliant with EL8, and no AVC logs anymore.

--
Leon
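Added example (editor's code, not from the thread or from CentOS/systemd): a small Python triage script for AVC records like the ones above. It parses the record, prints the rule audit2allow would generate (the one Leon considered overkill), and resolves the puzzling comm="(ostnamed)". The resolution relies on a systemd fact the thread does not spell out: between fork() and exec() the child of a service is renamed by systemd's rename_process_from_path() to "(<basename of ExecStart>)", and a basename longer than 8 characters keeps only its last 8 (the prefix is usually just "systemd-"), so "systemd-hostnamed" shows up as "(ostnamed)". The UNIT_EXEC table is constructed for the example, as is the second AVC line (it differs from the quoted ones only in pid/timestamp); on a real host the table would come from `systemctl show -p ExecStart --value <unit>`.

```python
"""Triage an SELinux AVC: parse it, show the audit2allow rule, and map systemd's
truncated "(xxxxxxxx)" comm back to the service whose sandbox set-up did it."""
import re
from typing import Any, Dict, List

# First record is the one quoted in the thread; the second is constructed
# (same shape, different pid/timestamp) to show the parser on more than one line.
AVC_RECORDS = [
    'type=AVC msg=audit(1595546408.754:28): avc:  denied  { remount } for pid=952 '
    'comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0',
    'type=AVC msg=audit(1595590444.080:29): avc:  denied  { remount } for pid=1020 '
    'comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0',
]

# CONSTRUCTED unit -> ExecStart table (an assumption, not from the post). On a
# real host build it with:  systemctl show -p ExecStart --value <unit>
UNIT_EXEC = {
    "systemd-hostnamed.service": "/usr/lib/systemd/systemd-hostnamed",
    "systemd-localed.service": "/usr/lib/systemd/systemd-localed",
    "systemd-resolved.service": "/usr/lib/systemd/systemd-resolved",
    "haveged.service": "/usr/sbin/haveged",
    "php-fpm.service": "/usr/sbin/php-fpm",
}

_VERDICT_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record: str) -> Dict[str, Any]:
    """Split one AVC line into a dict: perms becomes a list, quotes are stripped."""
    m = _VERDICT_RE.search(record)
    if m is None:
        raise ValueError("not an AVC record: %r" % record)
    avc: Dict[str, Any] = {"verdict": m.group(1), "perms": m.group(2).split()}
    for key, value in _FIELD_RE.findall(record):
        avc[key] = value.strip('"')
    return avc


def selinux_type(context: str) -> str:
    """user:role:type:level -> type, the component that allow rules name."""
    return context.split(":")[2]


def allow_rule(avc: Dict[str, Any]) -> str:
    """The rule audit2allow would emit for this denial (single perm: no braces)."""
    perms = avc["perms"]
    perm_txt = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (
        selinux_type(avc["scontext"]), selinux_type(avc["tcontext"]),
        avc["tclass"], perm_txt)


def systemd_child_comm(exec_path: str) -> str:
    """Reproduce systemd's rename_process_from_path(): the forked, not yet
    exec'd child of a service is named "(<basename>)", and a basename longer
    than 8 chars keeps only its LAST 8. Hence "(ostnamed)" is not a binary."""
    base = exec_path.rsplit("/", 1)[-1]
    if len(base) > 8:
        base = base[-8:]
    return "(%s)" % base


def resolve_comm(comm: str, unit_exec: Dict[str, str]) -> List[str]:
    """Units whose not-yet-exec'd child would carry this comm."""
    return sorted(unit for unit, path in unit_exec.items()
                  if systemd_child_comm(path) == comm)


def is_sandbox_setup_denial(avc: Dict[str, Any]) -> bool:
    """True when systemd itself (init_t), acting as a still-unexec'd service
    child, is denied remounting a filesystem: that is per-service mount
    namespace set-up (PrivateDevices= and friends), not the workload."""
    comm = str(avc.get("comm", ""))
    return (selinux_type(avc["scontext"]) == "init_t"
            and avc["tclass"] == "filesystem"
            and avc["perms"] == ["remount"]
            and comm.startswith("(") and comm.endswith(")"))


def triage(record: str, unit_exec: Dict[str, str] = UNIT_EXEC) -> Dict[str, Any]:
    """One-stop summary for a record: rule, candidate units, and the verdict."""
    avc = parse_avc(record)
    return {
        "rule": allow_rule(avc),
        "units": resolve_comm(str(avc["comm"]), unit_exec),
        "sandbox_setup": is_sandbox_setup_denial(avc),
    }


if __name__ == "__main__":
    for rec in AVC_RECORDS:
        print(triage(rec))
```

With the table above, "(ostnamed)" resolves only to systemd-hostnamed.service, one of the PrivateDevices=yes units in the grep output, which is why the denial appears once per boot and never from php-fpm. The rule string is what audit2allow would write, not a recommendation: the denial comes from the service manager's namespace set-up, so the thread's fix (moving the directory under /run) removes the cause rather than the symptom.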