On 26.07.20 at 17:23, Leon Fauster wrote:
> On 26.07.20 at 12:23, Strahil Nikolov wrote:
>
>> On 25 July 2020 at 14:20:19 GMT+03:00, Leon Fauster via CentOS
>> <centos at centos.org> wrote:
>>> Hi all,
>>>
>>> I have some AVCs in the logs and wonder how to resolve this: under
>>> EL8 (enforcing SELinux) I have /var/lib/php/session mounted as tmpfs.
>>>
>>> # tail -1 /etc/fstab
>>> tmpfs /var/lib/php/session tmpfs defaults,noatime,mode=770,gid=apache,size=16777216,context="system_u:object_r:httpd_var_run_t:s0" 0 0
>>>
>>> # df -a |grep php
>>> tmpfs 16384 0 16384 0% /var/lib/php/session
>>>
>>> # ls -laZ /var/lib/php/session
>>> insgesamt 0
>>> drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0 40 24. Jul 15:36 .
>>> drwxr-xr-x. 6 root root system_u:object_r:httpd_var_lib_t:s0 68 7. Jul 10:54 ..
>>>
>>> The applications can read the session data without any problems.
>>>
>>> When I reboot the system, the following AVC appears:
>>>
>>> # last |grep ^re|head -3
>>> reboot system boot 4.18.0-193.6.3.e Fri Jul 24 15:28 still running
>>> reboot system boot 4.18.0-193.6.3.e Fri Jul 24 13:33 - 15:27 (01:54)
>>> reboot system boot 4.18.0-193.6.3.e Fri Jul 24 01:20 - 13:33 (12:13)
>>>
>>> # ausearch -m avc --start today
>>> ----
>>> time->Fri Jul 24 01:20:08 2020
>>> type=AVC msg=audit(1595546408.754:28): avc: denied { remount } for pid=952 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
>>> ----
>>> time->Fri Jul 24 13:34:04 2020
>>> type=AVC msg=audit(1595590444.080:29): avc: denied { remount } for pid=1020 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
>>> ----
>>> time->Fri Jul 24 15:28:40 2020
>>> type=AVC msg=audit(1595597320.783:28): avc: denied { remount } for pid=934 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
>>>
>>> I wonder about the "remount" and the comm="ostnamed".
>>>
>>> I did not find any ostnamed application; the closest is hostnamed.
>>>
>>> Should the tmpfs be mounted differently (without an fstab entry)?
>>>
>>> To get rid of the AVC I could add the corresponding policy
>>> "allow init_t httpd_var_run_t:filesystem remount;" but is this
>>> not a bit of overkill?
>>>
>>> Any hints about what the cause is?
>>>
>>> I'd really appreciate any ideas on this.
>>>
>>
>> Hi Leon,
>>
>> have you tried mounting with 'httpd_sys_rw_content_t' instead of
>> 'httpd_var_run_t'?
>
> The latter is the standard SELinux context. So I prefer to go with it.
>
> umount /var/lib/php/session
> restorecon -v -R /var/lib/php/
>
> # LANG=C ls -laZ /var/lib/php/session
> total 8
> drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0 4096 May 7 04:39 .
>
> mount /var/lib/php/session/
> # LANG=C ls -laZ /var/lib/php/session
> total 4
> drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0 40 Jul 26 17:19 .
>
> The application does NOT have any problems writing to this directory.
>
> It's "just" the audit/AVC denials that are the issue ...
>
> I'm not sure what triggers these remounts?

It seems related to namespaces of systemd execution environments, especially this setting:

$ grep -R PrivateD /usr/lib/systemd/system
/usr/lib/systemd/system/haveged.service:PrivateDevices=true
/usr/lib/systemd/system/dbus-org.freedesktop.locale1.service:PrivateDevices=yes
/usr/lib/systemd/system/systemd-localed.service:PrivateDevices=yes
/usr/lib/systemd/system/systemd-hostnamed.service:PrivateDevices=yes
/usr/lib/systemd/system/systemd-coredump@.service:PrivateDevices=yes
/usr/lib/systemd/system/dbus-org.freedesktop.hostname1.service:PrivateDevices=yes
/usr/lib/systemd/system/systemd-resolved.service:PrivateDevices=yes

So I migrated the above-mentioned (EL6 legacy) configuration to /run. More compliant with EL8, and no AVC logs anymore.

--
Leon
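The thread turns on reading the three AVC records correctly: the source domain (init_t), the target type (httpd_var_run_t), the object class (filesystem) and the denied permission (remount) together determine what rule a policy change would need, which is what makes the "allow init_t httpd_var_run_t:filesystem remount;" line look like overkill for a mount that only httpd should touch. The following script is an added example, not code from the thread or from any CentOS or SELinux tool: it parses AVC lines in the `ausearch -m avc` format shown above, counts distinct denials by (source type, target type, class, permission), and renders the minimal allow rule each one would imply so an administrator can review it before deciding, as Leon did, to change the configuration instead of the policy. The sample audit text is constructed from the three records quoted in the thread; the field layout assumed is the standard kernel AVC format (`avc: denied { perm } for key=value ...`).

```python
import re
from collections import Counter

# Constructed sample: the three AVC records from the thread, in the layout
# that `ausearch -m avc` prints (record separator, time-> line, type=AVC line).
SAMPLE_AUDIT = """\
----
time->Fri Jul 24 01:20:08 2020
type=AVC msg=audit(1595546408.754:28): avc:  denied  { remount }  for  pid=952 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
----
time->Fri Jul 24 13:34:04 2020
type=AVC msg=audit(1595590444.080:29): avc:  denied  { remount }  for  pid=1020 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
----
time->Fri Jul 24 15:28:40 2020
type=AVC msg=audit(1595597320.783:28): avc:  denied  { remount }  for  pid=934 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
"""

# "avc: denied { perm1 perm2 } for <key=value fields>"; whitespace between
# tokens varies between the kernel's raw output and ausearch, so use \s+.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values such as comm="(ostnamed)" are double-quoted and may
# contain spaces, unquoted values (pid=952, scontext=...) run to whitespace.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one type=AVC line, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, val in KV_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    return rec


def selinux_type(context):
    """'system_u:system_r:init_t:s0' -> 'init_t' (the type is the third field)."""
    return context.split(':')[2]


def summarize(audit_text):
    """Count denials keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        for perm in rec['perms']:
            key = (selinux_type(rec['scontext']),
                   selinux_type(rec['tcontext']),
                   rec['tclass'], perm)
            counts[key] += 1
    return counts


def allow_rules(counts):
    """Render the minimal allow rule each distinct denial would need.

    This is what an audit2allow-style tool would propose; it is meant for
    review, because a rule such as 'allow init_t httpd_var_run_t:filesystem
    remount;' widens what init_t may do to every filesystem of that type.
    """
    return sorted(f'allow {s} {t}:{c} {p};' for (s, t, c, p) in counts)


if __name__ == '__main__':
    counts = summarize(SAMPLE_AUDIT)
    for (s, t, c, p), n in sorted(counts.items()):
        print(f'{n:3d}  {s} -> {t} ({c}) {p}')
    print('\n'.join(allow_rules(counts)))
```

Run against real data with `ausearch -m avc --start today | python3 avc_summary.py` after replacing `SAMPLE_AUDIT` with `sys.stdin.read()`; the per-key count makes it obvious when one configuration issue (here, a remount at every boot) is behind many records, and the rendered rule shows the exact scope a policy exception would grant.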