[CentOS] tmpfs / selinux issue

Sun Jul 26 15:23:23 UTC 2020
Leon Fauster <leonfauster at googlemail.com>

On 26.07.20 at 12:23, Strahil Nikolov wrote:

> 
> On 25 July 2020 14:20:19 GMT+03:00, Leon Fauster via CentOS <centos at centos.org> wrote:
>> Hi all,
>>
>> I have some AVC in the logs and wonder how to resolve this: Under
>> EL8 (enforcing SElinux) I have /var/lib/php/session mounted as tmpfs.
>>
>>
>> # tail -1 /etc/fstab
>> tmpfs  /var/lib/php/session  tmpfs  defaults,noatime,mode=770,gid=apache,size=16777216,context="system_u:object_r:httpd_var_run_t:s0"  0 0
>>
>> # df -a |grep php
>> tmpfs              16384       0     16384    0% /var/lib/php/session
>>
>> # ls -laZ /var/lib/php/session
>> insgesamt 0
>> drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0 40 24. Jul 15:36 .
>> drwxr-xr-x. 6 root root   system_u:object_r:httpd_var_lib_t:s0 68  7. Jul 10:54 ..
>>
>>
>> the applications can read the session data without any problems.
>>
>>
>>
>> When I reboot the system, the following AVC appears:
>>
>> # last |grep ^re|head -3
>> reboot   system boot  4.18.0-193.6.3.e Fri Jul 24 15:28   still running
>> reboot   system boot  4.18.0-193.6.3.e Fri Jul 24 13:33 - 15:27  (01:54)
>> reboot   system boot  4.18.0-193.6.3.e Fri Jul 24 01:20 - 13:33  (12:13)
>>
>>
>> # ausearch -m avc --start today
>> ----
>> time->Fri Jul 24 01:20:08 2020
>> type=AVC msg=audit(1595546408.754:28): avc:  denied  { remount } for pid=952 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
>> ----
>> time->Fri Jul 24 13:34:04 2020
>> type=AVC msg=audit(1595590444.080:29): avc:  denied  { remount } for pid=1020 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
>> ----
>> time->Fri Jul 24 15:28:40 2020
>> type=AVC msg=audit(1595597320.783:28): avc:  denied  { remount } for pid=934 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
>>
>>
>> I wonder about the "remount" and the comm="ostnamed".
>>
>> I did not find any ostnamed application; the closest is hostnamed.
>>
>> Should the tmpfs be mounted differently (without fstab entry)?
>>
>> To get rid of the AVC I could add the corresponding policy
>> "allow init_t httpd_var_run_t:filesystem remount;" but is this
>> not a bit of overkill?
>>
>> Any hints about what the cause is?
>>
>> I'd really appreciate any ideas on this.
>>
>
>
> Hi Leon,
>
> have you tried mounting with 'httpd_sys_rw_content_t' instead of 'httpd_var_run_t'?
>


The latter is the standard selinux context. So I prefer to go with it.

umount /var/lib/php/session
restorecon -v -R /var/lib/php/

# LANG=C ls -laZ  /var/lib/php/session
total 8
drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0 4096 May  7 04:39 .


mount /var/lib/php/session/
# LANG=C ls -laZ  /var/lib/php/session
total 4
drwxrwx---. 2 root apache system_u:object_r:httpd_var_run_t:s0   40 Jul 26 17:19 .


The application does NOT have any problems writing to this directory.

It's "just" the audit/AVC denials that are the issue ...

I'm not sure what triggers these remounts.

--
Leon
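As an added example, not part of the thread and not code Leon or Strahil posted: a small Python parser for the AVC records quoted above. It groups the denials by source type, target type, object class and permission, renders the allow rule each group would need in the same shape audit2allow produces (so the rule can be reviewed before anything is loaded), and includes a helper that reproduces how systemd names a forked child before it execs the service binary: the last eight characters of the executable's basename, in parentheses. That naming is why the comm field reads "(ostnamed)" for systemd-hostnamed. The sample audit text is the three records from the thread re-joined onto single lines; the function names and the helper are my own.

```python
import re
from collections import Counter

# Constructed sample input: the three AVC records quoted in the thread,
# each record re-joined onto a single line the way `ausearch` emits it.
SAMPLE_AUDIT = """----
time->Fri Jul 24 01:20:08 2020
type=AVC msg=audit(1595546408.754:28): avc:  denied  { remount } for pid=952 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
----
time->Fri Jul 24 13:34:04 2020
type=AVC msg=audit(1595590444.080:29): avc:  denied  { remount } for pid=1020 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
----
time->Fri Jul 24 15:28:40 2020
type=AVC msg=audit(1595597320.783:28): avc:  denied  { remount } for pid=934 comm="(ostnamed)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=filesystem permissive=0
"""

# Header of an AVC record: timestamp, serial, result and the permission set.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for (?P<fields>.*)$'
)
# key=value pairs that follow; comm is double-quoted, the rest are bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": frozenset(m.group("perms").split()),
    }
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # A context is user:role:type[:range]; the type is what policy rules name.
    for key in ("scontext", "tcontext"):
        if key in rec:
            rec[key + "_type"] = rec[key].split(":")[2]
    return rec


def parse_audit_log(text):
    """Parse every AVC record in a block of ausearch output."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def summarize(records):
    """Count denials by (source type, target type, object class, permissions)."""
    counts = Counter()
    for r in records:
        if r["result"] != "denied":
            continue
        counts[(r["scontext_type"], r["tcontext_type"], r["tclass"], r["perms"])] += 1
    return counts


def te_rules(summary):
    """Render one allow rule per group, in audit2allow's shape, for review."""
    rules = []
    ordered = sorted(summary.items(),
                     key=lambda kv: (kv[0][0], kv[0][1], kv[0][2], sorted(kv[0][3])))
    for (stype, ttype, tclass, perms), n in ordered:
        plist = " ".join(sorted(perms))
        body = plist if len(perms) == 1 else "{ " + plist + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};  # seen {n} time(s)")
    return rules


def systemd_child_comm(exe_path):
    """Re-implementation (for illustration, not systemd's own code) of how
    systemd names a forked service child before exec: '(' + the last eight
    characters of the executable's basename + ')'."""
    base = exe_path.rstrip("/").rsplit("/", 1)[-1]
    return "(" + base[-8:] + ")"


if __name__ == "__main__":
    records = parse_audit_log(SAMPLE_AUDIT)
    for rule in te_rules(summarize(records)):
        print(rule)
    print("systemd-hostnamed child comm:",
          systemd_child_comm("/usr/lib/systemd/systemd-hostnamed"))
```

Running it on the sample prints a single `allow init_t httpd_var_run_t:filesystem remount;` line seen three times, one per boot, and shows that the "(ostnamed)" comm belongs to a systemd child that has not yet transitioned out of init_t. Whether to ship that rule as a local module is the decision Leon raises; the parser only makes clear that every denial is the same one.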