Archive | January, 2015

SELinux troubleshooter – too good to be true

30 Jan

Currently, I have the uphill task of trying to work with SELinux while reacquainting myself with the apparently simple task of setting a webserver up – in particular, nginx and php-fpm.


Of course, I encountered a whole host of permission errors that are common even without SELinux to begin with, but SELinux threw in an extra layer of permissions that I had to get around. While disabling SELinux is a common response, I had watched SELinux for Mere Mortals, and it pretty much inspired me not to take the easy path. Of course, I quit watching halfway in because of the terribad camera angle and ended up googling for other tutorials.


The basic idea of the SELinux troubleshooter is that it can diagnose most of the common permission issues you run into; you just have to have it installed first:

yum install setroubleshoot

and then run the analyser AFTER you encounter the error, so that the denial is already in the audit log:

sealert -a /var/log/audit/audit.log

The fix-it instructions sealert then prints, together with the error messages, should be pretty self-explanatory, but in my case it boiled down to:

grep nginx /var/log/audit/audit.log | audit2allow -M mypol

and

grep php-fpm /var/log/audit/audit.log | audit2allow -M mypol

and then to load the generated policy module (audit2allow -M writes mypol.te and mypol.pp into the current directory; running it again with the same name overwrites both, and semodule -i replaces any already installed module of that name):

semodule -i mypol.pp


However, the odd thing was that these two error messages didn't appear together. If I "fixed" it for nginx, there would be an error for php-fpm later, and vice versa.

Obviously there was some conflict between the two policies for php-fpm and nginx, so hmm, how about drafting a policy for both at the same time?

grep -E "nginx|php-fpm" /var/log/audit/audit.log | audit2allow -M mypol

was what I ended up with.

The odder thing that happened, though, was that it didn't work if I ran the commands after encountering the php-fpm error. It only worked if the commands came after encountering the nginx error.

Looking at the generated mypol.te files, I could see the contents of the policy being applied (the installed form, mypol.pp, is binary).

The contents are as follows; the parts that differ (bolded in the original post) are which rules audit2allow marks as already allowed in the current policy, and how the permissions are grouped:

After php-fpm error, the non-working version:

module mypol 1.0;

require {
type httpd_t;
type vmblock_t;
class dir { search getattr };
class file { read getattr open };
}

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t vmblock_t:dir { search getattr };
allow httpd_t vmblock_t:file open;

#!!!! This avc is allowed in the current policy
allow httpd_t vmblock_t:file { read getattr };


After nginx error, the working version:

module mypol 1.0;

require {
type httpd_t;
type vmblock_t;
class dir { search getattr };
class file { read getattr open };
}

#============= httpd_t ==============
allow httpd_t vmblock_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_t vmblock_t:dir getattr;
allow httpd_t vmblock_t:file getattr;

#!!!! This avc is allowed in the current policy
allow httpd_t vmblock_t:file { read open };
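
As an added example (not from the original post, and not how audit2allow itself is implemented), the Python script below does in a few lines what the grep | audit2allow pipeline above does: it parses AVC denial lines out of an audit.log, aggregates them per (source type, target type, class) into allow rules, and also parses the two mypol.te bodies above so their allow rules can be compared with audit2allow's comments stripped. The AVC lines are constructed to resemble the log entries the post greps for (paths, pids and timestamps are made up); the two .te bodies are copied from the post. Running it shows that the "working" and "non-working" .te files grant exactly the same permissions; they differ only in which rules audit2allow flagged as already allowed in the loaded policy at generation time, and in how the permissions are grouped.

```python
"""Normalise SELinux AVC denials and .te allow rules into comparable sets.

Added example, not code from the original post. The audit lines are
constructed; the two .te bodies are the ones shown in the post.
"""
import re
from collections import defaultdict

# Constructed sample audit.log lines (not real denials from the post's host).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1422600001.123:101): avc:  denied  { search } for  pid=1201 comm="nginx" name="www" dev="vmblock" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:vmblock_t:s0 tclass=dir
type=AVC msg=audit(1422600002.456:102): avc:  denied  { getattr } for  pid=1201 comm="nginx" path="/mnt/hgfs/www" dev="vmblock" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:vmblock_t:s0 tclass=dir
type=AVC msg=audit(1422600003.789:103): avc:  denied  { read open } for  pid=1340 comm="php-fpm" path="/mnt/hgfs/www/index.php" dev="vmblock" ino=34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:vmblock_t:s0 tclass=file
type=AVC msg=audit(1422600004.012:104): avc:  denied  { getattr } for  pid=1340 comm="php-fpm" path="/mnt/hgfs/www/index.php" dev="vmblock" ino=34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:vmblock_t:s0 tclass=file
type=SYSCALL msg=audit(1422600004.012:104): arch=c000003e syscall=4 success=no exit=-13 ...
"""

# The two .te bodies from the post (comments included, as audit2allow wrote them).
NON_WORKING_TE = """\
module mypol 1.0;
require { type httpd_t; type vmblock_t; class dir { search getattr }; class file { read getattr open }; }
#============= httpd_t ==============
#!!!! This avc is allowed in the current policy
allow httpd_t vmblock_t:dir { search getattr };
allow httpd_t vmblock_t:file open;
#!!!! This avc is allowed in the current policy
allow httpd_t vmblock_t:file { read getattr };
"""

WORKING_TE = """\
module mypol 1.0;
require { type httpd_t; type vmblock_t; class dir { search getattr }; class file { read getattr open }; }
#============= httpd_t ==============
allow httpd_t vmblock_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_t vmblock_t:dir getattr;
allow httpd_t vmblock_t:file getattr;
#!!!! This avc is allowed in the current policy
allow httpd_t vmblock_t:file { read open };
"""

# Only type=AVC records carry denials; SYSCALL/PATH records of the same event are skipped.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\w+)'
)
# `allow source target:class perm;` or `allow source target:class { p1 p2 };`
ALLOW_RE = re.compile(r'^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]+?)\s*\}|(\w+))\s*;')


def type_of(context):
    """Return the type component of a user:role:type[:level] security context."""
    return context.split(":")[2]


def rules_from_audit_log(text, comm_filter=None):
    """Aggregate AVC denials into {(source type, target type, class): perms}.

    comm_filter keeps only denials whose comm= is in the given set. That is the
    intent of `grep nginx` / `grep php-fpm`, without the false positives a bare
    grep can pick up from paths or other fields that happen to contain the name.
    """
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm_filter and m.group("comm") not in comm_filter):
            continue
        key = (type_of(m.group("scontext")), type_of(m.group("tcontext")), m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return {k: frozenset(v) for k, v in rules.items()}


def rules_from_te(text):
    """Parse allow statements from a .te body, ignoring all comments
    (including audit2allow's '#!!!! This avc is allowed in the current policy')."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = ALLOW_RE.match(line.split("#", 1)[0])
        if not m:
            continue
        stype, ttype, tclass, multi, single = m.groups()
        rules[(stype, ttype, tclass)].update(multi.split() if multi else [single])
    return {k: frozenset(v) for k, v in rules.items()}


def rules_not_covered(te_text, audit_text, comm_filter=None):
    """Denied permissions from the log that the .te does not grant: {key: missing perms}."""
    granted = rules_from_te(te_text)
    missing = {}
    for key, perms in rules_from_audit_log(audit_text, comm_filter).items():
        gap = perms - granted.get(key, frozenset())
        if gap:
            missing[key] = gap
    return missing


if __name__ == "__main__":
    print("same allow rules in both .te files:", rules_from_te(NON_WORKING_TE) == rules_from_te(WORKING_TE))
    print("rules derived from the sample log:", rules_from_audit_log(SAMPLE_AUDIT_LOG))
    print("still uncovered by the working .te:", rules_not_covered(WORKING_TE, SAMPLE_AUDIT_LOG))
```

rules_not_covered is the check worth running before semodule -i: anything it returns after a module has been loaded is a denial that was not in the log when the module was generated. SELinux only reports the first access a process is refused in a code path, so the next denial in that path tends to surface only after the previous one has been allowed, which is why audit2allow is normally run iteratively.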


Now, I have no idea what the differences really entail, or why the policies were generated differently; someday I may review it to better understand SELinux. For now, however, it works and I have development work to do on the now-functioning webserver!
