RHEL - SELinux access control errors
Question
I have a problem with SElinux privileges with Docker, in Docker I run Mailcow, but now I have a blank screen, and it looks like it might be a problem with privileges.
Because the diagnostic says this:
SELinux is preventing /usr/local/bin/php from read access to the file /web/inc/init_db.inc.php.
Audit log:
type=AVC msg=audit(1676319004.771:1087): avc: denied { read } for pid=14555 comm="php-fpm" name="init_db.inc.php" dev="dm-0" ino=135058961 scontext=system_u:system_r:container_t:s0:c706,c972 tcontext=system_u:object_r:container_file_t:s0:c89,c575 tclass=file permissive=0
type=SYSCALL msg=audit(1676319004.771:1087): arch=c000003e syscall=2 success=no exit=-13 a0=7fffc4e15850 a1=8000 a2=0 a3=0 items=1 ppid=6637 pid=14555 auid=4294967295 uid=82 gid=82 euid=82 suid=82 fsuid=82 egid=82 sgid=82 fsgid=82 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/local/sbin/php-fpm" subj=system_u:system_r:container_t:s0:c706,c972 key=(null)
type=CWD msg=audit(1676319004.771:1087): cwd="/web"
type=PATH msg=audit(1676319004.771:1087): item=0 name="/web/inc/init_db.inc.php" inode=135058961 dev=fd:00 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_file_t:s0:c89,c575 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
How can I solve it?
This is what I tried:
ausearch -c 'php' --raw | audit2allow -M my-php
semodule -X 300 -i my-php.pp
And the results are:
compilation failed:
my-php.te:15: ERROR 'syntax error' at token 'mlsconstrain' on line 15:
# mlsconstrain file { ioctl read lock execute execute_no_trans } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain file { write setattr append unlink link rename } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
/usr/bin/checkmodule: error(s) encountered while parsing configuration
[root@rhel ~]# semodule -X 300 -i my-php.pp
libsemanage.map_compressed_file: Unable to open my-php.pp
(No such file or directory).
libsemanage.semanage_direct_install_file: Unable to read file my-php.pp
(No such file or directory).
semodule: Failed on my-php.pp!
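The denial above is an MCS constraint, not a missing type-enforcement rule: scontext and tcontext both use container types, but the process carries categories c706,c972 while the file is labelled c89,c575, which is why audit2allow emitted only an mlsconstrain "Constraint DENIED" line that checkmodule then refused to parse. The following Python, added here as an example and not part of the original post, parses an AVC record, applies the "h1 dom h2" test from the quoted mlsconstrain, and classifies the denial; it also handles category ranges (c0.c1023) and a second, constructed record whose categories do match.

```python
import re

# Constructed sample input. MCS_DENIAL copies the AVC record quoted in the question;
# TE_DENIAL is a made-up record whose categories do match, for comparison.
MCS_DENIAL = ('type=AVC msg=audit(1676319004.771:1087): avc: denied { read } for pid=14555 '
              'comm="php-fpm" name="init_db.inc.php" dev="dm-0" ino=135058961 '
              'scontext=system_u:system_r:container_t:s0:c706,c972 '
              'tcontext=system_u:object_r:container_file_t:s0:c89,c575 tclass=file permissive=0')
TE_DENIAL = ('type=AVC msg=audit(1676319004.771:1088): avc: denied { write } for pid=14555 '
             'comm="php-fpm" name="conf.php" scontext=system_u:system_r:container_t:s0:c706,c972 '
             'tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0')

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')

def parse_level(level):
    """'s0:c706,c972' or 's0:c0.c1023' -> (sensitivity, set of category numbers)."""
    sens, _, cats = level.partition(":")
    categories = set()
    for piece in filter(None, cats.split(",")):
        lo, _, hi = piece.partition(".")        # 'c0.c1023' is an inclusive range
        categories.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), categories

def parse_context(ctx):
    """Split user:role:type:level; the level keeps its own ':' separator."""
    user, role, type_, level = ctx.split(":", 3)
    sens, cats = parse_level(level)
    return {"user": user, "role": role, "type": type_, "sens": sens, "cats": cats}

def mcs_dominates(subject, target):
    """'h1 dom h2' from the quoted mlsconstrain: sensitivity not lower and categories a superset."""
    return subject["sens"] >= target["sens"] and subject["cats"] >= target["cats"]

def classify_avc(line):
    """Return the denied permissions, the type pair and whether MCS categories caused the denial.
    Assumes the subject type carries mcs_constrained_type, as container_t does."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    subj, tgt = parse_context(fields["scontext"]), parse_context(fields["tcontext"])
    perms = PERM_RE.search(line).group(1).split()
    # When categories do not dominate, audit2allow can only emit a commented-out
    # 'mlsconstrain ... Constraint DENIED' line; the fix is relabelling the files for this
    # container (Docker's :z/:Z volume options), not an allow rule in a custom module.
    cause = "type_enforcement" if mcs_dominates(subj, tgt) else "mcs_category_mismatch"
    return {"perms": perms, "tclass": fields["tclass"],
            "stype": subj["type"], "ttype": tgt["type"], "cause": cause}
```

Run classify_avc over the raw AVC lines from ausearch before reaching for audit2allow: a result of mcs_category_mismatch means a custom module cannot help.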
Answer 1
Score: 0
Updates have a habit of breaking things in high-security environments such as those with SELinux enabled. The exact same problem happened to me with my Mailcow installation under CentOS Stream 9 (RHEL upstream).
This is happening because SELinux is blocking a PHP script within one Docker container from performing an operation in the MariaDB container, as far as I can tell. This operation happens only once, after the update to a specific version. What I did to solve the SELinux constraint violation without permanently disabling SELinux was to set it to permissive only temporarily, perform the update, then set it back to enforcing mode. Basically, as the root user (or with sudo), I executed the following commands:
setenforce 0
./update.sh
setenforce 1
The update.sh script is in the mailcow-dockerized directory, usually under /opt (/opt/mailcow-dockerized/update.sh).
Note: I know this is not the ideal solution, and the ideal is to have the update script running while SELinux is still in enforcing mode, but this solution is secure enough for me and probably most installations out there.
Answer 2
Score: 0
Same issue inside RHEL 9.1 with SELinux enabled.
I also installed Docker with Mailcow, but I tried these commands and they didn't help me.
Did I do something wrong? In a terminal, logged in as root:
cd /opt/mailcow-dockerized/
setenforce 0
./update.sh
setenforce 1
But I still encountered the problem:
SELinux is preventing /usr/local/bin/php from read access on the file /web/inc/init_db.inc.php.
Okay, after 30 min the solution helped, but I also had a problem with a blank admin page, so to fix both I did this:
nano /opt/mailcow-dockerized/data/Dockerfiles/phpfpm/docker-entrypoint.sh
Inside the file, at the bottom, I added:
mkdir data/web/templates/cache
so it looks like this:
# Fix permissions on twig cache folder
mkdir data/web/templates/cache
chown -R 82:82 /web/templates/cache
# Clear cache
find /web/templates/cache/* -not -name '.gitkeep' -delete
Exit nano and save, then:
cd /opt/mailcow-dockerized/
setenforce 0
./update.sh
# during the update I said yes to everything
# after finishing the update I also ran:
docker system prune
# then, when it's done:
setenforce 1
reboot