SELinux and CometChat

On a CentOS 7 server, I noticed that setroubleshootd seemed to be using an inordinate percentage of the CPU's time when I ran the top command.

top - 18:39:29 up 219 days,  3:26, 25 users,  load average: 1.10, 0.84, 0.90
Tasks: 307 total,   2 running, 305 sleeping,   0 stopped,   0 zombie
%Cpu(s): 82.7 us, 17.2 sy,  0.0 ni,  0.2 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem :  1875896 total,   131120 free,   547016 used,  1197760 buff/cache
KiB Swap:  2113532 total,  1062976 free,  1050556 used.   907248 avail Mem
 Unknown command - try 'h' for help
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
28081 root      20   0  277012  56836   9252 R  96.1  3.0   0:06.34 setroubles+
28006 jdoe      20   0  146260   2136   1360 R   2.3  0.1   0:01.09 top
 5694 ann       20   0   25876   2288    968 S   1.6  0.1  26:26.01 netmesh
   13 root      20   0       0      0      0 S   0.7  0.0 567:58.16 rcu_sched
  729 dbus      20   0   72724   3236    716 S   0.7  0.2 184:40.56 dbus-daemon
26447 jdoe      20   0  147208   2208    920 S   0.7  0.1   0:00.76 sshd
32091 mysql     20   0 1366968  40908   5320 S   0.7  2.2  65:39.21 mysqld
   14 root      20   0       0      0      0 S   0.3  0.0 222:46.07 rcuos/0
   15 root      20   0       0      0      0 S   0.3  0.0 191:33.18 rcuos/1
  705 root      20   0   19152    308    228 S   0.3  0.0  47:05.58 irqbalance
 2795 root      20   0  257536   1184    760 S   0.3  0.1  11:46.69 upowerd
32066 polkitd   20   0  517960   1652    972 S   0.3  0.1   6:29.26 polkitd
    1 root      20   0  194888   8096   2808 S   0.0  0.4 134:51.15 systemd
    2 root      20   0       0      0      0 S   0.0  0.0   1:11.66 kthreadd
    3 root      20   0       0      0      0 S   0.0  0.0   2:47.23 ksoftirqd/0
    5 root       0 -20       0      0      0 S   0.0  0.0   0:00.00 kworker/0:+
    7 root      rt   0       0      0      0 S   0.0  0.0   6:14.49 migration/0

When I used the ausearch command to query the audit daemon logs for entries that might have been created by setroubleshootd, I saw the following:

# ausearch -m avc | tail

----
time->Sat Apr 16 18:00:05 2016
type=SYSCALL msg=audit(1460844005.621:12701188): arch=c000003e syscall=2 success
=yes exit=28 a0=7f7781159d58 a1=80000 a2=1b6 a3=632f656863696e72 items=0 ppid=24
450 pid=18144 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgi
d=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=
system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1460844005.621:12701188): avc:  denied  { open } for  pid=181
44 comm="httpd" path="/home/ann/public_html/ourplace/cometchat/.htaccess" dev="d
m-4" ino=22805345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object
_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1460844005.621:12701188): avc:  denied  { read } for  pid=181
44 comm="httpd" name=".htaccess" dev="dm-4" ino=22805345 scontext=system_u:syste
m_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

One of the websites on the server uses CometChat with Simple Machines Forum (SMF) to provide an online chat feature for users of the site's forum. The referenced .htaccess file resides under the cometchat directory beneath the user's forum software directory. The server runs Security-Enhanced Linux (SELinux), though in "permissive" mode, so the accesses were still allowed (note success=yes in the SYSCALL record) but each would-be denial was still logged, which is why setroubleshootd was running and those audit log entries were created.

I also checked the /var/log/messages file and saw entries like the following ones:

# grep cometchat /var/log/messages | tail
# semanage fcontext -a -t FILE_TYPE '/home/ann/public_html/ourplace/cometchat/.h
taccess'
restorecon -v '/home/ann/public_html/ourplace/cometchat/.htaccess'
Apr 16 18:00:41 greendragon setroubleshoot: failed to retrieve rpm info for /hom
e/ann/public_html/ourplace/cometchat/.htaccess
Apr 16 18:00:43 greendragon setroubleshoot: SELinux is preventing /usr/sbin/http
d from read access on the file /home/ann/public_html/ourplace/cometchat/.htacces
s. For complete SELinux messages. run sealert -l 4665f463-f450-488c-8ca0-52f6e83
e6b05
Apr 16 18:00:43 greendragon python: SELinux is preventing /usr/sbin/httpd from r
ead access on the file /home/ann/public_html/ourplace/cometchat/.htaccess.
/home/ann/public_html/ourplace/cometchat/.htaccess default label should be httpd
_user_htaccess_t.
# /sbin/restorecon -v /home/ann/public_html/ourplace/cometchat/.htaccess
Then you need to change the label on /home/ann/public_html/ourplace/cometchat/.h
taccess
# semanage fcontext -a -t FILE_TYPE '/home/ann/public_html/ourplace/cometchat/.h
taccess'
restorecon -v '/home/ann/public_html/ourplace/cometchat/.htaccess'
#

The message "setroubleshoot: failed to retrieve rpm info for" is just an informational message from setroubleshoot indicating that the file it is referencing didn't come from an RPM package. However, the message below includes a reference to a means of obtaining further information on the issue logged regarding the cometchat/.htaccess file:

Apr 16 18:00:43 greendragon setroubleshoot: SELinux is preventing /usr/sbin/http
d from read access on the file /home/ann/public_html/ourplace/cometchat/.htacces
s. For complete SELinux messages. run sealert -l 4665f463-f450-488c-8ca0-52f6e83
e6b05

I checked on the number of references in /var/log/messages to the cometchat/.htaccess file and found there were tens of thousands of entries related to the file:

# grep --count 'cometchat/.htaccess' /var/log/messages
32113

When I checked the first entry in the log file, I found that it was logged about five days ago:

# head -1 /var/log/messages
Apr 11 03:40:09 greendragon dbus[729]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper

So in less than a week, over thirty-two thousand such entries were logged.

I ran sealert -l with the alert number specified in reference to the cometchat/.htaccess file:

# sealert -l 4665f463-f450-488c-8ca0-52f6e83e6b05
SELinux is preventing /usr/sbin/httpd from read access on the file /home/ann/pub
lic_html/ourplace/cometchat/.htaccess.

*****  Plugin restorecon (94.8 confidence) suggests   ************************

If you want to fix the label.
/home/ann/public_html/ourplace/cometchat/.htaccess default label should be httpd
_user_htaccess_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /home/ann/public_html/ourplace/cometchat/.htaccess

*****  Plugin catchall_labels (5.21 confidence) suggests   *******************

If you want to allow httpd to have read access on the .htaccess file
Then you need to change the label on /home/ann/public_html/ourplace/cometchat/.h
taccess
Do
# semanage fcontext -a -t FILE_TYPE '/home/ann/public_html/ourplace/cometchat/.h
taccess'
where FILE_TYPE is one of the following: NetworkManager_exec_t, NetworkManager_t
mp_t, abrt_dump_oops_exec_t, abrt_etc_t, abrt_exec_t, abrt_handle_event_exec_t, 
abrt_helper_exec_t, abrt_retrace_coredump_exec_t, abrt_retrace_spool_t, abrt_ret
race_worker_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_
var_run_t, accountsd_exec_t, acct_exec_t, admin_crontab_tmp_t, admin_passwd_exec
_t, afs_cache_t, aide_exec_t, alsa_exec_t, alsa_tmp_t, amanda_exec_t, amanda_rec
over_exec_t, amanda_tmp_t, amtu_exec_t, anacron_exec_t, anon_inodefs_t, antiviru
s_exec_t, antivirus_tmp_t, apcupsd_cgi_content_t, apcupsd_cgi_htaccess_t, apcups
d_cgi_ra_content_t, apcupsd_cgi_rw_content_t, apcupsd_cgi_script_exec_t, apcupsd
<text snipped>
Then execute:
restorecon -v '/home/ann/public_html/ourplace/cometchat/.htaccess'


*****  Plugin catchall (1.44 confidence) suggests   **************************

If you believe that httpd should be allowed read access on the .htaccess file by
default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                /home/ann/public_html/ourplace/cometchat/.htaccess
                              [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           httpd-2.4.6-31.el7.centos.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-23.el7_1.8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     greendragon
Platform                      Linux greendragon 3.10.0-229.7.2.el7.x86_64 #1 SMP
                              Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64
Alert Count                   141
First Seen                    2016-04-16 02:31:06 EDT
Last Seen                     2016-04-16 18:10:05 EDT
Local ID                      4665f463-f450-488c-8ca0-52f6e83e6b05

Raw Audit Messages
type=AVC msg=audit(1460844605.85:12701374): avc:  denied  { read } for
pid=22642 comm="httpd" name=".htaccess" dev="dm-4" ino=22805345
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=file


type=AVC msg=audit(1460844605.85:12701374): avc:  denied  { open } for
pid=22642 comm="httpd" path="/home/ann/public_html/ourplace/cometchat/.htaccess"
dev="dm-4" ino=22805345 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file


type=SYSCALL msg=audit(1460844605.85:12701374): arch=x86_64 syscall=open
success=yes exit=ENOSPC a0=7f77810b46b8 a1=80000 a2=1b6 a3=632f656863696e72
items=0 ppid=24450 pid=22642 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd
exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,unlabeled_t,file,read

#

I checked the security context of the referenced file with ls -Z:

# ls -Z /home/ann/public_html/ourplace/cometchat/.htaccess
-rw-rw-r--. ann apache system_u:object_r:unlabeled_t:s0 /home/ann/public_html/ourplace/cometchat/.htaccess

The suggested fix for the problem in the log entries was to run the following commands:

# semanage fcontext -a -t FILE_TYPE '/home/ann/public_html/ourplace/cometchat/.htaccess'
restorecon -v '/home/ann/public_html/ourplace/cometchat/.htaccess'

Files and directories under /var/www that are served by the Apache web server have the SELinux type httpd_sys_content_t, as can be seen when I checked /var/www/html and the /var/www/html/index.html file within it on the same system.

# ls -Z /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
# ls -dZ /var/www/html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html
#

So that is the SELinux type I specified for FILE_TYPE when I ran the semanage command. You can get help information for the fcontext argument to semanage by issuing the command semanage fcontext --help.

# semanage fcontext --help
usage: semanage fcontext [-h] [-n] [-N] [-S STORE] [ --add ( -t TYPE -f FTYPE -r
 RANGE -s SEUSER | -e EQUAL ) FILE_SPEC ) | --delete ( -t TYPE -f FTYPE | -e EQU
AL ) FILE_SPEC ) | --deleteall  | --extract  | --list -C | --modify ( -t TYPE -f
 FTYPE -r RANGE -s SEUSER | -e EQUAL ) FILE_SPEC ) ]

positional arguments:
  file_spec             file_spec

optional arguments:
  -h, --help            show this help message and exit
  -C, --locallist       List fcontext local customizations
  -n, --noheading       Do not print heading when listing fcontext object
                        types
  -N, --noreload        Do not reload policy after commit
  -S STORE, --store STORE
                        Select an alternate SELinux Policy Store to manage
  -a, --add             Add a record of the fcontext object type
  -d, --delete          Delete a record of the fcontext object type
  -m, --modify          Modify a record of the fcontext object type
  -l, --list            List records of the fcontext object type
  -E, --extract         Extract customizable commands, for use within a
                        transaction
  -D, --deleteall       Remove all fcontext objects local customizations
  -e EQUAL, --equal EQUAL
                        Substitute target path with sourcepath when generating
                        default label. This is used with fcontext. Requires
                        source and target path arguments. The context labeling
                        for the target subtree is made equivalent to that
                        defined for the source.
  -f {a,f,d,c,b,s,l,p}, --ftype {a,f,d,c,b,s,l,p}
                        File Type. This is used with fcontext. Requires a file
                        type as shown in the mode field by ls, e.g. use -d to
                        match only directories or -- to match only regular
                        files. The following file type options can be passed:
                        -- (regular file),-d (directory),-c (character
                        device), -b (block device),-s (socket),-l (symbolic
                        link),-p (named pipe) If you do not specify a file
                        type, the file type will default to "all files".
  -s SEUSER, --seuser SEUSER
                        SELinux user name
  -t TYPE, --type TYPE  SELinux Type for the object
  -r RANGE, --range RANGE
                        MLS/MCS Security Range (MLS/MCS Systems only) SELinux
                        Range for SELinux login mapping defaults to the
                        SELinux user record range.

To add the context to the .htaccess file, I included the -a option and used -t to specify the SELinux type.

# semanage fcontext -a -t httpd_sys_content_t /home/ann/public_html/ourplace/cometchat/.htaccess
#

To apply the change I needed to run the restorecon command; you can see below that the context shown by ls -Z didn't change until after I ran the restorecon command.

# ls -Z /home/ann/public_html/ourplace/cometchat/.htaccess
-rw-rw-r--. ann apache system_u:object_r:unlabeled_t:s0 /home/ann/public_html/ou
rniche/cometchat/.htaccess
# restorecon -v /home/ann/public_html/ourplace/cometchat/.htaccess
restorecon reset /home/ann/public_html/ourplace/cometchat/.htaccess context syst
em_u:object_r:unlabeled_t:s0->system_u:object_r:httpd_sys_content_t:s0
# ls -Z /home/ann/public_html/ourplace/cometchat/.htaccess
-rw-rw-r--. ann apache system_u:object_r:httpd_sys_content_t:s0 /home/ann/public
_html/ourplace/cometchat/.htaccess
#

However, after I set that SELinux context, I noticed that one of the log messages had recommended a different SELinux type:

Apr 16 18:00:43 greendragon python: SELinux is preventing /usr/sbin/httpd from r
ead access on the file /home/ann/public_html/ourplace/cometchat/.htaccess.
/home/ann/public_html/ourplace/cometchat/.htaccess default label should be httpd
_user_htaccess_t.

I also found that the SELinux Cookbook by Sven Vermeulen mentioned "httpd_user_htaccess_t for the .htaccess files", so I deleted the context I had previously set for the file using the -d option for semanage.

# semanage fcontext -d /home/ann/public_html/ourplace/cometchat/.htaccess

Then I changed the context to be that type instead.

# semanage fcontext -a -t httpd_user_htaccess_t /home/ann/public_html/ourplace/c
ometchat/.htaccess
# restorecon -v /home/ann/public_html/ourplace/cometchat/.htaccess
restorecon reset /home/ann/public_html/ourplace/cometchat/.htaccess context syst
em_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_user_htaccess_t:s0
# ls -Z /home/ann/public_html/ourplace/cometchat/.htaccess
-rw-rw-r--. ann apache system_u:object_r:httpd_user_htaccess_t:s0 /home/ann/publ
ic_html/ourplace/cometchat/.htaccess

After I made the above change, no further references to the cometchat/.htaccess file appeared in /var/log/messages. I did later observe that there were a lot of other cometchat-related entries in /var/log/messages, though.

# grep cometchat /var/log/messages | wc -l
27587
# grep cometchat /var/log/messages | tail
If you believe that httpd should be allowed read access on the cometchat_receive
.php file by default.
Apr 19 22:17:46 greendragon setroubleshoot: failed to retrieve rpm info for /hom
e/ann/public_html/ourplace/cometchat/modules/chatrooms/chatrooms.php
Apr 19 22:17:51 greendragon setroubleshoot: SELinux is preventing /usr/sbin/http
d from getattr access on the file /home/ann/public_html/ourplace/cometchat/modul
es/chatrooms/chatrooms.php. For complete SELinux messages. run sealert -l b995a2
26-102c-402d-a284-3ba052067998
Apr 19 22:17:51 greendragon python: SELinux is preventing /usr/sbin/httpd from g
etattr access on the file /home/ann/public_html/ourplace/cometchat/modules/chatr
ooms/chatrooms.php.
/home/ann/public_html/ourplace/cometchat/modules/chatrooms/chatrooms.php default
 label should be httpd_user_content_t.
# /sbin/restorecon -v /home/ann/public_html/ourplace/cometchat/modules/chatrooms
/chatrooms.php
Then you need to change the label on /home/ann/public_html/ourplace/cometchat/mo
dules/chatrooms/chatrooms.php
# semanage fcontext -a -t FILE_TYPE '/home/ann/public_html/ourplace/cometchat/mo
dules/chatrooms/chatrooms.php'
restorecon -v '/home/ann/public_html/ourplace/cometchat/modules/chatrooms/chatro
oms.php'
Apr 19 22:17:54 greendragon setroubleshoot: failed to retrieve rpm info for /hom
e/ann/public_html/ourplace/cometchat/modules/chatrooms/chatrooms.php

So I changed the context for all files in the cometchat directory.

# semanage fcontext -a -t httpd_user_content_t "/home/ann/public_html/ourplace/cometchat(/.*)?"
# restorecon -R /home/ann/public_html/ourplace/cometchat

The -a option to semanage indicates it should add a new record and the -t httpd_user_content_t specifies the type. The regular expression at the end of the command, (/.*)?, causes semanage to apply the change to the cometchat directory as well as all the files within it. The -R option to the restorecon command instructs it to apply the change recursively, so it is applied to all subdirectories as well.
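As an added example (not code from the original post), a small Python script that parses AVC denial records in the format ausearch printed earlier, counts them per target object, and derives the semanage/restorecon commands used on this page for unlabeled_t content under a given application directory. The sample records are constructed (two adapted from the page's output), and the app_root argument is an assumption of the example.

```python
import re
from collections import Counter

# Constructed sample in the ausearch -m avc record format: two records adapted from the
# page, one constructed unlabeled PHP file, one constructed denial on correctly labelled content.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1460844005.621:12701188): avc:  denied  { open } for  pid=18144 comm="httpd" path="/home/ann/public_html/ourplace/cometchat/.htaccess" dev="dm-4" ino=22805345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1460844005.621:12701188): avc:  denied  { read } for  pid=18144 comm="httpd" name=".htaccess" dev="dm-4" ino=22805345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1461111471.102:12804411): avc:  denied  { getattr } for  pid=22642 comm="httpd" path="/home/ann/public_html/ourplace/cometchat/modules/chatrooms/chatrooms.php" dev="dm-4" ino=22805400 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1461111480.500:12804420): avc:  denied  { write } for  pid=22642 comm="httpd" path="/var/www/html/index.html" dev="dm-4" ino=11 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

# Fields of an AVC record: permissions in braces, pid/comm, path= or name=, then the contexts.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+)'
    r' comm="(?P<comm>[^"]+)"(?: (?:path|name)="(?P<obj>[^"]+)")?.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

def parse_avc(text):
    """Return one dict per AVC denial record; the target's SELinux type is in 'ttype'."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()
            rec["ttype"] = rec["tcontext"].split(":")[2]   # user:role:type:level
            records.append(rec)
    return records

def summarize(records):
    """Count denials per (target object, target type), the triage view the page
    obtained for a single file with grep --count."""
    return Counter((r["obj"], r["ttype"]) for r in records)

def plan_fixes(records, app_root):
    """Derive the labelling commands the page used for unlabeled_t content under
    app_root (assumed argument): .htaccess files get httpd_user_htaccess_t, the rest
    of the tree gets httpd_user_content_t via a (/.*)? regex plus restorecon -R.
    Denials on files that already carry an httpd_* type are left for policy review."""
    cmds, needs_tree = [], False
    for r in records:
        obj = r["obj"] or ""
        if r["ttype"] != "unlabeled_t" or not obj.startswith(app_root + "/"):
            continue
        if obj.endswith("/.htaccess"):
            entry = f"semanage fcontext -a -t httpd_user_htaccess_t '{obj}'"
            if entry not in cmds:
                cmds += [entry, f"restorecon -v '{obj}'"]
        else:
            needs_tree = True
    if needs_tree:   # the page's ls -Z shows the file-specific .htaccess entry stays in effect
        cmds += [f'semanage fcontext -a -t httpd_user_content_t "{app_root}(/.*)?"',
                 f"restorecon -R {app_root}"]
    return cmds
```

Run the functions against /var/log/audit/audit.log output from ausearch -m avc on the affected host; records whose target already carries an httpd_* type are reported by summarize() but never relabelled.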

After I applied that change, the context of the .htaccess file in the cometchat directory had the prior context replaced with the one applied to all files in the cometchat directory.

# ls -Z /home/ann/public_html/ourplace/cometchat/.htaccess
-rw-rw-r--. ann apache system_u:object_r:httpd_user_htaccess_t:s0 /home/ann/public_html/ourplace/cometchat/.htaccess

Applying the context to all files in the cometchat directory and its subdirectories stopped further entries from appearing in /var/log/messages related to cometchat.
