installation: /usr/share/log Not writable

lgcmorris
Posts: 8
Joined: Tue May 24, 2022 3:39 am

installation: /usr/share/log Not writable

Post by lgcmorris »

---------Setup----------
Cent OS 8 Stream
Cacti 1.2.20-1.el8

I can confirm that it's an SELinux issue, because it was fixed when I temporarily switched SELinux to permissive mode. But I would like to have SELinux in place for security reasons. I'm new to SELinux; how do I configure it to have the correct permissions?


Here I share the SE context
root@localhost cacti.admin]# ls -Z /usr/share/cacti/ | grep log
system_u:object_r:usr_t:s0 auth_login.php
system_u:object_r:usr_t:s0 clog.php
system_u:object_r:usr_t:s0 clog_user.php
system_u:object_r:usr_t:s0 log
system_u:object_r:usr_t:s0 logout.php

[root@localhost cacti.admin]# matchpathcon -V /usr/share/cacti/log/
/usr/share/cacti/log verified.

UID for the PS
cacti.a+ 43330 2349 21 14:40 tty2 00:00:08 /usr/lib64/firefox/firefox
cacti.a+ 43547 43330 1 14:40 tty2 00:00:00 /usr/lib64/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 7
cacti.a+ 43575 43330 1 14:40 tty2 00:00:00 /usr/lib64/firefox/firefox -contentproc -childID 3 -isForBrowser -prefsLen 5
cacti.a+ 43694 43330 4 14:40 tty2 00:00:01 /usr/lib64/firefox/firefox -contentproc -childID 4 -isForBrowser -prefsLen 6
cacti.a+ 43736 43330 0 14:40 tty2 00:00:00 /usr/lib64/firefox/firefox -contentproc -childID 5 -isForBrowser -prefsLen 6
Attachment: cacti not writable.JPG
TheWitness
Developer
Posts: 16897
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA

Re: installation: /usr/share/log Not writable

Post by TheWitness »

Just read the messages going into /var/log/messages. There is a utility called audit2allow; you literally simply have to follow your nose via its use. Basically, you put SELinux in Permissive mode, watch the log and create a series of policies that cover activities in Cacti that are permissible, and then when you think you've got them all, you can go to Restrictive. Others over the years have created policy files, but they are all path dependent, and Debian and variants do things differently than say RHEL and variants. There are even differences between using Apache and Nginx. Good luck.
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customizations. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who wants a Cacti 1.3/2.0? Streams anyone?
lgcmorris
Posts: 8
Joined: Tue May 24, 2022 3:39 am

Re: installation: /usr/share/log Not writable

Post by lgcmorris »

Output from the command. The UID is apache.

[root@sgmkbccti01p cactiadmin]# ausearch -m AVC,USER_AVC -ts recent
----
time->Thu May 26 14:02:41 2022
type=PROCTITLE msg=audit(1653544961.302:243): proctitle=7068702D66706D3A20706F6F6C20777777
type=SYSCALL msg=audit(1653544961.302:243): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffc02a5b320 a2=241 a3=1b6 items=0 ppid=3597 pid=3607 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1653544961.302:243): avc: denied { write } for pid=3607 comm="php-fpm" path="/var/log/cacti/769162589628f18014a0dc.tmp" dev="dm-0" ino=27280838 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0

Now I can confirm it's a denied write, but I don't know what the correct context for this is. Need help.
lgcmorris
Posts: 8
Joined: Tue May 24, 2022 3:39 am

Re: installation: /usr/share/log Not writable

Post by lgcmorris »

I followed this and it worked.

type=AVC msg=audit(1653544968.525:248): avc: denied { write } for pid=3605 comm="php-fpm" path="/var/log/cacti/647359037628f18088066d.tmp" dev="dm-0" ino=26643319 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.


[root@sgmkbccti01p cactiadmin]# sealert -l 324854ce-98bb-45f4-ba3f-321879feef95
SELinux is preventing /usr/sbin/php-fpm from write access on the file /var/log/cacti/647359037628f18088066d.tmp.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that php-fpm should be allowed write access on the 647359037628f18088066d.tmp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
# semodule -i my-phpfpm.pp


root@sgmkbccti01p cactiadmin]# audit2allow -a
#============= httpd_t ==============
allow httpd_t configfs_t:dir getattr;
allow httpd_t httpd_log_t:dir remove_name;

#!!!! This avc is allowed in the current policy
allow httpd_t httpd_log_t:file write; #This allowed the file type httpd_log_t to write
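As an added example (not code from this thread or from the Cacti project), here is a small POSIX shell/awk parser that turns raw AVC denial records, like the two pasted above from ausearch, into the type-enforcement allow rules they imply. This is the core of what the audit2allow step in TheWitness's reply does, written out so the rule can be reviewed before any module is built. The two sample records are the denials quoted in this thread, embedded as constructed input; the function names (avc_to_rules, rules_for_sample, sample_rule_count) are my own.

```shell
#!/bin/sh
# Added example: derive "allow" rules from AVC denial records.
# Mirrors the simple file/dir case handled by audit2allow so the
# resulting rule can be read and judged before `semodule -i`.

# Constructed sample: the two denials quoted in this thread.
SAMPLE_AVCS='type=AVC msg=audit(1653544961.302:243): avc: denied { write } for pid=3607 comm="php-fpm" path="/var/log/cacti/769162589628f18014a0dc.tmp" dev="dm-0" ino=27280838 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1653544968.525:248): avc: denied { write } for pid=3605 comm="php-fpm" path="/var/log/cacti/647359037628f18088066d.tmp" dev="dm-0" ino=26643319 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0'

# avc_to_rules: read AVC records on stdin and print one
# "allow <src_type> <tgt_type>:<class> <perm>;" line per unique tuple.
avc_to_rules() {
    awk '
    # A context is user:role:type:level; the rule needs only the type.
    function type_of(field,   parts) {
        sub(/^[st]context=/, "", field)
        split(field, parts, ":")
        return parts[3]
    }
    /avc: +denied/ {
        # Requested permissions sit between braces: { write } or { read write }
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      src = type_of($i)
            else if ($i ~ /^tcontext=/) tgt = type_of($i)
            else if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        # Splitting on " " trims leading/trailing whitespace in awk.
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            rule = "allow " src " " tgt ":" cls " " p[j] ";"
            if (!(rule in seen)) { seen[rule] = 1; print rule }
        }
    }'
}

# rules_for_sample: run the parser over the embedded sample records.
rules_for_sample() {
    printf '%s\n' "$SAMPLE_AVCS" | avc_to_rules
}

# sample_rule_count: both sample denials collapse to a single rule.
sample_rule_count() {
    rules_for_sample | wc -l | tr -d ' '
}

# Stand-alone usage: on a live host replace the sample with
#   ausearch -m AVC,USER_AVC -ts recent | avc_to_rules
rules_for_sample
```

The point of printing the rule instead of loading it straight away is visible in the output: a single line, `allow httpd_t httpd_log_t:file write;`, which grants the web server write access to every file labelled httpd_log_t, not just Cacti's log directory. Before `semodule -i`, compare each generated rule with what the process is actually expected to do, and check whether a distribution boolean already covers the case (`getsebool -a | grep httpd` lists them on RHEL-family systems), since a boolean is easier to audit later than a local module.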
TheWitness
Developer
Posts: 16897
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA

Re: installation: /usr/share/log Not writable

Post by TheWitness »

Glad you figured it out. If we were not such a fledgling group, we would publish a rule set for SELinux for the various installs and OS variations, but sadly, not enough time. It's mostly a hobby for some of us, and for others, something we do at work and get worn out on if we spend too many hours at it.