SELINUX, labels

[kennethgillen]

Upon using the ansible-role-omero-web on a RHEL system with SELINUX set to enforcing, the static files served up by NGINX are not loading after a fresh installation, or an upgrade of an existing running server.

Note: in the case of the output here, this was already done for the existing server at first deployment, and these steps were re-ran for an upgrade to the existing server.

[root@pub-omero ~]# audit2why < /var/log/audit/audit.log shows:

type=AVC msg=audit(1522679845.947:375427): avc:  denied  { read } for  pid=20627 comm="nginx" name="OMERO.web" dev="dm-7" ino=726 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:unlabeled_
t:s0 tclass=lnk_file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

after creating an audit2allow rule as it suggests, the following is generated:

[root@ ~]# audit2allow < /var/log/audit/audit.log


#============= abrt_t ==============
allow abrt_t inetd_child_t:dbus send_msg;

#============= httpd_t ==============

#!!!! WARNING: 'unlabeled_t' is a base type.
#!!!! The file '/opt/omero/web/OMERO.web' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /opt/omero/web/OMERO.web
allow httpd_t unlabeled_t:lnk_file read;

After running restorecon -R -v /opt/omero/web/OMERO.web, the statics are happily served without a restart of NGINX.

[joshmoore]

Just ran into this again on pub-omero.

[sbesson]

#19 contains a proposal to address this issue with a conditional included playbook executing the command above for SELinux-hardened systems.