Trying to Understand SELinux with a Redis Unix Socket and Nextcloud

Support for security such as Firewalls and securing linux
Smith_oo4
Posts: 1
Joined: 2021/09/04 13:48:35

Trying to Understand SELinux with a Redis Unix Socket and Nextcloud

Post by Smith_oo4 » 2021/09/11 17:38:35

I am trying to install Nextcloud on Centos Stream 8. This is mostly playing around, trying to learn about Centos/RHEL and I guess SELinux too.

I am trying to connect Nextcloud to Redis using a Unix socket, but SELinux is blocking this. I know SELinux is what is causing the problem because when I disable it (sudo setenforce 0) the issue goes away.

I have made the following changes to the Redis config file so it would just be a Unix socket and added the apache user to the redis group.

# listen on no TCP port; serve clients only over the Unix socket below
port 0
unixsocket /var/run/redis/redis.sock
# owner and group get full access (apache is added to the redis group), others none
unixsocketperm 770

OR

# the same change applied with sed to the stock /etc/redis.conf
sudo sed -i 's/port 6379/port 0/g' /etc/redis.conf
sudo sed -i 's/# unixsocket \/tmp\/redis.sock/unixsocket \/var\/run\/redis\/redis.sock/g' /etc/redis.conf
sudo sed -i 's/# unixsocketperm 700/unixsocketperm 770/g' /etc/redis.conf
sudo gpasswd -a apache redis

Doing some googling, I came across the following solution, which works:

# SELinux boolean from the solution found online (-P makes it persist across reboots)
setsebool -P daemons_enable_cluster_mode 1
# build a local policy module from the logged denials, then load it
grep 'redis.sock' /var/log/audit/audit.log | audit2allow -M httpd-to-redis-socket
semodule -i httpd-to-redis-socket.pp

I get that the audit2allow command is taking something from the audit.log and turning it into SELinux rules. However, I am trying to understand what those rules are and how you would do this without using the audit2allow command, that is, how to do a clean install without having it fail first so that there is something in the audit.log.

Below is the output of the audit.log:

sudo grep 'redis.sock' /var/log/audit/audit.log

type=AVC msg=audit(1631378344.102:91): avc:  denied  { write } for  pid=971 comm="php-fpm" name="redis.sock" dev="tmpfs" ino=23011 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1631378432.043:103): avc:  denied  { write } for  pid=972 comm="php-fpm" name="redis.sock" dev="tmpfs" ino=23011 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file permissive=0

Here is the httpd-to-redis-socket.te:

module httpd-to-redis-socket 1.0;

require {
        type httpd_t;           # source domain: httpd and its php-fpm workers
        type redis_var_run_t;   # type of the socket file under /var/run/redis
        class sock_file write;  # the one permission that was denied
}

#============= httpd_t ==============
allow httpd_t redis_var_run_t:sock_file write;

How would I turn this into SELinux commands, not using audit2allow? Or is there a better solution?

Thank you for your help

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Trying to Understand SELinux with a Redis Unix Socket and Nextcloud

Post by TrevorH » 2021/09/11 18:08:08

How would I turn this into SELinux commands, not using audit2allow? Or is there a better solution?
You don't. That already is the right way to do it. Assuming that you keep the same ports and file locations on other servers you can just copy the .pp file to the other machine and semodule -i it and have it work.

The first link in the list below is to our wiki and you can find similar instructions for generating a new policy file using grep -i avc /var/log/audit/audit.log | audit2allow -M my-policy in that. It also has instructions for turning the .te file into a .mod and then a .pp so you can amend the text .te file and rebuild it into a newer .pp to replace the old one.

Useful resources for SELinux: https://wiki.centos.org/HowTos/SELinux | https://wiki.centos.org/TipsAndTricks/SelinuxBooleans | https://docs.fedoraproject.org/en-US/Fe ... ced_Linux/ | https://www.youtube.com/watch?v=bQqX3RWn0Yw | https://opensource.com/business/13/11/s ... licy-guide | http://freecomputerbooks.com/The-SELinu ... tions.html
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
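To make concrete what audit2allow did for the original poster (turning the two AVC records into the .te module shown) and what the reply means by rebuilding a .te into a .mod and then a .pp, here is an added Python example. It is not code from the thread, from Nextcloud or from the audit2allow project, but a deliberately small reimplementation that only understands `avc: denied` records of the layout quoted above; the real tool also handles dontaudit rules, booleans and constraint violations, which this skips. The sample log is a copy of the two lines from the post, embedded so the script runs offline.

```python
"""Turn AVC denial records into a Type Enforcement (.te) module and list the
commands that compile and load it.

Added example for this thread; not audit2allow's own code. Only the
`avc: denied` record layout from the post is parsed.
"""
import re
from collections import defaultdict

# Sample input: the two AVC records quoted in the post (constructed copy).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1631378344.102:91): avc:  denied  { write } for  pid=971 comm="php-fpm" name="redis.sock" dev="tmpfs" ino=23011 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1631378432.043:103): avc:  denied  { write } for  pid=972 comm="php-fpm" name="redis.sock" dev="tmpfs" ino=23011 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file permissive=0
"""

# Pull the permission list, source context, target context and object class
# out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s.*?"
    r"tcontext=(?P<tcontext>\S+)\s.*?"
    r"tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type:level -> type (the third field)."""
    return ctx.split(":")[2]


def parse_avc_denials(log_text):
    """Return {(source_type, target_type, tclass): set(perms)} for every denial.

    Repeated denials of the same triple are merged, so the two records in the
    sample collapse into a single rule needing a single permission.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record; other audit types are skipped
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def _perm_list(perms):
    """Single permission bare, several in braces, as in policy syntax."""
    if len(perms) == 1:
        return next(iter(perms))
    return "{ " + " ".join(sorted(perms)) + " }"


def render_te_module(name, rules, version="1.0"):
    """Render a .te file in the layout audit2allow -M produces."""
    types = sorted({t for (src, tgt, _) in rules for t in (src, tgt)})
    classes = defaultdict(set)  # class -> every permission any rule needs on it
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)

    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {_perm_list(classes[cls])};" for cls in sorted(classes)]
    lines += ["}", ""]
    for src in sorted({s for (s, _, _) in rules}):
        lines.append(f"#============= {src} ==============")
        for (s, tgt, cls), perms in sorted(rules.items()):
            if s == src:
                lines.append(f"allow {s} {tgt}:{cls} {_perm_list(perms)};")
    return "\n".join(lines) + "\n"


def build_commands(name):
    """The checkmodule / semodule_package pipeline that audit2allow -M runs for
    you, followed by the install step from the thread. Re-run these after
    hand-editing the .te to replace the loaded module with the new version."""
    return [
        f"checkmodule -M -m -o {name}.mod {name}.te",
        f"semodule_package -o {name}.pp -m {name}.mod",
        f"semodule -i {name}.pp",
    ]


if __name__ == "__main__":
    module = "httpd-to-redis-socket"
    print(render_te_module(module, parse_avc_denials(SAMPLE_AUDIT_LOG)))
    print("\n".join(build_commands(module)))
```

Fed the grep output from the post, `render_te_module` reproduces the .te the poster got, and `build_commands` gives the three commands that take a hand-written or edited .te the rest of the way to a loaded module, which is the "clean install without failing first" path: write the .te on the build host, compile it, and ship the .pp. Because whatever is in the denial log becomes policy, read every generated `allow` line before loading it; the one here is as narrow as it gets (one source domain, one target type, one class, one permission), which is what you want.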
