SELinux and OwnCloud

Support for security such as Firewalls and securing linux
MartinR
Posts: 714
Joined: 2015/05/11 07:53:27
Location: UK

SELinux and OwnCloud

Post by MartinR » 2020/07/03 09:32:12

I'm running a small home network since retirement. One server with a few VMs running C7, another C7 workstation, a couple of Win10 PCs and a clutch of tablets, phones and Pis. In the C8 VM I've been trying to always comply with SELinux's rules, rather than just switching them to permissive as normal. I've also been trying to use cockpit rather than VMM (not bad, but needs some work on running up consoles and VM creation). The aim is to migrate all services to the C8 VM prior to considering a host machine upgrade.

When the OwnCloud server starts on the C8 machine it just hangs. It won't accept incoming connections from either the app or a browser interface. No errors are reported by SELinux. As soon as SELinux is put into permissive mode (via cockpit) OwnCloud starts functioning properly. There are still no SELinux messages produced. The audit log isn't helpful, the summary is below. Also below is a timeline. There were no errors in messages.

After a few days of this I've switched SELinux to permissive on startup, and OwnCloud runs at once. If I now switch SELinux on, OwnCloud hangs (white screen, no activity). As soon as I switch it back to permissive OwnCloud works, and yet Cockpit reports no SELinux alerts.

Code:

# cat /etc/centos-release
CentOS Linux release 8.2.2004 (Core) 
# uname -a
Linux <hostname> 4.18.0-193.6.3.el8_2.x86_64 #1 SMP Wed Jun 10 11:09:32 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
# sudo -u apache ./occ -V
ownCloud 10.4.1
Last update was 2/6/20.

Timeline
  • 11:45 su-ed in from the host.
  • 11:50:00 switched to permissive via cockpit
  • 11:51:30 switch focus to OwnCloud
  • 11:52:00 press F5, connection now successful.

Code:

# aureport -if 2020-06-26_11-50.log 

Summary Report
======================
Range of time in logs: 26/06/20 11:45:00.064 - 26/06/20 11:53:00.059
Selected time for report: 26/06/20 11:45:00 - 26/06/20 11:53:00.059
Number of changes in configuration: 1
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of authentications: 0
Number of failed authentications: 0
Number of users: 3
Number of terminals: 3
Number of host names: 1
Number of executables: 8
Number of commands: 11
Number of files: 78
Number of AVC's: 0
Number of MAC events: 2
Number of failed syscalls: 285
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of integrity events: 0
Number of virt events: 0
Number of keys: 3
Number of process IDs: 85
Number of events: 400

# aureport -if 2020-06-26_11-50.log -ma

MAC Report
===================================
# date time auid type success event
===================================
1. 26/06/20 11:45:02 -1 USER_ROLE_CHANGE yes 5663
2. 26/06/20 11:49:59 1000 MAC_STATUS yes 6015

mm7
Posts: 3
Joined: 2020/07/02 12:42:42

Re: SELinux and OwnCloud

Post by mm7 » 2020/07/03 13:53:03

Did you try

Code:

ausearch -m avc -ts recent | audit2allow

right after you turn SELinux on?

MartinR
Posts: 714
Joined: 2015/05/11 07:53:27
Location: UK

Re: SELinux and OwnCloud

Post by MartinR » 2020/07/03 15:48:53

I've just done the following:
  • 16:26 SELinux turned on, OwnCloud hangs.
  • 16:43:24 F5, fails.
  • 16:43:40 SELinux off
  • 16:44:00 F5, works.
Then:

Code:

# cd /var/log/audit
# ausearch -m avc -ts recent >X
<no matches>
# ausearch -m avc -ts recent | audit2allow
<no matches>
Nothing to do

PS - no SELinux alerts reported in Cockpit either.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux and OwnCloud

Post by TrevorH » 2020/07/03 15:55:29

Use semodule -DB to disable the suppression of dontaudit events. Run in permissive to catch all avcs. Generate local policy from the audit log, re-enable dontaudit with semodule -B.

MartinR
Posts: 714
Joined: 2015/05/11 07:53:27
Location: UK

[solved] Re: SELinux and OwnCloud

Post by MartinR » 2020/07/03 16:12:17

Following Trevor's instructions:

Code:

# semodule -DB
# ausearch -m avc -ts recent >X
# ausearch -m avc -ts recent | audit2allow


#============= httpd_t ==============
allow httpd_t default_t:dir write;
allow httpd_t self:capability net_admin;

#============= policykit_t ==============
allow policykit_t policykit_auth_t:process { noatsecure rlimitinh siginh };
# ausearch -m avc -ts recent | audit2allow  -M fixselinux
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i fixselinux.pp

# semodule -i fixselinux.pp
# semodule -B

and it works when I switch SELinux on. This software gets more and more like Windows every day. :(

I've just rebooted with SELinux config'ed on and everything works. Thanks Trevor.
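
Added example, not part of the thread: a way to sort `audit2allow` output before building a module from it. A rule whose target type is `default_t` means the directory matches no file-context rule, which is normally fixed by relabelling rather than by an allow rule; the function name, verdict labels and placeholder path are assumptions of this example.

```shell
#!/bin/sh
# Triage audit2allow output instead of loading it wholesale.
# Live use: ausearch -m avc -ts recent | audit2allow | triage_allow_rules httpd_t
#
# Verdicts (labels chosen for this example):
#   RELABEL      target is default_t/unlabeled_t: fix the file context, e.g.
#                  semanage fcontext -a -t httpd_sys_rw_content_t '/PLACEHOLDER/PATH(/.*)?'
#                  restorecon -Rv /PLACEHOLDER/PATH
#   REVIEW-CAP   rule grants a Linux capability to the domain
#   OTHER-DOMAIN rule belongs to a different source domain than the one debugged
#   CANDIDATE    remaining rules, still to be read before use
triage_allow_rules() {
    domain="$1"   # source domain under investigation, e.g. httpd_t
    awk -v domain="$domain" '
    $1 != "allow" { next }                 # skip banners, comments, blank lines
    {
        src = $2
        split($3, tc, ":")                 # "default_t:dir" -> type and class
        tgt = tc[1]; cls = tc[2]
        perms = ""
        for (i = 4; i <= NF; i++) perms = perms " " $i
        gsub(/[{};]/, "", perms)           # drop braces and trailing semicolon
        gsub(/^ +| +$/, "", perms)
        gsub(/  +/, " ", perms)
        if (src != domain)                                    v = "OTHER-DOMAIN"
        else if (tgt == "default_t" || tgt == "unlabeled_t")  v = "RELABEL"
        else if (cls == "capability" || cls == "capability2") v = "REVIEW-CAP"
        else                                                  v = "CANDIDATE"
        printf "%s %s %s:%s %s\n", v, src, tgt, cls, perms
    }'
}

# Sample input: the audit2allow output shown in the post above.
SAMPLE='#============= httpd_t ==============
allow httpd_t default_t:dir write;
allow httpd_t self:capability net_admin;

#============= policykit_t ==============
allow policykit_t policykit_auth_t:process { noatsecure rlimitinh siginh };'

printf '%s\n' "$SAMPLE" | triage_allow_rules httpd_t
```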

MartinR
Posts: 714
Joined: 2015/05/11 07:53:27
Location: UK

Re: SELinux and OwnCloud

Post by MartinR » 2020/07/26 11:36:07

I've just got caught again by these hidden blocks. Is there ever any reason to reenable the "dontaudit" events? To be realistic it is clear that I need to run with them disabled, or else just set SELinux to permissive and forget it as usual. I'm trying to avoid the latter on a new system, but at this rate it will be business as normal. :x

MartinR
Posts: 714
Joined: 2015/05/11 07:53:27
Location: UK

[solved] SELinux and OwnCloud

Post by MartinR » 2020/07/26 12:46:42

I've just been around the "clear error - reboot" loop three times and SELinux is still logging access denials from sources such as systemd, ip, iptables, cupsd, modprobe, chkpwd and others. I've tried, but it's time to turn off SELinux and get a life. Trevor's fix worked for a while, but I fear the dark tentacles of the Potty monster are out to destroy rationality.

pjsr2
Posts: 614
Joined: 2014/03/27 20:11:07

Re: SELinux and OwnCloud

Post by pjsr2 » 2020/07/26 21:07:26

See the Owncloud documentation on configuring SElinux at: https://doc.owncloud.com/server/admin_m ... ation.html
