Icinga / icingaweb2-module-pdfexport

PDF export functionality for Icinga Web 2
GNU General Public License v2.0
31 stars 16 forks

Document SELinux requirements #14

Open akqopensystems opened 5 years ago

akqopensystems commented 5 years ago

Issue

With SELinux active, the PDF module is not able to generate a PDF report.

To Reproduce

Set SELinux to permissive mode and then it works.

Logs

Aug 15 10:13:39 XXXXXXXX setroubleshoot: SELinux is preventing /opt/google/chrome/chrome from read access on the file max_user_watches. For complete SELinux messages run: sealert -l 3178fdd6-90a9-435d-b8ed-4f187c6e9425
Aug 15 10:13:39 XXXXXXXX python: SELinux is preventing /opt/google/chrome/chrome from read access on the file max_user_watches.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that chrome should be allowed read access on the max_user_watches file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ThreadPoolForeg' --raw | audit2allow -M my-ThreadPoolForeg#012# semodule -i my-ThreadPoolForeg.pp#012
Aug 15 10:13:40 XXXXXXXX setroubleshoot: SELinux is preventing /opt/google/chrome/chrome from read access on the file max_user_watches. For complete SELinux messages run: sealert -l 3178fdd6-90a9-435d-b8ed-4f187c6e9425
Aug 15 10:13:40 XXXXXXXX python: SELinux is preventing /opt/google/chrome/chrome from read access on the file max_user_watches.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that chrome should be allowed read access on the max_user_watches file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ThreadPoolForeg' --raw | audit2allow -M my-ThreadPoolForeg#012# semodule -i my-ThreadPoolForeg.pp#012
Aug 15 10:13:40 XXXXXXXX setroubleshoot: failed to retrieve rpm info for /proc/sys/fs/inotify/max_user_watches
Aug 15 10:13:40 XXXXXXXX setroubleshoot: SELinux is preventing /opt/google/chrome/chrome from getattr access on the file /proc/sys/fs/inotify/max_user_watches. For complete SELinux messages run: sealert -l aea6d676-93f7-4ac9-8713-271e720a7879
Aug 15 10:13:40 XXXXXXXX python: SELinux is preventing /opt/google/chrome/chrome from getattr access on the file /proc/sys/fs/inotify/max_user_watches.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that chrome should be allowed getattr access on the max_user_watches file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ThreadPoolForeg' --raw | audit2allow -M my-ThreadPoolForeg#012# semodule -i my-ThreadPoolForeg.pp#012
Aug 15 10:13:40 XXXXXXXX setroubleshoot: SELinux is preventing /opt/google/chrome/chrome from create access on the netlink_kobject_uevent_socket labeled httpd_t. For complete SELinux messages run: sealert -l 17219901-9b4a-4d1e-821d-f0bab0b07f9e
Aug 15 10:13:40 XXXXXXXX python: SELinux is preventing /opt/google/chrome/chrome from create access on the netlink_kobject_uevent_socket labeled httpd_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that chrome should be allowed create access on netlink_kobject_uevent_socket labeled httpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ThreadPoolForeg' --raw | audit2allow -M my-ThreadPoolForeg#012# semodule -i my-ThreadPoolForeg.pp#012
Aug 15 10:13:40 XXXXXXXX setroubleshoot: SELinux is preventing /opt/google/chrome/chrome from setopt access on the netlink_kobject_uevent_socket labeled httpd_t. For complete SELinux messages run: sealert -l a03ad1f3-e0b6-4d3d-a88d-95274a5da901
Aug 15 10:13:40 XXXXXXXX python: SELinux is preventing /opt/google/chrome/chrome from setopt access on the netlink_kobject_uevent_socket labeled httpd_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that chrome should be allowed setopt access on netlink_kobject_uevent_socket labeled httpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ThreadPoolForeg' --raw | audit2allow -M my-ThreadPoolForeg#012# semodule -i my-ThreadPoolForeg.pp#012
Aug 15 10:13:40 XXXXXXXX setroubleshoot: SELinux is preventing /opt/google/chrome/chrome from bind access on the netlink_kobject_uevent_socket labeled httpd_t. For complete SELinux messages run: sealert -l 617e8889-e2fe-4894-a925-5f530befe849
Aug 15 10:13:40 XXXXXXXX python: SELinux is preventing /opt/google/chrome/chrome from bind access on the netlink_kobject_uevent_socket labeled httpd_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that chrome should be allowed bind access on netlink_kobject_uevent_socket labeled httpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ThreadPoolForeg' --raw | audit2allow -M my-ThreadPoolForeg#012# semodule -i my-ThreadPoolForeg.pp#012
Aug 15 10:13:40 XXXXXXXX setroubleshoot: SELinux is preventing /opt/google/chrome/chrome from getattr access on the netlink_kobject_uevent_socket labeled httpd_t. For complete SELinux messages run: sealert -l 403ca86a-5311-4182-87d6-0c4db233bf77
Aug 15 10:13:40 XXXXXXXX python: SELinux is preventing /opt/google/chrome/chrome from getattr access on the netlink_kobject_uevent_socket labeled httpd_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that chrome should be allowed getattr access on netlink_kobject_uevent_socket labeled httpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ThreadPoolForeg' --raw | audit2allow -M my-ThreadPoolForeg#012# semodule -i my-ThreadPoolForeg.pp#012
Aug 15 10:13:42 XXXXXXXX setroubleshoot: SELinux is preventing chrome from using the execmem access on a process. For complete SELinux messages run: sealert -l 79ec870a-fdd2-4262-86db-db493b8d5bee
Aug 15 10:13:42 XXXXXXXX python: SELinux is preventing chrome from using the execmem access on a process.#012#012*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************#012#012If you want to allow httpd to execmem#012Then you must tell SELinux about this by enabling the 'httpd_execmem' boolean.#012#012Do#012setsebool -P httpd_execmem 1#012#012*****  Plugin catchall (11.6 confidence) suggests   **************************#012#012If you believe that chrome should be allowed execmem access on processes labeled httpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'chrome' --raw | audit2allow -M my-chrome#012# semodule -i my-chrome.pp#012
OG2K commented 4 years ago

Dear,

That is not actually a bug. And it is correct that SELinux blocked abnormal behaviour.

You should understand how SELinux works in order to troubleshoot and control it. After reading that "documentation" I started to understand the SELinux philosophy and meaning more deeply: https://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf

First you need to examine the logs: start by emptying the logs, tailing them and repeating the action which does not work. Back up the log, do not remove it (otherwise you need to touch it).

cp /var/log/audit/audit.log /var/log/audit/audit.log.202003121106
cat > /var/log/audit/audit.log

C-c (press Ctrl-C to stop cat; the redirection has already truncated the file in place)

Tail them:

tail -f /var/log/audit/audit.log | grep "denied"

Understand them:

grep "chrome" /var/log/audit/audit.log  | grep "denied" | grep "ptrace" | audit2allow
grep "chrome" /var/log/audit/audit.log  | grep "denied" | grep "exec" | audit2allow

Finally make an SELinux module:

grep "chrome" /var/log/audit/audit.log | grep "denied" | audit2allow -M icinga_pdfexport   # reads the filtered records from stdin; with -a audit2allow ignores stdin and reads the whole audit log instead

Install the module and check:

semodule -i icinga_pdfexport.pp
semodule -l | grep pdfexport

Switch SELinux booleans on, if needed:

setsebool -P httpd_execmem true
setsebool -P httpd_can_network_connect true
getsebool -a | grep httpd

My environment: RHEL7.7

(screenshot attached: Annotation 2020-03-12 122704 - pdfreport selinux)
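
The procedure above (collect the denials, understand them, turn them into a module, prefer a boolean where one exists) is what audit2allow automates. The following is an added example, not code from this issue or from the Icinga project: a small Python script that parses AVC records, groups them the way audit2allow does before printing allow rules, and drafts the .te source for the icinga_pdfexport module. The audit records in SAMPLE_AUDIT_LOG are constructed to match the denials in the setroubleshoot output at the top of the issue; the target labels (sysctl_fs_t, mysqld_port_t), the pids and the php-fpm record are assumptions added for the sample, and the two booleans in BOOLEAN_HINTS are the ones this thread mentions (httpd_execmem, httpd_can_network_connect). Two design points differ from a blanket `audit2allow -M`: records are selected by the SELinux source type and optionally by comm, because the AVC record carries the thread name (ThreadPoolForeg, chrome) rather than the executable path, so a substring match on "chrome" can miss records; and permissions such as execmem on the httpd_t domain are written as REVIEW comments rather than allow rules, since a web-facing domain that may map writable-executable memory is a deliberate decision (setsebool httpd_execmem), not something to copy out of a log.

```python
"""Summarise SELinux AVC denials from audit.log and draft a .te policy module.

Added example, not part of the issue thread or the Icinga project. It mirrors
the grouping that audit2allow does for you, but keeps risky permissions out of
the allow rules until someone has reviewed them.
"""
import re
from collections import defaultdict

# Constructed audit.log records (not copied from the issue): the same denials
# the setroubleshoot output above reports, plus one unrelated php-fpm record.
# Target labels such as sysctl_fs_t and the pids are assumptions for the sample.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1565856819.123:4321): avc:  denied  { read } for  pid=12345 comm="ThreadPoolForeg" name="max_user_watches" dev="proc" ino=567 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1565856820.456:4322): avc:  denied  { getattr } for  pid=12345 comm="ThreadPoolForeg" path="/proc/sys/fs/inotify/max_user_watches" dev="proc" ino=567 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1565856820.789:4323): avc:  denied  { create } for  pid=12345 comm="ThreadPoolForeg" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_kobject_uevent_socket permissive=0
type=AVC msg=audit(1565856820.790:4324): avc:  denied  { setopt bind getattr } for  pid=12345 comm="ThreadPoolForeg" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_kobject_uevent_socket permissive=0
type=AVC msg=audit(1565856822.001:4325): avc:  denied  { execmem } for  pid=12345 comm="chrome" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1565856822.002:4326): avc:  denied  { name_connect } for  pid=9999 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
"""

# One AVC record per line: permissions, thread name, source/target contexts, class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Permissions that widen what a compromised web-server domain can do well beyond
# "render a PDF"; they are emitted as comments for review, never as allow rules.
RISKY_PERMS = {
    "process": {"execmem", "execstack", "execheap", "ptrace", "setcurrent"},
    "file": {"write", "execute", "execute_no_trans", "relabelto"},
    "capability": {"sys_admin", "sys_ptrace", "dac_override", "setuid"},
}

# httpd_t denials that a stock boolean already covers (the two booleans this
# thread mentions); toggling the boolean is preferable to a custom allow rule.
BOOLEAN_HINTS = {
    ("process", "execmem"): "httpd_execmem",
    ("tcp_socket", "name_connect"): "httpd_can_network_connect",
}


def parse_denials(text):
    """Return one dict per AVC denial record found in *text*."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = set(d["perms"].split())
            denials.append(d)
    return denials


def type_of(context):
    """'system_u:system_r:httpd_t:s0' -> 'httpd_t' (the type is always the third field)."""
    return context.split(":")[2]


def aggregate(denials, source_type, comms=None):
    """Group denied permissions by (source type, target type, class).

    Filters on the SELinux source type and optionally on comm: the AVC record
    carries the thread name (ThreadPoolForeg, chrome), not the executable path.
    """
    rules = defaultdict(set)
    for d in denials:
        if type_of(d["scontext"]) != source_type:
            continue
        if comms is not None and d["comm"] not in comms:
            continue
        rules[(source_type, type_of(d["tcontext"]), d["tclass"])] |= d["perms"]
    return dict(rules)


def boolean_hints(rules):
    """Booleans that would satisfy some httpd_t denials without custom policy."""
    return {BOOLEAN_HINTS[(cls, p)]
            for (src, _, cls), perms in rules.items() if src == "httpd_t"
            for p in perms if (cls, p) in BOOLEAN_HINTS}


def render_te(module_name, rules, version="1.0"):
    """Emit type-enforcement source; rules with risky permissions become REVIEW comments."""
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    by_class = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        by_class[cls] |= perms
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};" for cls, p in sorted(by_class.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if tgt == src else tgt
        rule = f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};"
        risky = perms & RISKY_PERMS.get(cls, set())
        out.append(f"# REVIEW ({', '.join(sorted(risky))}) before enabling: {rule}" if risky else rule)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    chrome_rules = aggregate(found, "httpd_t", comms={"chrome", "ThreadPoolForeg"})
    print(render_te("icinga_pdfexport", chrome_rules))
    print("# booleans to consider:", ", ".join(sorted(boolean_hints(aggregate(found, "httpd_t")))))
```

Run it against a real excerpt with `grep '^type=AVC' /var/log/audit/audit.log` redirected into the script's input instead of SAMPLE_AUDIT_LOG; the generated .te goes through the usual checkmodule / semodule_package / semodule -i chain, or you simply let `audit2allow -M` do the same job once you have decided which REVIEW lines you are willing to turn into allow rules and which you would rather satisfy with a boolean.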

nilmerg commented 3 years ago

Thanks @OG2K!

This is indeed more of a documentation issue.