juju4 / ansible-MISP

ansible role to setup MISP, Malware Information Sharing Platform & Threat Sharing
BSD 2-Clause "Simplified" License

Getting an SELinux labelling issue on /var/www/MISP/app/tmp/cache/persistent/ #1

Closed cygnetix closed 5 years ago

cygnetix commented 6 years ago

Using: CentOS Linux release 7.5.1804 (Core)

I'm getting the following after running a playbook to apply the role:

==> /var/log/httpd/misp.local_error.log <==
[Sat Jun 30 00:20:55.445260 2018] [php7:warn] [pid 96330] [client 192.168.235.1:60756] PHP Warning:  _cake_core_ cache was unable to write 'cake_dev_en-au' to File cache in /var/www/MISP/app/Lib/cakephp/lib/Cake/Cache/Cache.php on line 327
[Sat Jun 30 00:20:55.445317 2018] [php7:warn] [pid 96330] [client 192.168.235.1:60756] PHP Warning:  /var/www/MISP/app/tmp/cache/persistent/ is not writable in /var/www/MISP/app/Lib/cakephp/lib/Cake/Cache/Engine/FileEngine.php on line 389

[Sat Jun 30 00:20:55.445360 2018] [php7:error] [pid 96330] [client 192.168.235.1:60756] PHP Fatal error:  Uncaught CacheException: Cache engine "_cake_core_" is not properly configured. Ensure required extensions are installed, and credentials/permissions are correct in /var/www/MISP/app/Lib/cakephp/lib/Cake/Cache/Cache.php:186\nStack trace:\n#0 /var/www/MISP/app/Lib/cakephp/lib/Cake/Cache/Cache.php(151): Cache::_buildEngine('_cake_core_')\n#1 /var/www/MISP/app/Config/core.php(270): Cache::config('_cake_core_', Array)\n#2 /var/www/MISP/app/Lib/cakephp/lib/Cake/Core/Configure.php(72): include('/var/www/MISP/a...')\n#3 /var/www/MISP/app/Lib/cakephp/lib/Cake/bootstrap.php(439): Configure::bootstrap(true)\n#4 /var/www/MISP/app/webroot/index.php(81): include('/var/www/MISP/a...')\n#5 {main}\n  thrown in /var/www/MISP/app/Lib/cakephp/lib/Cake/Cache/Cache.php on line 186

Running ausearch -m avc -ts recent shows it's an SELinux labelling issue, and setenforce 0 works around the problem:

time->Sat Jun 30 00:17:11 2018
type=PROCTITLE msg=audit(1530281831.940:679): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1530281831.940:679): arch=c000003e syscall=87 success=yes exit=0 a0=7fef46a818b8 a1=1 a2=7fef46a818bf a3=7fef5576f870 items=0 ppid=96327 pid=96332 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1530281831.940:679): avc:  denied  { unlink } for  pid=96332 comm="httpd" name="myapp_cake_core_cake_console_eng" dev="dm-0" ino=51354795 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file

The SELinux label for this directory, and possibly sub-directories, should be set to something that httpd_t can write to as part of the Ansible role.

Just adding a ticket now before I forget. I may find time to come back and fix it up with a PR but probably not any time soon.

cygnetix commented 6 years ago

PS: Awesome work on writing the role. It's saved me a heap of time! The install process for MISP is pretty long, but well worth the effort.

juju4 commented 6 years ago

It seems the ansible module (https://docs.ansible.com/ansible/latest/modules/sefcontext_module.html) regexp matching is not really recursive in https://github.com/juju4/ansible-MISP/blob/devel2/tasks/selinux-context.yml. For now, I moved to a non-idempotent chcon command call. Please test and confirm it's ok.

Sadly, I can't test this part in Travis with the Ubuntu kernel as there is no SELinux.
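The non-recursive match juju4 describes above can be addressed with a file-context regex that covers the whole tree plus a restorecon handler. The playbook below is an added example, not code from the ansible-MISP role; the `misp` host group, the `community.general` collection name for `sefcontext`, the handler name and the list of writable directories beyond app/tmp are assumptions.

```yaml
---
# Added example, not code from the juju4/ansible-MISP role: label the MISP
# writable trees idempotently instead of with a one-off chcon.
- hosts: misp
  become: true
  vars:
    misp_rw_dirs:            # trees httpd_t must write to (assumed list)
      - /var/www/MISP/app/tmp
      - /var/www/MISP/app/files
  tasks:
    - name: Install semanage bindings (CentOS 7 package name)
      ansible.builtin.package:
        name: policycoreutils-python
        state: present
      when: ansible_facts.selinux.status == 'enabled'

    # "(/.*)?" is what makes the rule apply to every file and subdirectory;
    # a target without it only matches the top-level path, which is why
    # cache/persistent kept its httpd_sys_content_t label in the AVC above.
    - name: Record SELinux file context for MISP writable trees
      community.general.sefcontext:
        target: "{{ item }}(/.*)?"
        setype: httpd_sys_rw_content_t
        state: present
      loop: "{{ misp_rw_dirs }}"
      when: ansible_facts.selinux.status == 'enabled'
      notify: Relabel MISP writable trees

  handlers:
    # sefcontext only stores the rule; files that already exist keep their
    # old label until restorecon is run. -v prints one line per relabelled
    # path, so an empty stdout means nothing changed and the handler reports
    # "ok" on repeated runs instead of always "changed".
    - name: Relabel MISP writable trees
      ansible.builtin.command:
        cmd: "restorecon -Rv {{ misp_rw_dirs | join(' ') }}"
      register: restorecon_out
      changed_when: restorecon_out.stdout | length > 0
```

After the play, `matchpathcon /var/www/MISP/app/tmp/cache/persistent` should report httpd_sys_rw_content_t and `ausearch -m avc -ts recent` should stop showing unlink/write denials for comm="httpd" under that path.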

juju4 commented 5 years ago

Is this still an issue? Thanks

cygnetix commented 5 years ago

Hi Juju4,

I'd forgotten all about this.

I think I set the labels manually in the end, so didn't check - sorry. Certainly not an issue for me anymore and I can always reopen (or send a PR) if I find that it's not working in the future.

Thanks for such a prompt response and for all your awesome Ansible playbooks.