Hi,
apologies in advance for the length. But TLDR SELinux is prevent ONLYOFFICE from working on NEXTCLOUD. Please help.
I have been trying to get Nextcloud to work for about a week now and went through the installation multiple times on Fedora 31 and Red Hat 8. I tried everything on bare metal and in a VM. I think I also tried it on Fedora 30 as well.
I think that I figured a lot of things out by following various guides but now I hit an SELinux roadblock with ONLYOFFICE. The issues are not DAC but SELinux related because everything works when SELinux is disabled or set to permissive mode. When SELinux is enabled, however, I am able to create but not edit ONLYOFFICE documents. Further, attempting to create an ONLYOFFICE document of any king results in 2 AVC denials: x2t and ldd. These denials are the same across all installs.
It looks like x2t and ldd are executables that are being prevented from running.
I went through some Redhat documentation (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-targeted_policy). It looks like there is a difference between contexts for files/directories and those for executables. The context may be changed by semanage fcontext -m or semanage fcontext -a -t.
I have tried changing the context for x2t but that simply resulted in another PHP denial for php-fpm.
I also reached out to Redhat as creating a policy module should be the last course of action. It is also an issue that I am not sure about the security implications of creating these modules. That said, Red Hat just says to either reach out to Nextcloud or to create the modules–I was hoping for a bit more to be honest. So it seems that I am stuck here.
Here are some of the AVC denials that I am seeing after I changed the SE context for x2t. Has anyone experienced anything like this?
I also asked here (https://help.nextcloud.com/t/selinux-avc-denials-for-x2t-and-ldd-when-creating-onlyoffice-documents-nextcloud-onlyoffice-lamp-stack-please-help/77108) but no results yet.
Logs
SELinux is preventing /var/www/html/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/x2t from execute access on the file /var/www/html/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/libkernel.so.
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label.
/var/www/html/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/libkernel.so default label should be httpd_sys_script_exec_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /var/www/html/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/libkernel.so
***** Plugin catchall (1.49 confidence) suggests **************************
If you believe that x2t should be allowed execute access on the libkernel.so file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'x2t' --raw | audit2allow -M my-x2t
# semodule -X 300 -i my-x2t.pp
Additional Information:
Source Context system_u:system_r:httpd_sys_script_t:s0
Target Context unconfined_u:object_r:httpd_sys_rw_content_t:s0
Target Objects /var/www/html/nextcloud/apps/documentserver_commun
ity/3rdparty/onlyoffice/documentserver/server/File
Converter/bin/libkernel.so [ file ]
Source x2t
Source Path /var/www/html/nextcloud/apps/documentserver_commun
ity/3rdparty/onlyoffice/documentserver/server/File
Converter/bin/x2t
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name rehl8lab00.lab.net
Platform Linux rehl8lab00.lab.net
4.18.0-147.5.1.el8_1.x86_64 #1 SMP Tue Jan 14
15:50:19 UTC 2020 x86_64 x86_64
Alert Count 5
First Seen 2020-04-06 15:29:38 EDT
Last Seen 2020-04-06 16:08:53 EDT
Local ID a9c76458-a7ac-47da-8a92-4995fc2e0bcb
Raw Audit Messages
type=AVC msg=audit(1586203733.868:263): avc: denied { execute } for pid=12931 comm="x2t" path="/var/www/html/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/libkernel.so" dev="sda4" ino=19407675 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1586203733.868:263): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=4202d8 a2=5 a3=802 items=0 ppid=10822 pid=12931 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=x2t exe=/var/www/html/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/x2t subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)ARCH=x86_64 SYSCALL=mmap AUID=unset UID=apache GID=apache EUID=apache SUID=apache FSUID=apache EGID=apache SGID=apache FSGID=apache
Hash: x2t,httpd_sys_script_t,httpd_sys_rw_content_t,file,execute
--------------------------------------------------------------------------------
SELinux is preventing /usr/bin/bash from execute_no_trans access on the file /usr/lib64/ld-2.28.so.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that bash should be allowed execute_no_trans access on the ld-2.28.so file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ldd' --raw | audit2allow -M my-ldd
# semodule -X 300 -i my-ldd.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:ld_so_t:s0
Target Objects /usr/lib64/ld-2.28.so [ file ]
Source ldd
Source Path /usr/bin/bash
Port <Unknown>
Host <Unknown>
Source RPM Packages bash-4.4.19-10.el8.x86_64
Target RPM Packages glibc-2.28-72.el8_1.1.x86_64
Policy RPM selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name rehl8lab00.lab.net
Platform Linux rehl8lab00.lab.net
4.18.0-147.5.1.el8_1.x86_64 #1 SMP Tue Jan 14
15:50:19 UTC 2020 x86_64 x86_64
Alert Count 5
First Seen 2020-04-06 15:29:38 EDT
Last Seen 2020-04-06 16:08:53 EDT
Local ID a5fc31eb-5ed2-49d5-acdf-f4b308d436df
Raw Audit Messages
type=AVC msg=audit(1586203733.930:265): avc: denied { execute_no_trans } for pid=12934 comm="ldd" path="/usr/lib64/ld-2.28.so" dev="sda4" ino=62404 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1586203733.930:265): arch=x86_64 syscall=execve success=no exit=EACCES a0=560d3ad19e00 a1=560d3ad19e60 a2=560d3ad23130 a3=560d3ad10010 items=0 ppid=12932 pid=12934 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=ldd exe=/usr/bin/bash subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID=unset UID=apache GID=apache EUID=apache SUID=apache FSUID=apache EGID=apache SGID=apache FSGID=apache
Hash: ldd,httpd_t,ld_so_t,file,execute_no_trans
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/php-fpm from setattr access on the file x2t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that php-fpm should be allowed setattr access on the x2t file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
# semodule -X 300 -i my-phpfpm.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:httpd_sys_script_exec_t:s0
Target Objects x2t [ file ]
Source php-fpm
Source Path /usr/sbin/php-fpm
Port <Unknown>
Host <Unknown>
Source RPM Packages php-
fpm-7.2.11-4.module+el8.1.0+4555+f5cb8e18.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name rehl8lab00.lab.net
Platform Linux rehl8lab00.lab.net
4.18.0-147.5.1.el8_1.x86_64 #1 SMP Tue Jan 14
15:50:19 UTC 2020 x86_64 x86_64
Alert Count 4
First Seen 2020-04-06 16:03:21 EDT
Last Seen 2020-04-06 16:08:53 EDT
Local ID 1d6face0-44c5-4184-8262-3509483bf43c
Raw Audit Messages
type=AVC msg=audit(1586203733.869:264): avc: denied { setattr } for pid=10822 comm="php-fpm" name="x2t" dev="sda4" ino=19407676 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_script_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1586203733.869:264): arch=x86_64 syscall=chmod success=no exit=EACCES a0=7f9fd0d58258 a1=1ed a2=7f9fe9052960 a3=7f9fe6c1c910 items=0 ppid=10819 pid=10822 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=chmod AUID=unset UID=apache GID=apache EUID=apache SUID=apache FSUID=apache EGID=apache SGID=apache FSGID=apache
Hash: php-fpm,httpd_t,httpd_sys_script_exec_t,file,setattr