SELinux AVC denials for x2t and ldd when creating ONLYOFFICE documents, Nextcloud, ONLYOFFICE, LAMP stack, Please Help

Hi,

Apologies in advance for the length. But TL;DR: SELinux is preventing ONLYOFFICE from working on Nextcloud. Please help.

I have been trying to get Nextcloud to work for about a week now and went through the installation multiple times on Fedora 31 and Red Hat 8. I tried everything on bare metal and in a VM. I think I also tried it on Fedora 30 as well.

I think that I figured a lot of things out by following various guides, but now I hit an SELinux roadblock with ONLYOFFICE. The issues are not DAC but SELinux-related, because everything works when SELinux is disabled or set to permissive mode. When SELinux is enabled, however, I am able to create but not edit ONLYOFFICE documents. Further, attempting to create an ONLYOFFICE document of any kind results in 2 AVC denials: x2t and ldd. These denials are the same across all installs.

It looks like x2t and ldd are executables that are being prevented from running.

I went through some Red Hat documentation (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-targeted_policy). It looks like there is a difference between contexts for files/directories and those for executables. The context may be changed by semanage fcontext -m or semanage fcontext -a -t.

I have tried changing the context for x2t but that simply resulted in another PHP denial for php-fpm.

I also reached out to Red Hat, as creating a policy module should be the last course of action. It is also an issue that I am not sure about the security implications of creating these modules. That said, Red Hat just says to either reach out to Nextcloud or to create the modules–I was hoping for a bit more, to be honest. So it seems that I am stuck here.

Here are some of the AVC denials that I am seeing after I changed the SE context for x2t. Has anyone experienced anything like this?

I also asked here (https://help.nextcloud.com/t/selinux-avc-denials-for-x2t-and-ldd-when-creating-onlyoffice-documents-nextcloud-onlyoffice-lamp-stack-please-help/77108) but no results yet.

Logs

SELinux is preventing /var/www/html/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/x2t from execute access on the file /var/www/html/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/libkernel.so.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/var/www/html/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/libkernel.so default label should be httpd_sys_script_exec_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /var/www/html/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/libkernel.so

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that x2t should be allowed execute access on the libkernel.so file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'x2t' --raw | audit2allow -M my-x2t
# semodule -X 300 -i my-x2t.pp


Additional Information:
Source Context                system_u:system_r:httpd_sys_script_t:s0
Target Context                unconfined_u:object_r:httpd_sys_rw_content_t:s0
Target Objects                /var/www/html/nextcloud/apps/documentserver_commun
                              ity/3rdparty/onlyoffice/documentserver/server/File
                              Converter/bin/libkernel.so [ file ]
Source                        x2t
Source Path                   /var/www/html/nextcloud/apps/documentserver_commun
                              ity/3rdparty/onlyoffice/documentserver/server/File
                              Converter/bin/x2t
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rehl8lab00.lab.net
Platform                      Linux rehl8lab00.lab.net
                              4.18.0-147.5.1.el8_1.x86_64 #1 SMP Tue Jan 14
                              15:50:19 UTC 2020 x86_64 x86_64
Alert Count                   5
First Seen                    2020-04-06 15:29:38 EDT
Last Seen                     2020-04-06 16:08:53 EDT
Local ID                      a9c76458-a7ac-47da-8a92-4995fc2e0bcb

Raw Audit Messages
type=AVC msg=audit(1586203733.868:263): avc:  denied  { execute } for  pid=12931 comm="x2t" path="/var/www/html/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/libkernel.so" dev="sda4" ino=19407675 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1586203733.868:263): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=4202d8 a2=5 a3=802 items=0 ppid=10822 pid=12931 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=x2t exe=/var/www/html/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/x2t subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)ARCH=x86_64 SYSCALL=mmap AUID=unset UID=apache GID=apache EUID=apache SUID=apache FSUID=apache EGID=apache SGID=apache FSGID=apache

Hash: x2t,httpd_sys_script_t,httpd_sys_rw_content_t,file,execute

--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/bash from execute_no_trans access on the file /usr/lib64/ld-2.28.so.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bash should be allowed execute_no_trans access on the ld-2.28.so file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ldd' --raw | audit2allow -M my-ldd
# semodule -X 300 -i my-ldd.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:ld_so_t:s0
Target Objects                /usr/lib64/ld-2.28.so [ file ]
Source                        ldd
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           bash-4.4.19-10.el8.x86_64
Target RPM Packages           glibc-2.28-72.el8_1.1.x86_64
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rehl8lab00.lab.net
Platform                      Linux rehl8lab00.lab.net
                              4.18.0-147.5.1.el8_1.x86_64 #1 SMP Tue Jan 14
                              15:50:19 UTC 2020 x86_64 x86_64
Alert Count                   5
First Seen                    2020-04-06 15:29:38 EDT
Last Seen                     2020-04-06 16:08:53 EDT
Local ID                      a5fc31eb-5ed2-49d5-acdf-f4b308d436df

Raw Audit Messages
type=AVC msg=audit(1586203733.930:265): avc:  denied  { execute_no_trans } for  pid=12934 comm="ldd" path="/usr/lib64/ld-2.28.so" dev="sda4" ino=62404 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1586203733.930:265): arch=x86_64 syscall=execve success=no exit=EACCES a0=560d3ad19e00 a1=560d3ad19e60 a2=560d3ad23130 a3=560d3ad10010 items=0 ppid=12932 pid=12934 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=ldd exe=/usr/bin/bash subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID=unset UID=apache GID=apache EUID=apache SUID=apache FSUID=apache EGID=apache SGID=apache FSGID=apache

Hash: ldd,httpd_t,ld_so_t,file,execute_no_trans

--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/php-fpm from setattr access on the file x2t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that php-fpm should be allowed setattr access on the x2t file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
# semodule -X 300 -i my-phpfpm.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:httpd_sys_script_exec_t:s0
Target Objects                x2t [ file ]
Source                        php-fpm
Source Path                   /usr/sbin/php-fpm
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           php-
                              fpm-7.2.11-4.module+el8.1.0+4555+f5cb8e18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rehl8lab00.lab.net
Platform                      Linux rehl8lab00.lab.net
                              4.18.0-147.5.1.el8_1.x86_64 #1 SMP Tue Jan 14
                              15:50:19 UTC 2020 x86_64 x86_64
Alert Count                   4
First Seen                    2020-04-06 16:03:21 EDT
Last Seen                     2020-04-06 16:08:53 EDT
Local ID                      1d6face0-44c5-4184-8262-3509483bf43c

Raw Audit Messages
type=AVC msg=audit(1586203733.869:264): avc:  denied  { setattr } for  pid=10822 comm="php-fpm" name="x2t" dev="sda4" ino=19407676 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_script_exec_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1586203733.869:264): arch=x86_64 syscall=chmod success=no exit=EACCES a0=7f9fd0d58258 a1=1ed a2=7f9fe9052960 a3=7f9fe6c1c910 items=0 ppid=10819 pid=10822 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=chmod AUID=unset UID=apache GID=apache EUID=apache SUID=apache FSUID=apache EGID=apache SGID=apache FSGID=apache

Hash: php-fpm,httpd_t,httpd_sys_script_exec_t,file,setattr

Have you looked through this documentation?
https://docs.nextcloud.com/server/18/admin_manual/installation/selinux_configuration.html

Since you are running the nextcloud plugin.

Looking at the logs you posted, how about trying these commands? They are in the log outputs:

ausearch -c 'x2t' --raw | audit2allow -M my-x2t
semodule -X 300 -i my-x2t.pp
ausearch -c 'ldd' --raw | audit2allow -M my-ldd
semodule -X 300 -i my-ldd.pp
ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
semodule -X 300 -i my-phpfpm.pp
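The commands above install whatever audit2allow derives from the denials. As an added example that is not part of this thread and not code from audit2allow, Nextcloud or ONLYOFFICE, the script below does the same derivation by hand for the three AVC records quoted in the original post (embedded as sample input) and then applies a simple triage heuristic of the editor's own: an execute permission on a writable-content type such as httpd_sys_rw_content_t is flagged as a labeling problem, because allowing it would let anything the web server can write also be executed, which is exactly what the restorecon plugin in the first alert avoids by suggesting httpd_sys_script_exec_t for libkernel.so instead. The verdict strings and the type patterns in rule_risk are assumptions for illustration, not part of the SELinux policy.

```shell
#!/bin/bash
# Added example: turn raw AVC records into the allow rule audit2allow would
# emit, then flag rules that weaken the httpd policy rather than fix a label.
# Only sed/cut are used, so this runs without SELinux tooling installed.

# Constructed sample input: the three AVC records quoted in the thread above.
SAMPLE_AVCS='type=AVC msg=audit(1586203733.868:263): avc:  denied  { execute } for  pid=12931 comm="x2t" path="/var/www/html/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/libkernel.so" dev="sda4" ino=19407675 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1586203733.930:265): avc:  denied  { execute_no_trans } for  pid=12934 comm="ldd" path="/usr/lib64/ld-2.28.so" dev="sda4" ino=62404 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file permissive=0
type=AVC msg=audit(1586203733.869:264): avc:  denied  { setattr } for  pid=10822 comm="php-fpm" name="x2t" dev="sda4" ino=19407676 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_script_exec_t:s0 tclass=file permissive=0'

# avc_field LINE KEY -> value of "KEY=value" in the record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"*\([^\" ]*\)\"*.*/\1/p"
}

# avc_perm LINE -> the denied permission inside "{ ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^ }]*\).*/\1/p'
}

# ctx_type CONTEXT -> the type component (user:role:TYPE:level).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_parts LINE -> "SRC_TYPE TGT_TYPE CLASS PERM" on one line.
avc_parts() {
    local line=$1
    printf '%s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$line" scontext)")" \
        "$(ctx_type "$(avc_field "$line" tcontext)")" \
        "$(avc_field "$line" tclass)" \
        "$(avc_perm "$line")"
}

# avc_to_rule LINE -> the allow rule audit2allow would put in the .te file.
avc_to_rule() {
    set -- $(avc_parts "$1")
    printf 'allow %s %s:%s %s;\n' "$1" "$2" "$3" "$4"
}

# rule_risk SRC TGT CLASS PERM -> "VERDICT: reason" (editor's heuristic).
rule_risk() {
    local src=$1 tgt=$2 cls=$3 perm=$4
    case "$perm" in
        execute|execute_no_trans|entrypoint)
            case "$tgt" in
                *_rw_content_t|*_tmp_t|tmp_t|user_home_t)
                    # Writable content must never become executable content;
                    # the fix is a correct *_exec_t label, not an allow rule.
                    echo "RELABEL: $src executing $tgt would make web-writable files executable; relabel the file (restorecon / semanage fcontext) instead of allowing this"
                    return 0 ;;
                ld_so_t)
                    echo "REVIEW: $src would run the dynamic loader directly (what ldd does); find which component invokes ldd before allowing"
                    return 0 ;;
            esac ;;
    esac
    echo "REVIEW: $perm on $tgt by $src; confirm the file's expected label with matchpathcon before installing the module"
}

# avc_verdict LINE -> risk verdict for the rule derived from one record.
avc_verdict() {
    set -- $(avc_parts "$1")
    rule_risk "$1" "$2" "$3" "$4"
}

# triage: read AVC records on stdin, print comm, derived rule and verdict.
triage() {
    local line
    while IFS= read -r line; do
        case "$line" in *'avc:  denied'*) ;; *) continue ;; esac
        printf 'comm=%s\n  %s\n  %s\n' \
            "$(avc_field "$line" comm)" "$(avc_to_rule "$line")" "$(avc_verdict "$line")"
    done
}

# Demo over the constructed sample; on a live host pipe in
# `ausearch -m AVC --raw` output instead.
printf '%s\n' "$SAMPLE_AVCS" | triage
```

Reading the derived rules this way before running `semodule -i` shows what each module actually grants: the first denial would become `allow httpd_sys_script_t httpd_sys_rw_content_t:file execute;`, i.e. permission for CGI-domain processes to execute anything under the Nextcloud data tree, whereas the alert's own restorecon suggestion only changes the label of one library.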

Hi @TheCakeIsNaOH, thanks for the response.

I looked through the Nextcloud docs, which do not mention creating SE policy modules. The Red Hat documentation states that module creation should be the last resort. I asked Red Hat about it and was directed to Nextcloud. Red Hat also stated that I could try creating the modules but that evaluating security risks is up to me. I was hoping for a bit more considering that I am paying for the subscription–but maybe I am just frustrated and this is beyond Red Hat's purview. I have reached out to Nextcloud but have not heard back yet.

As of now, I have not tried creating the semodule. One of the reasons is that it says "do this to fix everything" and I am not entirely sure what it is that I am fixing. I am just concerned here because at some point this will be public facing, right? I get the feeling that I will have to go through that. I am looking through the Nextcloud, httpd and PHP logs now to see if I can get some sort of clue as to why these modules are needed when I set all the SELinux contexts properly. I also don't yet understand why the Nextcloud docs direct setting httpd_sys_rw_content_t, which results in x2t, PHP and ldd having issues. Why is ldd involved at all (man states that it prints shared object libraries and such)? Am I missing something in my understanding of how this is supposed to work?

I also have not tried setting this up using snap on something like Ubuntu. Would that even help, as I believe that Ubuntu/Debian do not enable SELinux by default, or is it the firewall?

Also look at these issues; they are on the document server plugin GitHub repository: