View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0015680CentOS-7kernelpublic2019-01-09 09:372019-12-26 12:17
Reporteragnaeux 
PrioritynormalSeverityminorReproducibilityalways
Status newResolutionopen 
Product Version7.6.1810 
Target VersionFixed in Version 
Summary0015680: SeLinux Kernel (3.10.0-957.1.3) error
DescriptionI found an issue with the new kernel which block map access to /dev/zero for the pagespeed module. Here are the log :

Audit.log :
type=AVC msg=audit(1547031688.122:94): avc: denied { map } for pid=5257 comm="httpd" path="/dev/zero" dev="devtmpfs" ino=1030 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=0

http error log :
[Wed Jan 09 10:24:37.481133 2019] [pagespeed:error] [pid 5429] [mod_pagespeed 1.13.35.2-0 @5429] Failed to mkdir /var/cache/mod_pagespeed/ purge /dBBL9jpbx73YIVsEhxe2.outputlock: No such file or directory

audit2allow :
# src="httpd_t" tgt="zero_device_t" class="chr_file", perms="map"
# comm="httpd" exe="" path="/dev/zero"
allow httpd_t zero_device_t:chr_file map;

I did not have this issue with the older kernel (3.10.0-862.14.4)
Steps To ReproducePurge the pagespeed cache
TagsNo tags attached.
abrt_hash
URL

Activities

leifh

leifh

2019-04-30 16:19

reporter   ~0034408

Could it be related to https://bugzilla.redhat.com/show_bug.cgi?id=1700758 ?

# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -X 300 -i my-httpd.pp

The above incantations seems do do the trick.
steamon

steamon

2019-12-25 12:40

reporter   ~0035890

I like to add that if I want to use page speed on Plesk I have to disable SELinux currently. This disables a part of the security of the OS. Can we get an ETA when this can be fixed? I know page speed is technically a feature and not needed to run Plesk or a Web server. Lately, Google search console is measuring page load speed and its feature is slowly becoming more important in the website's world.

Has anyone tested CentOS 8 with this?
TrevorH

TrevorH

2019-12-26 12:17

manager   ~0035896

We don't support systems with Plesk installed at all. However, perhaps you can fix it by reading the following links

Useful resources for SELinux: http://wiki.centos.org/HowTos/SELinux | http://wiki.centos.org/TipsAndTricks/SelinuxBooleans | http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/ | http://www.youtube.com/watch?v=bQqX3RWn0Yw | http://opensource.com/business/13/11/selinux-policy-guide | http://freecomputerbooks.com/The-SELinux-Notebook-The-Foundations.html

Issue History

Date Modified Username Field Change
2019-01-09 09:37 agnaeux New Issue
2019-04-30 16:19 leifh Note Added: 0034408
2019-12-25 12:40 steamon Note Added: 0035890
2019-12-26 12:17 TrevorH Note Added: 0035896