View Issue Details

IDProjectCategoryView StatusLast Update
0015680CentOS-7kernelpublic2020-06-01 20:35
Reporteragnaeux 
PrioritynormalSeverityminorReproducibilityalways
Status newResolutionopen 
Product Version7.6.1810 
Target VersionFixed in Version 
Summary0015680: SeLinux Kernel (3.10.0-957.1.3) error
DescriptionI found an issue with the new kernel which block map access to /dev/zero for the pagespeed module. Here are the log :

Audit.log :
type=AVC msg=audit(1547031688.122:94): avc: denied { map } for pid=5257 comm="httpd" path="/dev/zero" dev="devtmpfs" ino=1030 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=0

http error log :
[Wed Jan 09 10:24:37.481133 2019] [pagespeed:error] [pid 5429] [mod_pagespeed 1.13.35.2-0 @5429] Failed to mkdir /var/cache/mod_pagespeed/ purge /dBBL9jpbx73YIVsEhxe2.outputlock: No such file or directory

audit2allow :
# src="httpd_t" tgt="zero_device_t" class="chr_file", perms="map"
# comm="httpd" exe="" path="/dev/zero"
allow httpd_t zero_device_t:chr_file map;

I did not have this issue with the older kernel (3.10.0-862.14.4)
Steps To ReproducePurge the pagespeed cache
TagsNo tags attached.
abrt_hash
URL

Activities

leifh

leifh

2019-04-30 16:19

reporter   ~0034408

Could it be related to https://bugzilla.redhat.com/show_bug.cgi?id=1700758 ?

# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -X 300 -i my-httpd.pp

The above incantations seems do do the trick.
steamon

steamon

2019-12-25 12:40

reporter   ~0035890

I like to add that if I want to use page speed on Plesk I have to disable SELinux currently. This disables a part of the security of the OS. Can we get an ETA when this can be fixed? I know page speed is technically a feature and not needed to run Plesk or a Web server. Lately, Google search console is measuring page load speed and its feature is slowly becoming more important in the website's world.

Has anyone tested CentOS 8 with this?
TrevorH

TrevorH

2019-12-26 12:17

manager   ~0035896

We don't support systems with Plesk installed at all. However, perhaps you can fix it by reading the following links

Useful resources for SELinux: http://wiki.centos.org/HowTos/SELinux | http://wiki.centos.org/TipsAndTricks/SelinuxBooleans | http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/ | http://www.youtube.com/watch?v=bQqX3RWn0Yw | http://opensource.com/business/13/11/selinux-policy-guide | http://freecomputerbooks.com/The-SELinux-Notebook-The-Foundations.html
benyaminl

benyaminl

2020-06-01 19:36

reporter   ~0037014

Hello. I don't use plesk and I experince the same problem. Can you maybe give any suggestion other than disabling selinux? Thank you.

[root@centos ~]# uname -msr
Linux 3.10.0-1127.8.2.el7.x86_64 x86_64
[root@centos ~]# lsb_release
LSB Version: :core-4.1-amd64:core-4.1-noarch
[root@centos ~]# lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.8.2003 (Core)
Release: 7.8.2003
Codename: Core
[root@centos ~]#
benyaminl

benyaminl

2020-06-01 19:59

reporter   ~0037015

This's the log attached

audit+error_log.zip (294,692 bytes)
ManuelWolfshant

ManuelWolfshant

2020-06-01 20:35

manager   ~0037016

Given that mod_pagespeed is not provided by CentOS, lack of proper built-in support is not much of a surprise. The only way forward is to move this discussion to bugzilla.redhat.com and persuade the RH maintainers of the selinux packages to include support for it.

Issue History

Date Modified Username Field Change
2019-01-09 09:37 agnaeux New Issue
2019-04-30 16:19 leifh Note Added: 0034408
2019-12-25 12:40 steamon Note Added: 0035890
2019-12-26 12:17 TrevorH Note Added: 0035896
2020-06-01 19:36 benyaminl Note Added: 0037014
2020-06-01 19:59 benyaminl File Added: audit+error_log.zip
2020-06-01 19:59 benyaminl Note Added: 0037015
2020-06-01 20:35 ManuelWolfshant Note Added: 0037016