SELinux issue related to temporary csv-files and mysqld #20032

Open
hkotkanen opened this issue Nov 21, 2022 · 3 comments
Labels
c: Documentation For issues related to in-app product help messages, or to the Matomo knowledge base.

Comments

@hkotkanen

hkotkanen commented Nov 21, 2022

I’m running Matomo on a CentOS 7.9 machine and would like to keep SELinux in Enforcing mode. I’ve configured other required policies like allowing httpd to send mail, connect to the db and write to some directories. However, I still have one issue:

The problem is these temporary .csv files that Matomo is creating in the matomo/tmp/assets/ directory (the path in the messages below is different for legacy reasons), which the database then wants to read. Below is an example snippet from the audit log, but there are other types of files as well causing the same kinds of messages, like matomo_archive_blobs and matomo_archive_invalidations.

time->Fri Nov 18 13:46:30 2022
...comm="mysqld" exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1668771990.865:13125): avc:  denied  { getattr } for  pid=1356 comm="mysqld" path="/var/www/html/piwik/tmp/assets/matomo_option-fece7c3471c1a6b7ddc97122ede00e19.csv" dev="dm-1" ino=302023178 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=1
----
time->Fri Nov 18 13:46:30 2022
...comm="mysqld" exe="/usr/libexec/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null)
type=AVC msg=audit(1668771990.865:13126): avc:  denied  { open } for  pid=1356 comm="mysqld" path="/var/www/html/piwik/tmp/assets/matomo_option-fece7c3471c1a6b7ddc97122ede00e19.csv" dev="dm-1" ino=302023178 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668771990.865:13126): avc:  denied  { read } for  pid=1356 comm="mysqld" name="matomo_option-fece7c3471c1a6b7ddc97122ede00e19.csv" dev="dm-1" ino=302023178 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=1

I’m guessing this has to do with the LOAD DATA INFILE capability of the database which was marked as optional in the installation guide. I’m also guessing that it’s the Matomo app (i.e. httpd) that’s creating these temporary .csv files, which in my understanding means that they are necessarily going to get created with the httpd_sys_rw_content_t type, which the mysqld_t domain is not allowed to touch by default.

So one (the only?) way of solving this that I can think of would be to compile a new policy where processes marked as mysqld_t would be granted the getattr, open, and read permissions for files of type httpd_sys_rw_content_t, but I’d like to know if anyone knows of other, simpler ways to deal with this? Having to compile a new SELinux policy is a bit of a hassle, and also that kind of policy would be quite broad when considering the specificity of the actions being done here.

I thought it would be best to submit this as a documentation issue as it could be addressed in the installation guide, but feel free to shuffle it around if another category would be more suitable.

@hkotkanen hkotkanen added the To Triage An issue awaiting triage by a Matomo core team member label Nov 21, 2022
@bx80
Contributor

bx80 commented Nov 22, 2022

Hi @hkotkanen, thanks for reaching out on this one.

You are correct, the temporary .csv files are being created for LOAD DATA INFILE. Other than creating a new SELinux policy to allow the mysql process to access these files, the only other option I can see would be to disable use of LOAD DATA INFILE by adding enable_load_data_infile = 0 to the [General] section of config.ini.php which may or may not be a viable option for you depending on performance requirements.

I'll categorize this issue as a documentation update and assign it for prioritization. We should at least note in the installation guide that SELinux in enforcing mode will need policy changes in order for Matomo to work. A separate guide covering all SELinux changes required for Matomo installation would be even better. 🙂

@bx80 bx80 added c: Documentation For issues related to in-app product help messages, or to the Matomo knowledge base. and removed To Triage An issue awaiting triage by a Matomo core team member labels Nov 22, 2022
@bx80 bx80 added this to the For Prioritization milestone Nov 22, 2022
@hkotkanen
Author

Thanks for responding! I can try to contribute: here are the SELinux operations I needed to get Matomo running under Enforcing mode (CentOS 7.9). This is only for normal operation - automatic updates will not work (probably best to e.g. semanage permissive -a httpd_t before the update and -d after it).

# Quick and dirty to make the whole directory writable. Probably should be more specific!
semanage fcontext --add --type httpd_sys_rw_content_t "/var/www/html/matomo/tmp(/.*)?"
restorecon -vR /var/www/html/matomo/tmp

# SELinux booleans needed (-P writes them to the persistent policy so they survive a reboot)
setsebool -P httpd_can_network_connect_db on
setsebool -P httpd_can_sendmail on  # at least when using "local mail function" / postfix

Then the custom policy module contents in file mysqld-read-httpd_sys_rw_content_t.te:

module mysqld-read-httpd_sys_rw_content_t 1.0;

require {
        type mysqld_t;
        type httpd_sys_rw_content_t;
        class file { getattr read open };
}

# Read-only access, but to every file labelled httpd_sys_rw_content_t, not just the csv files
allow mysqld_t httpd_sys_rw_content_t:file { read open getattr };

Steps needed to compile and install the new policy (creates intermediate files):

# Might need to install prerequisites
#yum install libsemanage-static
# (on CentOS 7, checkmodule comes from the checkpolicy package and semodule_package from policycoreutils)

# Turn module into a binary .mod -file
checkmodule -M -m -o mysqld-read-httpd_sys_rw_content_t.mod mysqld-read-httpd_sys_rw_content_t.te

# Package it into an installable .pp file
semodule_package -o mysqld-read-httpd_sys_rw_content_t.pp -m mysqld-read-httpd_sys_rw_content_t.mod

# Install module
semodule -i mysqld-read-httpd_sys_rw_content_t.pp

I thought I had looked everywhere but wouldn't you know it, only after writing all this I came across this old issue where @pizzarabe already gave pretty much identical instructions! Well, maybe it'll now end up in an installation guide that's a bit easier to find.
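The module above can be derived mechanically from the AVC lines in the first post. As an added example (not code from the issue or from Matomo), here is a small Python parser that groups the denied permissions by source type, target type and object class and emits the equivalent .te module, which is roughly what audit2allow -M does for real; the sample audit lines are constructed from the ones quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC denials quoted in the first post.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1668771990.865:13125): avc:  denied  { getattr } for  pid=1356 comm="mysqld" path="/var/www/html/piwik/tmp/assets/matomo_option-fece7c3471c1a6b7ddc97122ede00e19.csv" dev="dm-1" ino=302023178 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668771990.865:13126): avc:  denied  { open } for  pid=1356 comm="mysqld" path="/var/www/html/piwik/tmp/assets/matomo_option-fece7c3471c1a6b7ddc97122ede00e19.csv" dev="dm-1" ino=302023178 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668771990.865:13126): avc:  denied  { read } for  pid=1356 comm="mysqld" name="matomo_option-fece7c3471c1a6b7ddc97122ede00e19.csv" dev="dm-1" ino=302023178 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<perm>[01]))?"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}, permissive) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scon").split(":")[2]   # user:role:type:level -> type
    ttype = m.group("tcon").split(":")[2]
    perms = set(m.group("perms").split())
    return stype, ttype, m.group("tclass"), perms, m.group("perm") == "1"

def build_te_module(name, audit_text):
    """Collapse all denials into one allow rule per (source, target, class) and emit a .te module."""
    rules, classes, types = defaultdict(set), defaultdict(set), set()
    permissive_seen = False
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if not parsed:
            continue
        stype, ttype, tclass, perms, permissive = parsed
        rules[(stype, ttype, tclass)] |= perms
        classes[tclass] |= perms
        types.update((stype, ttype))
        permissive_seen |= permissive
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    if permissive_seen:
        # permissive=1 means the access was logged but not blocked; in enforcing mode it would fail
        out.append("# generated from denials logged in permissive mode")
    for (s, t, c), p in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};")
    return "\n".join(out) + "\n"
```

Feeding the real log through it (ausearch -m AVC -c mysqld) would also surface denials for the other temporary files mentioned in the first post, so the rule set is complete before the module is compiled.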

@bx80
Contributor

bx80 commented Dec 5, 2022

Thanks for sharing @hkotkanen, that'll be really helpful when writing the guide 👍 It's also good to have confirmation that the required SELinux operations haven't changed much since the 2015 issue 🙂
