[SOLVED]SELINUX Denial at OTRS Install

vinc535
Znuny newbie
Posts: 13
Joined: 02 May 2013, 11:32
Znuny Version: 5.0.6
Real Name: Vincent
Company: N/A

[SOLVED]SELINUX Denial at OTRS Install

Post by vinc535 »

Just to share an experience here...

I installed OTRS 5.0.2 on a CentOS7 system with SELINUX enabled by following the installation steps of the manual:
systemctl stop mariadb.service
vi /etc/my.cnf
Change
max_allowed_packet = 20M
query_cache_size = 32M
innodb_log_file_size = 256M

rm -f /var/lib/mysql/ib_logfile0
rm -f /var/lib/mysql/ib_logfile1

systemctl start mariadb.service

cd /root/

yum install --nogpgcheck otrs-5.0.6-01.noarch.rpm
systemctl restart httpd.service
yum install --nogpgcheck otrs-5.0.6-01.noarch.rpm
systemctl restart httpd.service
(Yes, 2 times! Because the 1st time the OTRS folder was not created under /opt)

cd /opt/otrs/bin
./otrs.CheckModules.pl

(install needed modules... example: yum install "perl(YAML::XS)" - yum install mod_perl {for the Apache2::Reload})

su otrs
shell> /opt/otrs/bin/otrs.Daemon.pl start
shell> /opt/otrs/bin/Cron.sh start
exit
---------------------------------------------------
---------------------------------------------------
But then when starting my web browser to visit http://192.168.120.2/otrs/installer.pl, I came across an HTTP ERROR 500.
Looking at my log file (less +F /var/log/httpd/error_log), I could see that a folder was not writable:
*********************************************
[Thu Feb 04 18:54:28.078800 2016] [:error] [pid 8726] mkdir /opt/otrs/var/tmp/CacheFileStorable: Permission denied at /opt/otrs//Kernel/System/Cache/FileStorable.pm line 87.
ERROR: OTRS-CGI-10 Perl: 5.16.3 OS: linux Time: Thu Feb 4 18:55:12 2016
Message: Can't create directory '/opt/otrs/var/tmp/CacheFileStorable':
RemoteAddress: 192.168.120.23
RequestURI: /otrs/installer.pl
*********************************************
So I made it writable by doing this (this changes the security context of the folder and sub-folders, making it writable):
chcon -R -t httpd_cache_t /opt/otrs/var/tmp/

Then I tried the installer from a web browser at this address and it ran fine:
http://192.168.120.2/otrs/installer.pl

After the installation, I also had to do this for OTRS to really work correctly:

# setsebool -P httpd_can_network_connect=on
# cd /root/
# vi otrs.te
------in the otrs.te file, I pasted all this:-------
module otrs 1.0;

require {
type bin_t;
type fs_t;
type httpd_t;
type unconfined_t;
type user_tmpfs_t;
class dir { add_name create read remove_name write };
class file { create read setattr unlink write };
class filesystem { associate };
class shm { associate getattr read unix_read unix_write write };
}

allow httpd_t bin_t:dir add_name;
allow httpd_t bin_t:dir remove_name;
allow httpd_t bin_t:dir write;
allow httpd_t bin_t:file create;
allow httpd_t bin_t:file unlink;
allow httpd_t bin_t:file write;
allow httpd_t fs_t:filesystem associate;
allow httpd_t httpd_t:dir add_name;
allow httpd_t httpd_t:dir create;
allow httpd_t httpd_t:dir read;
allow httpd_t httpd_t:dir remove_name;
allow httpd_t httpd_t:dir write;
allow httpd_t httpd_t:file create;
allow httpd_t httpd_t:file setattr;
allow httpd_t httpd_t:file unlink;
allow httpd_t user_tmpfs_t:file read;
allow httpd_t user_tmpfs_t:file write;
allow httpd_t unconfined_t:shm associate;
allow httpd_t unconfined_t:shm getattr;
allow httpd_t unconfined_t:shm read;
allow httpd_t unconfined_t:shm unix_read;
allow httpd_t unconfined_t:shm unix_write;
allow httpd_t unconfined_t:shm write;
---------end of the paste----------

# checkmodule -M -m otrs.te -o otrs.mod
# semodule_package -o otrs.pp -m otrs.mod
# semodule -i otrs.pp

And from now on everything seems fine.

Reminder: My SELINUX is in Enforcing and I have firewalld activated.
Last edited by vinc535 on 06 Feb 2016, 10:07, edited 1 time in total.
jjurkus
Znuny newbie
Posts: 54
Joined: 29 Jan 2016, 15:36
Znuny Version: 6.0.17

Re: [SOLVED]SELINUX Denial at OTRS Install

Post by jjurkus »

Next time you might want to set selinux to permissive for a while, and make a policy afterwards.

# setenforce 0
# yum install setroubleshoot-server
# vi /etc/selinux/config
set: SELINUX=permissive

# cat /var/log/audit/audit.log | audit2allow -l -v -m local > otrs.te
# checkmodule -M -m -o otrs.mod otrs.te
# semodule_package -o otrs.pp -m otrs.mod
# semodule -v -i otrs.pp
Check your selinux status by executing sestatus. Do NOT disable selinux, only set it to permissive!

BTW, OTRS 5.0.6 is available, so you might want to install that while you're busy?
OTRS 6.0.x on CentOS 7 with a PostgreSQL database.
vinc535
Znuny newbie
Posts: 13
Joined: 02 May 2013, 11:32
Znuny Version: 5.0.6
Real Name: Vincent
Company: N/A

Re: [SOLVED]SELINUX Denial at OTRS Install

Post by vinc535 »

jjurkus, Thank you. I installed 5.0.6, yes.
What I did for SELINUX is this:

# setsebool -P httpd_can_network_connect=on
# cd /root/
# vi otrs.te
------in the otrs.te file, I pasted all this:-------
module otrs 1.0;

require {
type bin_t;
type fs_t;
type httpd_t;
type unconfined_t;
type user_tmpfs_t;
class dir { add_name create read remove_name write };
class file { create read setattr unlink write };
class filesystem { associate };
class shm { associate getattr read unix_read unix_write write };
}

allow httpd_t bin_t:dir add_name;
allow httpd_t bin_t:dir remove_name;
allow httpd_t bin_t:dir write;
allow httpd_t bin_t:file create;
allow httpd_t bin_t:file unlink;
allow httpd_t bin_t:file write;
allow httpd_t fs_t:filesystem associate;
allow httpd_t httpd_t:dir add_name;
allow httpd_t httpd_t:dir create;
allow httpd_t httpd_t:dir read;
allow httpd_t httpd_t:dir remove_name;
allow httpd_t httpd_t:dir write;
allow httpd_t httpd_t:file create;
allow httpd_t httpd_t:file setattr;
allow httpd_t httpd_t:file unlink;
allow httpd_t user_tmpfs_t:file read;
allow httpd_t user_tmpfs_t:file write;
allow httpd_t unconfined_t:shm associate;
allow httpd_t unconfined_t:shm getattr;
allow httpd_t unconfined_t:shm read;
allow httpd_t unconfined_t:shm unix_read;
allow httpd_t unconfined_t:shm unix_write;
allow httpd_t unconfined_t:shm write;
---------end of the paste----------

# checkmodule -M -m otrs.te -o otrs.mod
# semodule_package -o otrs.pp -m otrs.mod
# semodule -i otrs.pp

And from now on everything seems fine.
Did I do it right? Was there a better, simpler or more secure way?

My SELINUX is in Enforcing and I have firewalld activated.
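A review step for the generated module, added here as an example (not code from either poster or from OTRS): it flags the allow rules in a .te file that give httpd_t write-type permissions on types outside an assumed allow-list of web-server contexts, so an audit2allow module is inspected before semodule -i, and it shows the semanage fcontext form of the chcon above so the label survives a relabel. The allow-list, the WRITE_PERMS set, the script name review_otrs_te.sh and the embedded sample rules (a subset of the otrs.te posted in this thread) are assumptions.

```shell
#!/bin/sh
# Added example, not from this thread or from OTRS: review an audit2allow
# module before "semodule -i", and persist the cache-directory label.
# Constructed sample: a subset of the allow rules from the posted otrs.te.
OTRS_TE='allow httpd_t bin_t:dir add_name;
allow httpd_t bin_t:dir write;
allow httpd_t bin_t:file create;
allow httpd_t bin_t:file write;
allow httpd_t fs_t:filesystem associate;
allow httpd_t httpd_t:dir write;
allow httpd_t user_tmpfs_t:file read;
allow httpd_t user_tmpfs_t:file write;
allow httpd_t unconfined_t:shm read;
allow httpd_t unconfined_t:shm write;'
# Permissions that change state (read-only ones are not reported).
WRITE_PERMS='add_name|remove_name|write|create|unlink|setattr|unix_write'
# Assumed allow-list: types the web server is expected to write under.
SAFE_TARGETS='httpd_t|httpd_cache_t|httpd_tmp_t|httpd_sys_rw_content_t'

# Read .te text on stdin; print each allow rule that grants httpd_t a
# write-type permission on a target outside SAFE_TARGETS. Handles both
# "class perm;" and audit2allow's "class { perm perm };" forms.
flag_risky_rules() {
    awk -v write="$WRITE_PERMS" -v safe="$SAFE_TARGETS" '
    /^allow httpd_t / {
        split($3, tc, ":")                     # $3 is "target_type:class"
        if (tc[1] ~ "^(" safe ")$") next
        perms = $0
        sub(/^allow [^ ]+ [^ ]+ /, "", perms)  # keep only the permissions
        gsub(/[{};]/, " ", perms)
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (p[i] ~ "^(" write ")$") { print; break }
    }'
}

# Number of flagged rules in the .te text given as $1 (for scripting).
count_risky_rules() {
    printf '%s\n' "$1" | flag_risky_rules | wc -l | tr -d ' '
}

# Same label as the chcon in the thread, but stored in the policy so a
# relabel (restorecon or autorelabel) does not undo it. Not run by default.
persist_cache_context() {
    semanage fcontext -a -t httpd_cache_t '/opt/otrs/var/tmp(/.*)?'
    restorecon -Rv /opt/otrs/var/tmp
}
# Usage: sh review_otrs_te.sh [otrs.te]; without a file, the sample is reviewed.
if [ -n "${1:-}" ]; then flag_risky_rules < "$1"
else printf '%s\n' "$OTRS_TE" | flag_risky_rules; fi
```

Each flagged line is a rule to justify or drop before loading the module; a rule that lets httpd_t write bin_t or unconfined_t objects should not be accepted just because audit2allow emitted it.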