I have problem with SElinux privilages with docker, in docker i run mailcow but now i have a blank screen and looks like it might be problem with privilages.
Because diagnostic says this:
SELinux is preventing /usr/local/bin/php
from read access on the file /web/inc/init_db.inc.php
.
Audit log:
type=AVC msg=audit(1676319004.771:1087): avc: denied { read } for pid=14555 comm="php-fpm" name="init_db.inc.php" dev="dm-0" ino=135058961 scontext=system_u:system_r:container_t:s0:c706,c972 tcontext=system_u:object_r:container_file_t:s0:c89,c575 tclass=file permissive=0
type=SYSCALL msg=audit(1676319004.771:1087): arch=c000003e syscall=2 success=no exit=-13 a0=7fffc4e15850 a1=8000 a2=0 a3=0 items=1 ppid=6637 pid=14555 auid=4294967295 uid=82 gid=82 euid=82 suid=82 fsuid=82 egid=82 sgid=82 fsgid=82 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/local/sbin/php-fpm" subj=system_u:system_r:container_t:s0:c706,c972 key=(null)
type=CWD msg=audit(1676319004.771:1087): cwd="/web"
type=PATH msg=audit(1676319004.771:1087): item=0 name="/web/inc/init_db.inc.php" inode=135058961 dev=fd:00 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_file_t:s0:c89,c575 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
how can i solved it?
This is what i tried:
ausearch -c 'php' --raw | audit2allow -M my-php semodule -X 300 -i my-php.pp
and results are:
compilation failed:
my-php.te:15:ERROR 'syntax error' at token 'mlsconstrain' on line 15:
# mlsconstrain file { ioctl read lock execute execute_no_trans } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain file { write setattr append unlink link rename } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
/usr/bin/checkmodule: error(s) encountered while parsing configuration
[root@rhel ~]# semodule -X 300 -i my-php.pp
libsemanage.map_compressed_file: Unable to open my-php.pp
(No such file or directory).
libsemanage.semanage_direct_install_file: Unable to read file my-php.pp
(No such file or directory).
semodule: Failed on my-php.pp!
2
Answers
Same issue inside RHEL 9.1 with SELinux enable. Also installed docker with mailcow but i tried these commands and didnt help to me.
did i do something wrong ? inside terminal login as root user:
but still encoutered problem:
SELinux is preventing /usr/local/bin/php from read access on the file /web/inc/init_db.inc.php.
Okay after 30min, the solution helped but i have also problem with admin blank page so to fix both i did this:
Inside of file at the bottom i add:
so it looks like this:
exit nano and save then:
Updates have a habit of breaking things in high-security environments such as those with SELinux enabled. The same exact problem happened with me with my Mailcow installation under Centos Stream 9 (RHEL upstream).
This is happening because SELinux is blocking a php script within one docker container to perform an operation in the MariaDB container, as far as I can tell. This operation happens only once after the update to a specific version. What I did to solve the SELinux constraint violation without permanently disabling SELinux is to set it as permissive only temporarily, performing the update, then setting it back to enforcing mode. Basically, as the root user (or sudo), I executed the following commands:
The update.sh script is in mailcow-dockerized directory, usually in /opt. (/opt/mailcow-dockerized/update.sh)
Note: I know this is not the ideal solution, and the ideal is to have the update script running while SELinux is still in enforcing mode, but this solution is secure enough for me and probably most installations out there.