SELinux AVC denials for x2t and ldd when creating ONLYOFFICE documents, Nextcloud, ONLYOFFICE, LAMP stack, Please Help

Nextcloud version (eg, 12.0.2): 18.0.3
Operating system and version (eg, Ubuntu 17.04): Red Hat 8, Fedora 30, Fedora 31
Apache or nginx version (eg, Apache 2.4.25): Server version: Apache/2.4.37 (Red Hat Enterprise Linux)
Server built: Sep 2 2019 14:31:45

PHP version (eg, 7.1): PHP 7.2.11 (cli) (built: Oct 9 2018 15:09:36) ( NTS )
Copyright © 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright © 1998-2018 Zend Technologies
with Zend OPcache v7.2.11, Copyright © 1999-2018, by Zend Technologies

The issue you are facing:

SELinux AVC denials for x2t and ldd when attempting to create ONLYOFFICE documents. This happens even after setting the SELinux contexts. Disabling SELinux or setting to permissive allows ONLYOFFICE to create and edit documents. SELinux log provided below. Red Hat suggested reaching out to Nextcloud for proper SELinux configuration.

Is this the first time you’ve seen this error? (Y/N): Yes

Steps to replicate it:

  1. Install Fedora 30/31, Red Hat 8, dnf update
  2. Install LAMP stack
  3. Install Nextcloud and ONLYOFFICE and set SELinux contexts

The output of your Nextcloud log in Admin > Logging:



The output of your config.php file in `/path/to/nextcloud` (make sure you remove any identifiable information!):


<?php
$CONFIG = array (
  'instanceid' => 
  'passwordsalt' => 
  'secret' => '
  'trusted_domains' => 
  array (
    0 => '127.0.0.1',
  ),
  'datadirectory' => '/var/www/html/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '18.0.3.0',
  'overwrite.cli.url' => 'http://127.0.0.1/nextcloud',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 
  'dbpassword' => 
  'installed' => true,
);

The output of your Apache/nginx/system log in /var/log/____:


cat error_log 
[Mon Apr 06 12:58:14.183829 2020] [core:notice] [pid 2552:tid 139842081564928] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Mon Apr 06 12:58:14.184663 2020] [suexec:notice] [pid 2552:tid 139842081564928] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Apr 06 12:58:24.215681 2020] [lbmethod_heartbeat:notice] [pid 2552:tid 139842081564928] AH02282: No slotmem from mod_heartmonitor
[Mon Apr 06 12:58:24.216355 2020] [http2:warn] [pid 2552:tid 139842081564928] AH02951: mod_ssl does not seem to be enabled
[Mon Apr 06 12:58:24.218795 2020] [mpm_event:notice] [pid 2552:tid 139842081564928] AH00489: Apache/2.4.37 (Red Hat Enterprise Linux) configured -- resuming normal operations
[Mon Apr 06 12:58:24.218833 2020] [core:notice] [pid 2552:tid 139842081564928] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Apr 06 12:58:57.561122 2020] [autoindex:error] [pid 2585:tid 139841324943104] [client ::1:55336] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive
[Mon Apr 06 13:22:31.453473 2020] [mpm_event:notice] [pid 2552:tid 139842081564928] AH00492: caught SIGWINCH, shutting down gracefully
[Mon Apr 06 13:22:42.547813 2020] [core:notice] [pid 5145:tid 140268265429248] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Mon Apr 06 13:22:42.548585 2020] [suexec:notice] [pid 5145:tid 140268265429248] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Apr 06 13:22:52.581862 2020] [lbmethod_heartbeat:notice] [pid 5145:tid 140268265429248] AH02282: No slotmem from mod_heartmonitor
[Mon Apr 06 13:22:52.583311 2020] [http2:warn] [pid 5145:tid 140268265429248] AH02951: mod_ssl does not seem to be enabled
[Mon Apr 06 13:22:52.589021 2020] [mpm_event:notice] [pid 5145:tid 140268265429248] AH00489: Apache/2.4.37 (Red Hat Enterprise Linux) configured -- resuming normal operations
[Mon Apr 06 13:22:52.589062 2020] [core:notice] [pid 5145:tid 140268265429248] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Apr 06 13:25:42.144393 2020] [mpm_event:notice] [pid 5145:tid 140268265429248] AH00492: caught SIGWINCH, shutting down gracefully
[Mon Apr 06 13:25:53.298883 2020] [core:notice] [pid 5661:tid 140001741211904] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Mon Apr 06 13:25:53.300408 2020] [suexec:notice] [pid 5661:tid 140001741211904] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Apr 06 13:26:03.344024 2020] [lbmethod_heartbeat:notice] [pid 5661:tid 140001741211904] AH02282: No slotmem from mod_heartmonitor
[Mon Apr 06 13:26:03.344544 2020] [http2:warn] [pid 5661:tid 140001741211904] AH02951: mod_ssl does not seem to be enabled
[Mon Apr 06 13:26:03.346424 2020] [mpm_event:notice] [pid 5661:tid 140001741211904] AH00489: Apache/2.4.37 (Red Hat Enterprise Linux) configured -- resuming normal operations
[Mon Apr 06 13:26:03.346454 2020] [core:notice] [pid 5661:tid 140001741211904] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Apr 06 14:28:08.461448 2020] [mpm_event:notice] [pid 5661:tid 140001741211904] AH00492: caught SIGWINCH, shutting down gracefully
[Mon Apr 06 14:28:47.317529 2020] [core:notice] [pid 1039:tid 139776668571904] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Mon Apr 06 14:28:47.334331 2020] [suexec:notice] [pid 1039:tid 139776668571904] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using rehl8lab00.lab.net. Set the 'ServerName' directive globally to suppress this message
[Mon Apr 06 14:28:47.636958 2020] [lbmethod_heartbeat:notice] [pid 1039:tid 139776668571904] AH02282: No slotmem from mod_heartmonitor
[Mon Apr 06 14:28:47.637534 2020] [http2:warn] [pid 1039:tid 139776668571904] AH02951: mod_ssl does not seem to be enabled
[Mon Apr 06 14:28:47.684515 2020] [mpm_event:notice] [pid 1039:tid 139776668571904] AH00489: Apache/2.4.37 (Red Hat Enterprise Linux) configured -- resuming normal operations
[Mon Apr 06 14:28:47.684571 2020] [core:notice] [pid 1039:tid 139776668571904] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Apr 06 15:14:46.619176 2020] [mpm_event:notice] [pid 1039:tid 139776668571904] AH00492: caught SIGWINCH, shutting down gracefully
[Mon Apr 06 15:14:57.801849 2020] [core:notice] [pid 10241:tid 140105645218048] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Mon Apr 06 15:14:57.802623 2020] [suexec:notice] [pid 10241:tid 140105645218048] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Apr 06 15:15:07.831528 2020] [lbmethod_heartbeat:notice] [pid 10241:tid 140105645218048] AH02282: No slotmem from mod_heartmonitor
[Mon Apr 06 15:15:07.833109 2020] [http2:warn] [pid 10241:tid 140105645218048] AH02951: mod_ssl does not seem to be enabled
[Mon Apr 06 15:15:07.835787 2020] [mpm_event:notice] [pid 10241:tid 140105645218048] AH00489: Apache/2.4.37 (Red Hat Enterprise Linux) configured -- resuming normal operations
[Mon Apr 06 15:15:07.835827 2020] [core:notice] [pid 10241:tid 140105645218048] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Apr 06 15:20:02.535082 2020] [mpm_event:notice] [pid 10241:tid 140105645218048] AH00492: caught SIGWINCH, shutting down gracefully
[Mon Apr 06 15:20:13.607161 2020] [core:notice] [pid 10828:tid 140660063467776] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Mon Apr 06 15:20:13.609695 2020] [suexec:notice] [pid 10828:tid 140660063467776] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Apr 06 15:20:23.646709 2020] [lbmethod_heartbeat:notice] [pid 10828:tid 140660063467776] AH02282: No slotmem from mod_heartmonitor
[Mon Apr 06 15:20:23.648334 2020] [http2:warn] [pid 10828:tid 140660063467776] AH02951: mod_ssl does not seem to be enabled
[Mon Apr 06 15:20:23.656362 2020] [mpm_event:notice] [pid 10828:tid 140660063467776] AH00489: Apache/2.4.37 (Red Hat Enterprise Linux) configured -- resuming normal operations
[Mon Apr 06 15:20:23.656391 2020] [core:notice] [pid 10828:tid 140660063467776] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Apr 06 16:52:50.079204 2020] [mpm_event:notice] [pid 10828:tid 140660063467776] AH00492: caught SIGWINCH, shutting down gracefully
[Tue Apr 07 11:11:07.894906 2020] [core:notice] [pid 1047:tid 140680728234240] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Tue Apr 07 11:11:07.907696 2020] [suexec:notice] [pid 1047:tid 140680728234240] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using rehl8lab00.lab.net. Set the 'ServerName' directive globally to suppress this message
[Tue Apr 07 11:11:08.110131 2020] [lbmethod_heartbeat:notice] [pid 1047:tid 140680728234240] AH02282: No slotmem from mod_heartmonitor
[Tue Apr 07 11:11:08.110836 2020] [http2:warn] [pid 1047:tid 140680728234240] AH02951: mod_ssl does not seem to be enabled
[Tue Apr 07 11:11:08.172009 2020] [mpm_event:notice] [pid 1047:tid 140680728234240] AH00489: Apache/2.4.37 (Red Hat Enterprise Linux) configured -- resuming normal operations
[Tue Apr 07 11:11:08.172035 2020] [core:notice] [pid 1047:tid 140680728234240] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Tue Apr 07 16:44:45.959100 2020] [mpm_event:notice] [pid 1047:tid 140680728234240] AH00492: caught SIGWINCH, shutting down gracefully
[Wed Apr 08 10:31:26.357942 2020] [core:notice] [pid 1059:tid 140070458136832] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Wed Apr 08 10:31:26.369908 2020] [suexec:notice] [pid 1059:tid 140070458136832] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using rehl8lab00.lab.net. Set the 'ServerName' directive globally to suppress this message
[Wed Apr 08 10:31:26.517517 2020] [lbmethod_heartbeat:notice] [pid 1059:tid 140070458136832] AH02282: No slotmem from mod_heartmonitor
[Wed Apr 08 10:31:26.518084 2020] [http2:warn] [pid 1059:tid 140070458136832] AH02951: mod_ssl does not seem to be enabled
[Wed Apr 08 10:31:26.540527 2020] [mpm_event:notice] [pid 1059:tid 140070458136832] AH00489: Apache/2.4.37 (Red Hat Enterprise Linux) configured -- resuming normal operations
[Wed Apr 08 10:31:26.574139 2020] [core:notice] [pid 1059:tid 140070458136832] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'



SELinux

Hi,

Apologies in advance for the length. But TL;DR: SELinux is preventing ONLYOFFICE from working on Nextcloud. Please help.

I have been trying to get Nextcloud to work for about a week now and went through the installation multiple times on Fedora 31 and Red Hat 8.  I tried everything on bare metal and in a VM.  I think I also tried it on Fedora 30 as well.

I think that I figured a lot of things out by following various guides but now I hit an SELinux roadblock with ONLYOFFICE. The issues are not DAC but SELinux related because everything works when SELinux is disabled or set to permissive mode. When SELinux is enabled, however, I am able to create but not edit ONLYOFFICE documents. Further, attempting to create an ONLYOFFICE document of any kind results in 2 AVC denials: x2t and ldd. These denials are the same across all installs.

It looks like x2t and ldd are executables that are being prevented from running.  

I went through some Red Hat documentation (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/chap-security-enhanced_linux-targeted_policy). It looks like there is a difference between contexts for files/directories and those for executables. The context may be changed by [code]semanage fcontext -m[/code] or [code]semanage fcontext -a -t[/code].

I have tried changing the context for x2t but that simply resulted in another PHP denial for php-fpm.

I also reached out to Red Hat as creating a policy module should be the last course of action. It is also an issue that I am not sure about the security implications of creating these modules. That said, Red Hat just says to either reach out to Nextcloud or to create the modules--I was hoping for a bit more to be honest. So it seems that I am stuck here.

Here are some of the AVC denials that I am seeing after I changed the SE context for x2t.  Has anyone experienced anything like this?


SELinux is preventing /var/www/html/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/x2t from execute access on the file /var/www/html/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/libkernel.so.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/var/www/html/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/libkernel.so default label should be httpd_sys_script_exec_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /var/www/html/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/libkernel.so

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that x2t should be allowed execute access on the libkernel.so file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'x2t' --raw | audit2allow -M my-x2t
# semodule -X 300 -i my-x2t.pp


Additional Information:
Source Context                system_u:system_r:httpd_sys_script_t:s0
Target Context                unconfined_u:object_r:httpd_sys_rw_content_t:s0
Target Objects                /var/www/html/nextcloud/apps/documentserver_commun
                              ity/3rdparty/onlyoffice/documentserver/server/File
                              Converter/bin/libkernel.so [ file ]
Source                        x2t
Source Path                   /var/www/html/nextcloud/apps/documentserver_commun
                              ity/3rdparty/onlyoffice/documentserver/server/File
                              Converter/bin/x2t
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rehl8lab00.lab.net
Platform                      Linux rehl8lab00.lab.net
                              4.18.0-147.5.1.el8_1.x86_64 #1 SMP Tue Jan 14
                              15:50:19 UTC 2020 x86_64 x86_64
Alert Count                   5
First Seen                    2020-04-06 15:29:38 EDT
Last Seen                     2020-04-06 16:08:53 EDT
Local ID                      a9c76458-a7ac-47da-8a92-4995fc2e0bcb

Raw Audit Messages
type=AVC msg=audit(1586203733.868:263): avc:  denied  { execute } for  pid=12931 comm="x2t" path="/var/www/html/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/libkernel.so" dev="sda4" ino=19407675 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1586203733.868:263): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=4202d8 a2=5 a3=802 items=0 ppid=10822 pid=12931 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=x2t exe=/var/www/html/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/x2t subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)ARCH=x86_64 SYSCALL=mmap AUID=unset UID=apache GID=apache EUID=apache SUID=apache FSUID=apache EGID=apache SGID=apache FSGID=apache

Hash: x2t,httpd_sys_script_t,httpd_sys_rw_content_t,file,execute

--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/bash from execute_no_trans access on the file /usr/lib64/ld-2.28.so.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bash should be allowed execute_no_trans access on the ld-2.28.so file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ldd' --raw | audit2allow -M my-ldd
# semodule -X 300 -i my-ldd.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:ld_so_t:s0
Target Objects                /usr/lib64/ld-2.28.so [ file ]
Source                        ldd
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           bash-4.4.19-10.el8.x86_64
Target RPM Packages           glibc-2.28-72.el8_1.1.x86_64
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rehl8lab00.lab.net
Platform                      Linux rehl8lab00.lab.net
                              4.18.0-147.5.1.el8_1.x86_64 #1 SMP Tue Jan 14
                              15:50:19 UTC 2020 x86_64 x86_64
Alert Count                   5
First Seen                    2020-04-06 15:29:38 EDT
Last Seen                     2020-04-06 16:08:53 EDT
Local ID                      a5fc31eb-5ed2-49d5-acdf-f4b308d436df

Raw Audit Messages
type=AVC msg=audit(1586203733.930:265): avc:  denied  { execute_no_trans } for  pid=12934 comm="ldd" path="/usr/lib64/ld-2.28.so" dev="sda4" ino=62404 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1586203733.930:265): arch=x86_64 syscall=execve success=no exit=EACCES a0=560d3ad19e00 a1=560d3ad19e60 a2=560d3ad23130 a3=560d3ad10010 items=0 ppid=12932 pid=12934 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=ldd exe=/usr/bin/bash subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID=unset UID=apache GID=apache EUID=apache SUID=apache FSUID=apache EGID=apache SGID=apache FSGID=apache

Hash: ldd,httpd_t,ld_so_t,file,execute_no_trans

--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/php-fpm from setattr access on the file x2t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that php-fpm should be allowed setattr access on the x2t file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
# semodule -X 300 -i my-phpfpm.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:httpd_sys_script_exec_t:s0
Target Objects                x2t [ file ]
Source                        php-fpm
Source Path                   /usr/sbin/php-fpm
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           php-
                              fpm-7.2.11-4.module+el8.1.0+4555+f5cb8e18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rehl8lab00.lab.net
Platform                      Linux rehl8lab00.lab.net
                              4.18.0-147.5.1.el8_1.x86_64 #1 SMP Tue Jan 14
                              15:50:19 UTC 2020 x86_64 x86_64
Alert Count                   4
First Seen                    2020-04-06 16:03:21 EDT
Last Seen                     2020-04-06 16:08:53 EDT
Local ID                      1d6face0-44c5-4184-8262-3509483bf43c

Raw Audit Messages
type=AVC msg=audit(1586203733.869:264): avc:  denied  { setattr } for  pid=10822 comm="php-fpm" name="x2t" dev="sda4" ino=19407676 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_script_exec_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1586203733.869:264): arch=x86_64 syscall=chmod success=no exit=EACCES a0=7f9fd0d58258 a1=1ed a2=7f9fe9052960 a3=7f9fe6c1c910 items=0 ppid=10819 pid=10822 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=chmod AUID=unset UID=apache GID=apache EUID=apache SUID=apache FSUID=apache EGID=apache SGID=apache FSGID=apache

Hash: php-fpm,httpd_t,httpd_sys_script_exec_t,file,setattr
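As an added example (not part of the original post, and not code from Nextcloud or ONLYOFFICE), a small Python triage script that parses the three raw type=AVC records quoted above, rebuilds the "Hash:" key that sealert prints, counts repeats the way the Alert Count field does, and sorts each denial into "relabel" or "review" before anyone reaches for audit2allow. The triage rules and their wording are my own heuristics, derived from the contexts shown in the post.

```python
import re
from collections import Counter

# Sample input: the three raw type=AVC records copied from the sealert output above.
AVC_LINES = [
    'type=AVC msg=audit(1586203733.868:263): avc:  denied  { execute } for  pid=12931 comm="x2t" '
    'path="/var/www/html/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/libkernel.so" '
    'dev="sda4" ino=19407675 scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1586203733.930:265): avc:  denied  { execute_no_trans } for  pid=12934 comm="ldd" '
    'path="/usr/lib64/ld-2.28.so" dev="sda4" ino=62404 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:ld_so_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1586203733.869:264): avc:  denied  { setattr } for  pid=10822 comm="php-fpm" '
    'name="x2t" dev="sda4" ino=19407676 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_sys_script_exec_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one raw AVC record into a dict; returns None for non-AVC lines (e.g. type=SYSCALL)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perm'] = m.group('perms').split()[0]   # first permission inside the braces
    # A context is user:role:type[:level]; policy rules are written against the type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def avc_hash(rec):
    """Rebuild the 'Hash:' key sealert prints: comm,source type,target type,class,permission."""
    return ','.join([rec['comm'], rec['stype'], rec['ttype'], rec['tclass'], rec['perm']])

def triage(rec):
    """Heuristic verdict (my own rules): fix the file label, or review before writing any allow rule."""
    perm, ttype = rec['perm'], rec['ttype']
    if perm in ('execute', 'execute_no_trans') and ttype.endswith('_content_t'):
        # Code (libkernel.so) carrying a web-content label: sealert's restorecon plugin gave the
        # default as httpd_sys_script_exec_t, so fixing the label is preferable to widening policy.
        return 'relabel: code carries a content label; compare matchpathcon, then restorecon'
    if perm == 'execute_no_trans' and ttype == 'ld_so_t':
        # ldd (a bash script) ran the dynamic loader directly from httpd_t; an allow rule here would
        # let the web server domain run the loader as a program, so review the app behaviour instead.
        return 'review: web server domain executing the dynamic loader directly'
    if perm == 'setattr' and ttype.endswith('_exec_t'):
        # php-fpm tried chmod on x2t; granting it lets httpd_t alter an executable it also runs.
        return 'review: web server domain changing attributes of an executable'
    return 'unknown: inspect the record manually'

def summarize(lines):
    """Group denials by sealert hash, like the Alert Count field: {hash: (count, verdict)}."""
    counts, recs = Counter(), {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = avc_hash(rec)
        counts[key] += 1
        recs[key] = rec
    return {key: (counts[key], triage(recs[key])) for key in counts}
```

Feed it `ausearch -m AVC --raw` output line by line to get the same grouping on a live host; only records that carry both scontext and tcontext are parsed.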

I have the very same issue.