xlxd and SELinux

TL;DR — If you’re not running an xlxd based reflector using SELinux you can skip this post.

I recently migrated the XLX reflector from Debian Stretch to Fedora FC30. Debian is the platform recommended by the software author, but xlxd runs fine under Fedora as well. However, since I’m running with SELinux enabled, there were a couple of issues to tackle.

SELinux tags filesystem elements with a security context and in some cases, xlxd fails to access certain files for which it does not have authorization. There are three files that will require some special attention.

xlxd.pid -- contains the running process number
xlxd.log -- the XML log file used by the dashboard
callinghome.php -- contains the hash value used for registration

In my system, the files are installed in the following directories:

/var/run/xlxd.pid
/var/log/xlxd.log
/var/lib/httpd/xlxd/callinghome.php

I had to create new rules to put the files in the correct security contexts.

semanage fcontext -a -t httpd_sys_content_t /var/log/xlxd.xml
semanage fcontext -a -t httpd_sys_content_t /var/run/xlxd.pid
semanage fcontext -a -t httpd_sys_rw_content_t \
/var/lib/httpd /xlxd/callinghome.php

One issue I discovered is that the contexts do not handle the creation of a new file. For that, I installed restorecond. This system daemon watches for specified files to be created and relabels the security context.

dnf install restorecon

Then, add the 3 fully pathed file names to /etc/selinux/targeted/contexts/files/file_contexts.local. Restart the restorecond service and you’re ready to start the xlxd, httpd, and php-fpm services.

A very useful command is ls -lZ. On an SELinux enabled system it will list the security context labels for each file.

ls -lZ
total 4
-rwxrwxrwx. 1 apache apache system_u:object_r:httpd_sys_rw_content_t:s0 66 May 16 14:12 callinghome.php

Another useful command is restorecon. RTFM.

73

Leave a Reply

Your email address will not be published. Required fields are marked *

Comments Protected by WP-SpamShield Anti-Spam