Omnis 10.1 headless on centos 8

Louis Kirouac lkirouac at gmail.com
Thu Apr 29 13:35:05 UTC 2021


Hi Josh and Bruno

Thanks for your advice.

Yesterday I realized that my problem was at another level, and that
homnis.service was NOT running if SELinux was in Enforcing mode,
but it was working in Disabled mode, including being able to open
osadmin.htm.

So in Permissive mode, I was able to discover and resolve the
issues SELinux objected to.

These are the changes I made:

[root@cilk3 ~]# journalctl -n 100

[root@cilk3 ~]# sealert -l 047ffe93-29ef-449b-98ce-0e510e3c7fb3

[root@cilk3 ~]# setsebool -P nis_enabled 1

[root@cilk3 ~]# semanage fcontext -d '/usr/local/omnisweb(/.*)?'
[root@cilk3 ~]# semanage fcontext -a -t httpd_sys_rw_content_t '/usr/local/omnisweb(/.*)?'
[root@cilk3 ~]# restorecon -vR /usr/local/omnisweb

[root@cilk3 ~]# setsebool -P httpd_can_network_connect 1

There could be others that I didn't note down.

Now the homnis.service is running, and I am able to open osadmin.htm in
Enforcing mode.

But I do still get this error - warning:

[root@cilk3 ~]# sealert -l 6f805a1c-450b-42c6-9ba8-d9c39067e38e
SELinux is preventing /usr/local/omnisweb/omnis-headless-app-server-10.1-29237/clientserver/server/remotedebug/node from using the execmem access on a process.

*****  Plugin allow_execmem (91.4 confidence) suggests *********************

If this issue occurred during normal system operation.
Then this alert could be a serious issue and your system could be compromised.
Do
contact your security administrator and report this issue

*****  Plugin catchall (9.59 confidence) suggests **************************

If you believe that node should be allowed execmem access on processes labeled init_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'node' --raw | audit2allow -M my-node
# semodule -X 300 -i my-node.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:init_t:s0
Target Objects                Unknown [ process ]
Source                        node
Source Path                   /usr/local/omnisweb/omnis-headless-app-server-10.1-29237/clientserver/server/remotedebug/node
Port                          <Unknown>
Host                          cilk3
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-67.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-67.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     cilk3
Platform                      Linux cilk3 4.18.0-301.1.el8.x86_64 #1 SMP Tue Apr 13 16:24:22 UTC 2021 x86_64 x86_64
Alert Count                   8
First Seen                    2021-04-27 06:16:34 EDT
Last Seen                     2021-04-29 09:15:37 EDT
Local ID                      6f805a1c-450b-42c6-9ba8-d9c39067e38e

Raw Audit Messages
type=AVC msg=audit(1619702137.931:102): avc:  denied  { execmem } for  pid=2040 comm="node" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=0


type=SYSCALL msg=audit(1619702137.931:102): arch=x86_64 syscall=mprotect success=no exit=EACCES a0=329fc1e04000 a1=7b000 a2=5 a3=9 items=0 ppid=2034 pid=2040 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=node exe=/usr/local/omnisweb/omnis-headless-app-server-10.1-29237/clientserver/server/remotedebug/node subj=system_u:system_r:init_t:s0 key=(null)

Hash: node,init_t,init_t,process,execmem

I don't use remotedebug, so for now I am setting it aside, and will
continue setting up my new VM on CentOS 8.



Louis Kirouac
514-248-2884


On Tue, 27 Apr 2021 at 08:49, Josh Luchies <josh.luchies at royalhomes.com>
wrote:

> Hey Louis,
>
> We had some issues with SELinux for our Django websites; this may help
> with the issue you are facing as well.
>
> So the one thing I had trouble with was SELinux not allowing access to
> the error and requests logs in the deployment directories
> (/var/www/<hostname>). To allow this, I used the command
> semanage fcontext -a -t httpd_log_t "/var/www/<hostname>(/.*)?"
> Then I did restorecon -Rv /var/www/<hostname>. That seemed to allow
> Apache to start properly and I could access the website (as my test)
> from the IP address.
>
> So hopefully this gets you on the right track for using SELinux.
> For us, it was a permissions issue with the directories where the logs
> (and code) were stored.
>
> --
> Josh Luchies
> IT Administrator
> Royal Homes Limited
> Phone: 519 357 2606 ext 245
>
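
Added example (not part of the original messages, and not Omnis or SELinux project code): a short Python script that joins the AVC and SYSCALL records from the alert above by audit event ID and decodes what was refused. It shows that the denied call was mprotect requesting PROT_READ|PROT_EXEC, and that the matching allow rule would apply to every process in the init_t domain rather than to node alone. The SYSCALL record is abridged to the fields used, and the function names are this example's own.

```python
import re

# Raw audit records from the alert above, mail line wraps rejoined.
# The SYSCALL record is abridged to the fields this example reads.
AVC = ('type=AVC msg=audit(1619702137.931:102): avc:  denied  { execmem } for '
       ' pid=2040 comm="node" scontext=system_u:system_r:init_t:s0 '
       'tcontext=system_u:system_r:init_t:s0 tclass=process permissive=0')
SYSCALL = ('type=SYSCALL msg=audit(1619702137.931:102): arch=x86_64 '
           'syscall=mprotect success=no exit=EACCES a0=329fc1e04000 a1=7b000 '
           'a2=5 a3=9 pid=2040 comm=node subj=system_u:system_r:init_t:s0')

# Linux mprotect(2) protection bits.
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}

def event_id(record):
    """Return the 'timestamp:serial' shared by all records of one audit event."""
    return re.search(r"msg=audit\(([\d.]+:\d+)\)", record).group(1)

def fields(record):
    """Parse key=value pairs; values may be double-quoted."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', record)
    return {key: value.strip('"') for key, value in pairs}

def explain(avc, syscall):
    """Summarise one denial: what was refused, to which domain, by which call."""
    if event_id(avc) != event_id(syscall):
        raise ValueError("records belong to different audit events")
    a, s = fields(avc), fields(syscall)
    perms = re.search(r"\{ ([^}]*) \}", avc).group(1).split()
    source = a["scontext"].split(":")[2]          # SELinux type = domain
    target = a["tcontext"].split(":")[2]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    result = {
        "perms": perms,
        "domain": source,
        # The allow rule this denial corresponds to; it covers every process
        # running in `source`, not only the binary named in comm=.
        "rule": f"allow {source} {'self' if source == target else target}:"
                f"{a['tclass']} {perm_text};",
    }
    if s.get("syscall") == "mprotect":            # a0..a3 are logged in hex
        flags = int(s["a2"], 16)
        result["length"] = int(s["a1"], 16)
        result["prot"] = [name for bit, name in PROT.items() if flags & bit]
    return result

if __name__ == "__main__":
    print(explain(AVC, SYSCALL))
```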

