+5Hi,
Does any one know how to handle or fix this, within a hardened linux/rhel mediaagent server with selinux?
audit.log:
type=AVC msg=audit(1662726564.338:34): avc: denied { append } for pid=2248 comm="Galaxy" name="Galaxy.env" dev="sdb3" ino=45978 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
Henk
Best answer by SparshGupta
Hi
I am a little puzzled here.
Here, the source and target contexts are “init_t” & “usr_t”.
It may not be related to “cvstorage_t” at all. Is /dev/sdb3 the physical device where commvault is installed? Or is this device being used as MA?
type=AVC msg=audit(1662726564.338:34): avc: denied { append } for pid=2248 comm="Galaxy" name="Galaxy.env" dev="sdb3" ino=45978 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
The commands you have run to mitigate it might help, however I cannot say it with certainty at the moment.
Keep monitoring for a few more days to see if more avc denials are being logged.
Thanks,
Sparsh
Hello
Thank you for reaching out to us on this.
Are you seeing any specific CV services listed in the audit logging, or just the generic “Galaxy” tag?
If you are seeing specific services listed, please follow the steps here:
https://documentation.commvault.com/2022e/expert/24206_troubleshooting_selinux_configuration.html
Regards,
Josh
+5Hi,
Seen this but this is regarding appending a file (not services) so with me limited knowledge on this subject this is somehow difficult to understand what is going on.
How do I get rid of this notification / alert in the monitoring. By allowing this file or is this a fall positive?
Everything seems to work by the way.
Henk.
Hello
Is this happening on a Linux MA you installed, or a Hyperscale/ScaleProtect node?
Regards,
Josh
+17What process is linked to pid 2248?
+10+5Hi
Yes it was /opt/commvault.
My concern is that Commvault made its windows integration very simpel and out of the box. With RHEL it becomes somehow complex if you don’t have the knowledge about this subject. Enabling with cvsecurity.py on mediaagent server gives you more then you expected.
Note : the sdb3 location and file are also involved not only the mountpath which is the boot / root disk. So it seems this disk and probably /opt/commvault files are also involved.
But there is more, selinux als involves system deny on snmp deamons etc… so you have to mitigate also services and other 3th party files.
The articles asume you have a great understanding of selinux which I have not so much. This makes it harder to adopt this as a solution to support. All reports and in Commvault regarding ransomware is windows based ma servers.
+10Hi
This issue doesn’t seem to be occuring because of Ransomware protection. Was this working in beginning, and started giving error recently?
type=AVC msg=audit(1662726564.338:34): avc: denied { append } for pid=2248 comm="Galaxy" name="Galaxy.env" dev="sdb3" ino=45978 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
My suspicion is that either SELinux labels might not be proper on the commvault installation path OR it might be a result of RedHat tightened security + a combination of manual settings enabled on client.
Please note that SELinux denies every action that it is not explicitly allowed by the SELinux policy.
Can you correct the SELinux labelling on Commvault directory by executing below commands?
# commvault stop
# semanage fcontext -a -t usr_t "/opt/commvault(/.*)?"
# /sbin/restorecon -vR /opt/commvault/*# commvault start
Once the above commands are executed and the denials are not noticed anymore, please follow BOL to enable ransomware protection (if that’s the end goal).
Thanks,
Sparsh
+5Hi Sparsh,
We added SELINUX after the installation of the mediaagent, no issues where found until they were discovered by a monitoring tool on the linux system (then we where alerted on these denied notifications)
Had some support on this and did the following.
With this (and also other services) denies are mitigated.
But if this is the correct way?
Havent tried your way of corrections yet.
# audit2allow -M mz-commvault-tweaks -a
# cat mz-commvault-tweaks.te
module commvault-tweaks 1.0;
require {
type snmpd_t;
type cvstorage_t;
type pcp_pmcd_t;
type setroubleshootd_t;
type sysstat_t;
class dir getattr;
class filesystem getattr;
}
#============= pcp_pmcd_t ==============
allow pcp_pmcd_t cvstorage_t:filesystem getattr;
#============= setroubleshootd_t ==============
allow setroubleshootd_t cvstorage_t:dir getattr;
#============= snmpd_t ==============
allow snmpd_t cvstorage_t:filesystem getattr;
#============= sysstat_t ==============
allow sysstat_t cvstorage_t:filesystem getattr;
# semodule -i commvault-tweaks.pp
Rotate audit log (to reset audit.log file)
# pkill -SIGUSR1 auditd
+10Hi
I am a little puzzled here.
Here, the source and target contexts are “init_t” & “usr_t”.
It may not be related to “cvstorage_t” at all. Is /dev/sdb3 the physical device where commvault is installed? Or is this device being used as MA?
type=AVC msg=audit(1662726564.338:34): avc: denied { append } for pid=2248 comm="Galaxy" name="Galaxy.env" dev="sdb3" ino=45978 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
The commands you have run to mitigate it might help, however I cannot say it with certainty at the moment.
Keep monitoring for a few more days to see if more avc denials are being logged.
Thanks,
Sparsh
+5/dev/sdb3 is indeed the physical (os) disk and the server is used as a mediaagent server. The mountpaths are direct attached LUNS over FC.
Monitoring the server and checking the audit logs, this alert did not occured anymore.
see also:
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
