Redis fails to write the dump in /var/lib/redis in SELinux enforcing mode

h.safe asked:

In my Sentinel master-slave mode, the Redis slave fails to write the dumps to /var/lib/redis/ with the error:

Failed opening the RDB file dump.rdb (in server root dir /var/lib/redis) for saving: Permission denied

while the permissions are indeed correct:

# ls -la /var/lib/redis/
total 68
drwxr-xr-x.  2 redis redis    22 Apr 20 11:39 .
drwxr-xr-x. 28 root  root   4096 Apr 17 12:15 ..
-rw-r--r--.  1 redis redis 62460 Apr 20 11:37 dump.rdb

I looked at the SELinux audit log and could find some denials, and only in permissive mode can I see that the redis process can write into the dir, like:

type=AVC msg=audit(1555741351.680:2719): avc:  denied  { getattr } for  pid=8638 comm="redis-server" path="/var/lib/redis/dump.rdb" dev="vdb1" ino=68 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

I tried various SELinux permission grants like this one and can confirm that semanage applied the rule:

# cat /var/log/audit/audit.log | grep redis | audit2allow -M redis-server
# semodule -i redis-server.pp

I searched here and there and could not get it done while enforcing SELinux on a CentOS Linux release 7.6.1810 build with redis-3.2.12-2.el7.x86_64.

My answer:


First, you should undo the changes you made with semodule; these were unnecessary and potentially destructive. You can use semodule -r redis-server (as that seems to be what you named the module) to remove it.

Second, the problem occurred because the file redis was trying to access did not have an SELinux label at all. Notice that its type was unlabeled_t. It’s hard to say why this happened, but the usual cause is that the file was created while SELinux was disabled. The solution is simple: relabel the file with its default context.

(DO NOT PROCEED unless you actually removed the SELinux module as described above.)

restorecon -v /var/lib/redis/dump.rdb

Since you may well have run this system with SELinux disabled, there are likely to be many other incorrectly labeled or unlabeled files. I would just recursively relabel everything in the filesystem to be safe and prevent future problems.

restorecon -rv /

View the full question and any other answers on Server Fault.
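The answer's key point is that a denial whose tcontext type is unlabeled_t is a labeling problem, not a missing policy rule, so the fix is restorecon rather than audit2allow. The following is an added example, not code from the Server Fault question or answer: a small triage script that reads audit.log-style AVC records, separates file and directory denials from other classes, and lists only the paths whose target type is unlabeled_t, so those can be relabeled before anyone considers writing a policy module. The audit records in SAMPLE_AUDIT are constructed for this example (the first is modelled on the denial quoted in the question; the temp-8638.rdb, tcp_socket and redis_var_lib_t lines are assumptions added to show records that should and should not be flagged).

```shell
#!/bin/sh
# Added example (not from the Server Fault post): triage AVC denials before
# reaching for audit2allow. A target type of unlabeled_t means the file was
# never labeled; the remedy is restorecon, not a new policy module.

# Print "path type" for every AVC denial whose target class is file or dir,
# reading audit.log-style records on stdin. Other classes (sockets, ports)
# are dropped because restorecon cannot fix them.
avc_targets() {
    awk '
        /avc: +denied/ {
            path = ""; ttype = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^path=/)     { path = substr($i, 6); gsub(/"/, "", path) }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            }
            if (path != "" && (tclass == "file" || tclass == "dir"))
                print path, ttype
        }'
}

# Keep only the targets whose type is unlabeled_t; these need relabeling.
unlabeled_paths() {
    avc_targets | awk '$2 == "unlabeled_t" { print $1 }' | sort -u
}

# Emit a dry-run restorecon command per unlabeled path (-n reports what
# would change without touching the label; drop -n to apply).
suggest_relabel() {
    unlabeled_paths | while read -r p; do
        printf 'restorecon -nv %s\n' "$p"
    done
}

# Constructed sample audit records for this example. Line 1 mirrors the
# denial in the question; the remaining lines are assumed for illustration.
SAMPLE_AUDIT='type=AVC msg=audit(1555741351.680:2719): avc:  denied  { getattr } for  pid=8638 comm="redis-server" path="/var/lib/redis/dump.rdb" dev="vdb1" ino=68 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1555741351.681:2720): avc:  denied  { write } for  pid=8638 comm="redis-server" path="/var/lib/redis/temp-8638.rdb" dev="vdb1" ino=69 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1555741400.000:2730): avc:  denied  { name_connect } for  pid=8638 comm="redis-server" dest=26379 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1555741450.000:2740): avc:  denied  { read } for  pid=8638 comm="redis-server" path="/var/lib/redis/other.rdb" dev="vdb1" ino=70 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_var_lib_t:s0 tclass=file permissive=0'

# Run against the sample: only the two unlabeled_t files are reported.
printf '%s\n' "$SAMPLE_AUDIT" | suggest_relabel
```

On a real host, replace the sample with `grep avc /var/log/audit/audit.log | suggest_relabel`. A file-class denial whose type is already a proper type (like the constructed redis_var_lib_t line) is not a labeling problem and would be the only kind of record worth feeding to audit2allow, and even then only after comparing the file's actual label with `matchpathcon` to rule out a wrong label.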

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.