2

In my Sentinel master-slave setup, the Redis slave fails to write the dumps to /var/lib/redis/ with the error:

Failed opening the RDB file dump.rdb (in server root dir /var/lib/redis) for saving: Permission denied

while the permissions are indeed correct:

# ls -la /var/lib/redis/
total 68
drwxr-xr-x.  2 redis redis    22 Apr 20 11:39 .
drwxr-xr-x. 28 root  root   4096 Apr 17 12:15 ..
-rw-r--r--.  1 redis redis 62460 Apr 20 11:37 dump.rdb

I looked at the SELinux audit log and could find some rejections; only in permissive mode can I see that the redis process can write into the dir, like:

type=AVC msg=audit(1555741351.680:2719): avc:  denied  { getattr } for  pid=8638 comm="redis-server" path="/var/lib/redis/dump.rdb" dev="vdb1" ino=68 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

I tried various SELinux permission grants like this one and can confirm that semanage applied the rule:

# cat /var/log/audit/audit.log | grep redis | audit2allow -M redis-server
# semodule -i redis-server.pp

I did search here and there and could not get it done while enforcing SELinux on a CentOS Linux release 7.6.1810 build with redis-3.2.12-2.el7.x86_64.

Michael Hampton
h.safe

1 Answer

4

First, you should undo the changes you made with semodule; these were unnecessary and potentially destructive. You can use semodule -r redis-server (as that seems to be what you named the module) to remove it.

Second, the problem occurred because the file redis was trying to access did not have an SELinux label at all. Notice that its type was unlabeled_t. It's hard to say why this happened, but the usual cause is that the file was created while SELinux was disabled. The solution is simple: relabel the file with its default context.

(DO NOT PROCEED unless you actually removed the SELinux module as described above.)

restorecon -v /var/lib/redis/dump.rdb

Since you may well have run this system with SELinux disabled, there are likely to be many other incorrectly labeled or unlabeled files. I would just recursively relabel everything in the filesystem just to be safe and prevent future problems.

restorecon -rv /
Michael Hampton

Comment: Michael, you did solve my issue and I appreciate that; frankly the case might be as you said, with SELinux being disabled at the installation... While in general I am an SELinux-compliant guy :) Again, thank you. – h.safe Apr 22 '19 at 06:46
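The answer's key observation is that the denial names a target of unlabeled_t, which is a labeling problem (restorecon) rather than a policy gap (the case audit2allow is meant for). The script below is an added example, not code from the question or the answer: a POSIX sh triage of raw audit lines that separates the two cases before anyone builds a policy module. The first sample line is the denial quoted in the question; the other three lines, including the unreserved_port_t port type and the SYSCALL record, are constructed for illustration.

```sh
#!/bin/sh
# Triage SELinux AVC denials before touching policy (added example, not from the
# original question or answer). A target context of unlabeled_t means the file
# has no label at all and restorecon is the fix; any other target type means the
# loaded policy itself denies the access and a rule/boolean/fcontext review is
# needed, which feeding everything to audit2allow will not tell you.

# Print the type (third field) of the tcontext= attribute of one audit line.
avc_tcontext_type() {
    printf '%s\n' "$1" | sed -n 's/.*tcontext=[^: ]*:[^: ]*:\([^: ]*\):.*/\1/p'
}

# Print the quoted path="..." value of one audit line, or nothing if absent.
avc_path() {
    printf '%s\n' "$1" | sed -n 's/.*path="\([^"]*\)".*/\1/p'
}

# Classify one audit line: relabel | policy | skip.
avc_triage() {
    case "$1" in
        *"avc: "*"denied"*) ;;          # an AVC denial: classify below
        *) echo skip; return 0 ;;       # SYSCALL, CWD, PATH records etc.: ignore
    esac
    if [ "$(avc_tcontext_type "$1")" = unlabeled_t ]; then
        echo relabel
    else
        echo policy
    fi
}

# Read audit lines on stdin and print one de-duplicated line per finding:
#   relabel <path>   -> run "restorecon -v <path>" (or restorecon -rv on the parent)
#   policy  <type>   -> the target carries a real label; review policy for this type
avc_report() {
    while IFS= read -r line; do
        case "$(avc_triage "$line")" in
            relabel) echo "relabel $(avc_path "$line")" ;;
            policy)  echo "policy  $(avc_tcontext_type "$line")" ;;
        esac
    done | sort -u
}

# Constructed sample log: line 1 is the denial quoted in the question; the write
# denial, the TCP port denial (its port type is illustrative only) and the
# SYSCALL record are made up for this example.
SAMPLE_AUDIT='type=AVC msg=audit(1555741351.680:2719): avc:  denied  { getattr } for  pid=8638 comm="redis-server" path="/var/lib/redis/dump.rdb" dev="vdb1" ino=68 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1555741352.100:2720): avc:  denied  { write } for  pid=8638 comm="redis-server" path="/var/lib/redis/dump.rdb" dev="vdb1" ino=68 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1555741399.000:2721): avc:  denied  { name_connect } for  pid=8638 comm="redis-server" dest=26379 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1555741351.680:2719): arch=c000003e syscall=4 success=yes exit=0'

# Stand-alone demo over the constructed sample; on a real host feed the live log:
#   avc_report < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | avc_report
```

The report for the sample prints one "relabel /var/lib/redis/dump.rdb" line, which is exactly the file the answer tells you to restorecon, and one "policy  unreserved_port_t" line for the constructed port denial, which is the kind of finding that does warrant looking at booleans or fcontext rules rather than relabeling. The point of running this before audit2allow is that a module generated from unlabeled_t denials would grant redis_t access to every unlabeled file on the box, which is why the answer says to remove it.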