@coltoneshaw
Last active January 6, 2023 21:25
fapolicyd with Mattermost

Summary

This guide shows how to set up fapolicyd to work with the Mattermost binary, and how to set up a system with fapolicyd enabled.

You can find the official RHEL guide here under chapter 15.4.

Repro Steps

  1. Install Mattermost on a RHEL 8 box
  2. Install fapolicyd with sudo yum install fapolicyd. Then start it with systemctl start fapolicyd
  3. Add a rules file for Mattermost
    • sudo touch /etc/fapolicyd/rules.d/80-mattermost.rules
    • sudo nano /etc/fapolicyd/rules.d/80-mattermost.rules
  4. Add some rules for Mattermost.
    allow perm=execute exe=/usr/bin/sudo trust=1 : dir=/opt/mattermost/ all trust=0
    allow perm=execute exe=/usr/lib/systemd/systemd trust=1 : dir=/opt/mattermost/ all trust=0
    
  5. Check that the rules were picked up, then load them
    sudo fagenrules --check
    /usr/sbin/fagenrules: Rules have changed and should be updated
    sudo fagenrules --load
    
  6. At this stage you should be able to start Mattermost like normal, but the plugins will fail.

Summary

You are trying to use Mattermost and have fapolicyd enabled and want them to play nicely.

Steps

  1. Create a rule file. The naming convention for your rule file is really important here: it must come before the rule that's denying Mattermost. If you're using a stock fapolicyd, then 80 works fine. You can check the deny rule with the troubleshooting steps.
    sudo touch /etc/fapolicyd/rules.d/80-mattermost.rules
    
  2. Add the permissions to the rule file.
    sudo vi /etc/fapolicyd/rules.d/80-mattermost.rules
    
    Rule file:
    allow perm=execute exe=/usr/bin/sudo trust=1 : dir=/opt/mattermost/ all trust=0
    allow perm=execute exe=/opt/mattermost/bin/mattermost : dir=/opt/mattermost all trust=0
    allow perm=execute exe=/usr/lib/systemd/systemd trust=1 : dir=/opt/mattermost/ all trust=0
    
  3. Check that the rules will be applied. This command should say "Rules have changed and should be updated".
    sudo fagenrules --check
    
  4. Update the rules.
    sudo fagenrules --load
    
  5. Now restart Mattermost.

Summary

If Mattermost or the plugin binaries cannot start, you can troubleshoot this with the below steps.

Additional troubleshooting steps can be found in the RHEL docs here.

Troubleshooting

  1. Stop fapolicyd
    sudo systemctl stop fapolicyd
    
  2. Test your issue with Mattermost right now. Was it fixed? Then continue onward.
  3. Run the debug command
    sudo fapolicyd --debug
    
  4. Look for any denies. You can store the above in a file, but it kept yelling at me so I didn't.
    rule=15 dec=deny_audit perm=execute auid=-1 pid=19735 exe=/opt/mattermost/bin/mattermost : path=/opt/mattermost/plugins/focalboard/server/dist/plugin-linux-amd64 ftype=application/x-executable trust=0
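
The deny line above carries the three fields needed to write a matching allow rule: the rule that fired, the executable that tried to run something, and the blocked path. As an added example (not part of the original gist), this shell helper condenses debug output into one line per unique deny; `summarize_denies` and `sample_debug_lines` are hypothetical names, and the sample lines are constructed, modelled on the deny line above.

```shell
#!/usr/bin/env bash
# Added example; summarize_denies and sample_debug_lines are hypothetical helpers.

# Constructed sample input, modelled on the deny line shown in step 4.
sample_debug_lines() {
  cat <<'EOF'
rule=3 dec=allow perm=open auid=-1 pid=19735 exe=/opt/mattermost/bin/mattermost : path=/opt/mattermost/config/config.json ftype=text/plain trust=0
rule=15 dec=deny_audit perm=execute auid=-1 pid=19735 exe=/opt/mattermost/bin/mattermost : path=/opt/mattermost/plugins/focalboard/server/dist/plugin-linux-amd64 ftype=application/x-executable trust=0
rule=15 dec=deny_audit perm=execute auid=-1 pid=19802 exe=/opt/mattermost/bin/mattermost : path=/opt/mattermost/plugins/focalboard/server/dist/plugin-linux-amd64 ftype=application/x-executable trust=0
rule=15 dec=deny_audit perm=execute auid=-1 pid=19811 exe=/opt/mattermost/bin/mattermost : path=/opt/mattermost/plugins/example-plugin/server/dist/plugin-linux-amd64 ftype=application/x-executable trust=0
EOF
}

# Read fapolicyd debug lines on stdin and print one line per unique
# (rule, exe, path) that was denied, in first-seen order, with a hit count.
# Assumes paths contain no whitespace, since fields are split on spaces.
summarize_denies() {
  awk '
    /dec=deny/ {
      rule = exe = path = ""
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue
        k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
        if (k == "rule") rule = v
        else if (k == "exe") exe = v
        else if (k == "path") path = v
      }
      key = rule "\t" exe "\t" path
      if (!(key in hits)) order[++n] = key
      hits[key]++
    }
    END {
      for (j = 1; j <= n; j++) {
        split(order[j], p, "\t")
        printf "rule=%s exe=%s path=%s hits=%d\n", p[1], p[2], p[3], hits[order[j]]
      }
    }
  '
}

# Demo on the constructed sample; on a live host, feed it the debug output instead.
sample_debug_lines | summarize_denies
```

The `rule=` value in each summary line is the deny rule mentioned in the Steps section, the one your rule file has to come before.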
    