Mattermost and fapolicyd

Summary

You have a Mattermost deployment that you're seeing operation not permitted in the logs and are running a RHEL based deployment.

 

Troubleshooting

1. Stop `fapolicyd`

sudo systemctl stop fapolicyd

2. Test your issue with Mattermost right now. Was it fixed? Then continue onward.

3. Run the debug command

sudo fapolicyd --debug

4. Look for any denies, they will look like the below.

rule=15 dec=deny_audit perm=execute auid=-1 pid=19735
  exe=/opt/mattermost/bin/mattermost : path=/opt/mattermost/plugins/focalboard/server/dist/plugin-linux-amd64
  ftype=application/x-executable trust=0

 

Fix

You need to have Mattermost permitted within fapolicyd, follow the steps below for this.

 

1. Create a rule file The naming convention for your rule is **really** important here. It must come before the rule that's denying Mattermost. If you're using a stock fapolicyd then 80 works fine. You can check the deny rule with the troubleshooting steps.

  sudo touch /etc/fapolicyd/rules.d/80-mattermost.rules
  

2. Add the permissions into to the rule file.

  sudo vi /etc/fapolicyd/rules.d/80-mattermost.rules
  

Rule File:

  allow perm=execute exe=/user/bin/sudo trust=1 : dir=/opt/mattermost/ all trust=0
  allow perm=execute exe=/opt/mattermost/bin/mattermost : dir=/opt/mattermost all trust=0
  allow perm=execute exe=/user/lib/systemd/systemd trust=1 : dir=/opt/mattermost/ all trust=0
  

3. Check the rules will be applied, This command should say `Ruels have changed and should be updated`

  sudo fagenrules --check
  

4. Update the rules

  sudo fagenrules --load
  

5. Now restart mattermost.

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Article is closed for comments.