Mattermost and fapolicyd


You are running Mattermost on a RHEL-based system and are seeing `operation not permitted` in the logs.



1. Stop `fapolicyd`

  sudo systemctl stop fapolicyd

2. Test whether the issue with Mattermost still occurs. If it is fixed, continue with the steps below.

3. Run the debug command

  sudo fapolicyd --debug

4. Look for any denies. They will look like the example below.

rule=15 dec=deny_audit perm=execute auid=-1 pid=19735
  exe=/opt/mattermost/bin/mattermost : path=/opt/mattermost/plugins/focalboard/server/dist/plugin-linux-amd64
  ftype=application/x-executable trust=0
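
To pull the Mattermost-related denies out of a long debug capture, a filter such as the following can help. It is an added example, not part of the original article; the function names `mm_denies` and `sample_log` are hypothetical, and it assumes the debug output was saved to a file in the key=value form shown above.

```shell
#!/bin/sh
# Added example: list fapolicyd deny decisions that involve Mattermost.
# Assumption: stdin is saved `fapolicyd --debug` output in the key=value form
# shown above; indented lines are treated as continuations of the record.

mm_denies() {
    # $1 = install prefix to match (default /opt/mattermost/)
    awk -v root="${1:-/opt/mattermost/}" '
        function emit(   n, i, f, rule, dec, exe, path) {
            n = split(rec, f, " ")
            for (i = 1; i <= n; i++) {
                if      (index(f[i], "rule=") == 1) rule = substr(f[i], 6)
                else if (index(f[i], "dec=")  == 1) dec  = substr(f[i], 5)
                else if (index(f[i], "exe=")  == 1) exe  = substr(f[i], 5)
                else if (index(f[i], "path=") == 1) path = substr(f[i], 6)
            }
            # Keep denies where the subject or the object is under the prefix.
            if (dec ~ /^deny/ && (index(exe, root) == 1 || index(path, root) == 1))
                print rule "\t" exe "\t" path
            rec = ""
        }
        /^[ \t]/ { rec = rec " " $0; next }    # wrapped continuation line
        { if (rec != "") emit(); rec = $0 }    # a new record starts
        END { if (rec != "") emit() }
    ' | sort -u
}

# Constructed sample: the first record is the deny shown above, the rest are
# made up to exercise the filter (an allow, an unrelated deny, a duplicate).
sample_log() {
    cat <<'EOF'
rule=15 dec=deny_audit perm=execute auid=-1 pid=19735
  exe=/opt/mattermost/bin/mattermost : path=/opt/mattermost/plugins/focalboard/server/dist/plugin-linux-amd64
  ftype=application/x-executable trust=0
rule=11 dec=allow perm=open auid=-1 pid=19735 exe=/opt/mattermost/bin/mattermost : path=/usr/lib64/libc.so.6 ftype=application/x-sharedlib trust=1
rule=15 dec=deny_audit perm=execute auid=1000 pid=20111 exe=/usr/bin/bash : path=/home/user/tool ftype=application/x-executable trust=0
rule=15 dec=deny_audit perm=execute auid=-1 pid=19740 exe=/opt/mattermost/bin/mattermost : path=/opt/mattermost/plugins/focalboard/server/dist/plugin-linux-amd64 ftype=application/x-executable trust=0
EOF
}

# Prints: rule number, subject executable, denied path (tab separated).
sample_log | mm_denies
```

With a real capture, run `mm_denies < saved-debug-output.log`; each output line names the denying rule number and the executable and path that need to be covered by the allow rules.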



Mattermost needs to be permitted within fapolicyd. Follow the steps below to do this.


1. Create a rule file. The naming convention for your rule file is **really** important here. It must come before the rule that's denying Mattermost. If you're using a stock fapolicyd, then 80 works fine. You can check the deny rule with the troubleshooting steps.

  sudo touch /etc/fapolicyd/rules.d/80-mattermost.rules

2. Add the permissions to the rule file.

  sudo vi /etc/fapolicyd/rules.d/80-mattermost.rules

Rule File:

  allow perm=execute exe=/usr/bin/sudo trust=1 : dir=/opt/mattermost/ all trust=0
  allow perm=execute exe=/opt/mattermost/bin/mattermost : dir=/opt/mattermost/ all trust=0
  allow perm=execute exe=/usr/lib/systemd/systemd trust=1 : dir=/opt/mattermost/ all trust=0

3. Check that the rules will be applied. This command should say `Rules have changed and should be updated`.

  sudo fagenrules --check

4. Update the rules

  sudo fagenrules --load

5. Now restart Mattermost.