Chapter 5. Troubleshooting problems related to SELinux
If you plan to enable SELinux on systems where it has been previously disabled, or if you run a service in a non-standard configuration, you might need to troubleshoot situations that could be blocked by SELinux. Note that in most cases, SELinux denials are signs of misconfiguration.
5.1. Identifying SELinux denials
Identify problems related to SELinux by searching Audit logs for Access Vector Cache (AVC) denial messages. Checking the AVC logs helps quickly determine if SELinux is blocking your intended operation.
When your scenario is blocked by SELinux, the /var/log/audit/audit.log file is the first place to check for more information about a denial. To query Audit logs, use the ausearch tool.
Follow only the necessary steps from this procedure; in most cases, you need to perform just step 1.
Procedure
1. Because the SELinux decisions, such as allowing or disallowing access, are cached and this cache is known as AVC, use the AVC and USER_AVC values for the message type parameter, for example:

       # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent

   If there are no matches, check if the Audit daemon is running. If it is not, repeat the denied scenario after you start auditd and check the Audit log again.

2. In case auditd is running, but there are no matches in the output of ausearch, check messages provided by the systemd Journal:

       # journalctl -t setroubleshoot

3. If SELinux is active and the Audit daemon is not running on your system, then search for certain SELinux messages in the output of the dmesg command:

       # dmesg | grep -i -e type=1300 -e type=1400

4. Even after the previous three checks, it is still possible that you have not found anything. In this case, AVC denials can be silenced because of dontaudit rules. To temporarily disable dontaudit rules, allowing all denials to be logged:

       # semodule -DB

   After re-running your denied scenario and finding denial messages by using the previous steps, the following command enables dontaudit rules in the policy again:

       # semodule -B

5. If you apply all four previous steps, and the problem still remains unidentified, consider if SELinux really blocks your scenario:

   - Switch to permissive mode:

         # setenforce 0
         $ getenforce
         Permissive

   - Repeat your scenario.

   If the problem persists, something other than SELinux is blocking your scenario.
5.2. Analyzing SELinux denial messages
Analyze SELinux denial messages to understand the root cause before applying a fix. After identifying that SELinux is blocking your scenario, this crucial step helps confirm that the issue is truly policy-related and not a different misconfiguration.
Prerequisites
- The policycoreutils-python-utils and setroubleshoot-server packages are installed on your system.
Procedure
1. List more details about a logged denial using the sealert command, for example:

       $ sealert -l "*"
       SELinux is preventing /usr/bin/passwd from write access on the file /root/test.

       ***** Plugin leaks (86.2 confidence) suggests *****************************

       If you want to ignore passwd trying to write access the test file, because you believe it should not need this access.
       Then you should report this as a bug.
       You can generate a local policy module to dontaudit this access.
       Do
       # ausearch -x /usr/bin/passwd --raw | audit2allow -D -M my-passwd
       # semodule -X 300 -i my-passwd.pp

       ***** Plugin catchall (14.7 confidence) suggests **************************

       …

       Raw Audit Messages
       type=AVC msg=audit(1553609555.619:127): avc: denied { write } for pid=4097 comm="passwd" path="/root/test" dev="dm-0" ino=17142697 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0

       …

       Hash: passwd,passwd_t,admin_home_t,file,write

2. If the output obtained in the previous step does not contain clear suggestions:

   a. Enable full-path auditing to see full paths to accessed objects and to make additional Linux Audit event fields visible:

          # auditctl -w /etc/shadow -p w -k shadow-write

   b. Clear the setroubleshoot cache:

          # rm -f /var/lib/setroubleshoot/setroubleshoot.xml

   c. Reproduce the problem.

   d. Repeat step 1.

   After you finish the process, disable full-path auditing:

       # auditctl -W /etc/shadow -p w -k shadow-write

3. If sealert returns only catchall suggestions or suggests adding a new rule by using the audit2allow command, match your problem with examples listed and explained in SELinux denials in the Audit log.
5.3. Fixes of analyzed SELinux denials
Fix SELinux policy problems, prioritizing labeling issues and configuration adjustments suggested by the sealert command. Avoid immediately generating local policy modules unless other troubleshooting steps fail.
In most cases, suggestions provided by sealert provide the correct guidance about how to fix problems related to the SELinux policy. See Analyzing SELinux denial messages for information on how to use sealert to analyze SELinux denials.
Be careful when the tool suggests using the audit2allow command for configuration changes. You should not use audit2allow to generate a local policy module as your first option when you see an SELinux denial. Troubleshooting should start with checking whether the problem is in the labeling. The second most common case is that you changed a process configuration, and you forgot to tell SELinux about it.
- Labeling problems
A common cause of labeling problems is when a non-standard directory is used for a service. For example, instead of using /var/www/html/ for a website, an administrator might want to use /srv/myweb/. On Red Hat Enterprise Linux, the /srv directory is labeled with the var_t type. Files and directories created in /srv inherit this type. Also, newly-created objects in top-level directories, such as /myserver, can be labeled with the default_t type. SELinux prevents the Apache HTTP Server (httpd) from accessing both of these types. To allow access, SELinux must know that the files in /srv/myweb/ are to be accessible by httpd:

    # semanage fcontext -a -t httpd_sys_content_t "/srv/myweb(/.*)?"

This semanage command adds the context for the /srv/myweb/ directory and all files and directories under it to the SELinux file-context configuration. The semanage utility does not change the context. As root, use the restorecon utility to apply the changes:

    # restorecon -R -v /srv/myweb

- Incorrect context
The matchpathcon command checks the context of a file path and compares it to the default label for that path. The following example demonstrates the use of matchpathcon on a directory that contains incorrectly labeled files:

    $ matchpathcon -V /var/www/html/*
    /var/www/html/index.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
    /var/www/html/page1.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0

In this example, the index.html and page1.html files are labeled with the user_home_t type. This type is used for files in user home directories. Using the mv command to move files from your home directory might result in files being labeled with the user_home_t type. This type should not exist outside of home directories. Use the restorecon utility to restore such files to their correct type:

    # restorecon -v /var/www/html/index.html
    restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->system_u:object_r:httpd_sys_content_t:s0

To restore the context for all files under a directory, use the -R option:

    # restorecon -R -v /var/www/html/
    restorecon reset /var/www/html/page1.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0
    restorecon reset /var/www/html/index.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0

- Confined applications configured in non-standard ways
You can run services in various ways. To account for that, you must specify how you run your services. You can achieve this through SELinux booleans that enable changing parts of the SELinux policy at runtime. This enables changes, such as allowing services access to NFS volumes, without reloading or recompiling SELinux policy. Also, running services on non-default port numbers requires policy configuration to be updated using the semanage command.

For example, to allow the Apache HTTP Server to communicate with MariaDB, enable the httpd_can_network_connect_db boolean:

    # setsebool -P httpd_can_network_connect_db on

Note that the -P option makes the setting persistent across system restarts.

If SELinux denies access for a particular service, use the getsebool and grep utilities to see if any booleans are available to allow access. For example, use the getsebool -a | grep ftp command to search for FTP related booleans:

    $ getsebool -a | grep ftp
    ftpd_anon_write --> off
    ftpd_full_access --> off
    ftpd_use_cifs --> off
    ftpd_use_nfs --> off
    ftpd_connect_db --> off
    httpd_enable_ftp_server --> off
    tftp_anon_write --> off

To get a list of booleans and to discover if they are enabled or disabled, use the getsebool -a command. To get a list of booleans, including their meaning and states, install the selinux-policy-devel package and use the semanage boolean -l command as root.

- Port numbers
Depending on policy configuration, services can only be allowed to run on certain port numbers. Attempting to change the port a service runs on without changing policy might result in the service failing to start. For example, run the semanage port -l | grep http command as root to list http related ports:

    # semanage port -l | grep http
    http_cache_port_t              tcp      3128, 8080, 8118
    http_cache_port_t              udp      3130
    http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
    pegasus_http_port_t            tcp      5988
    pegasus_https_port_t           tcp      5989

The http_port_t port type defines the ports Apache HTTP Server can listen on, which in this case, are TCP ports 80, 443, 488, 8008, 8009, and 8443. If an administrator configures httpd.conf so that httpd listens on port 9876 (Listen 9876), but policy is not updated to reflect this, the following command fails:

    # systemctl start httpd.service
    Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.

    # systemctl status httpd.service
    httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
       Active: failed (Result: exit-code) since Thu 2013-08-15 09:57:05 CEST; 59s ago
      Process: 16874 ExecStop=/usr/sbin/httpd $OPTIONS -k graceful-stop (code=exited, status=0/SUCCESS)
      Process: 16870 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)

An SELinux denial message similar to the following is logged to /var/log/audit/audit.log:

    type=AVC msg=audit(1225948455.061:294): avc: denied { name_bind } for pid=4997 comm="httpd" src=9876 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

To allow httpd to listen on a port that is not listed for the http_port_t port type, use the semanage port command to assign a different label to the port:

    # semanage port -a -t http_port_t -p tcp 9876

The -a option adds a new record; the -t option defines a type; and the -p option defines a protocol. The last argument is the port number to add.

- Corner cases, evolving or broken applications, and compromised systems
Applications can contain bugs that cause SELinux to deny access. Also, SELinux rules must evolve. The SELinux policy might lack a rule for an application running in a specific way, potentially causing it to deny access even though the application is working as expected. For example, if a new version of PostgreSQL is released, it might perform actions the current policy does not account for, resulting in denied access even though it should be allowed.
For these situations, after access is denied, use the audit2allow utility to create a custom policy module to allow access. You can report missing rules in the SELinux policy by filing a support case on the Red Hat Customer Portal. Mention the selinux-policy component and include the output of the audit2allow -w -a and audit2allow -a commands in the case.

If an application asks for major security privileges, it could be a signal that the application is compromised. Use intrusion detection tools to inspect such suspicious behavior.

The Solution Engine on the Red Hat Customer Portal can also provide guidance in the form of an article containing a possible solution for the same or very similar problem you have. Select the relevant product and version and use SELinux-related keywords, such as selinux or avc, together with the name of your blocked service or application, for example: selinux samba.
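The Port numbers case above can be checked before httpd is restarted: compare every Listen directive with the port types semanage reports and print the semanage command for any port the policy does not yet cover. This is an added example, not part of the Red Hat documentation; the semanage output and httpd.conf fragment below are constructed (the semanage lines are the ones quoted in this section plus a header line and an ephemeral_port_t range to show those forms of the output).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the `semanage port -l | grep http` output quoted in this section,
# with a header line and one range entry added to show those forms of the output.
SEMANAGE_PORT_OUTPUT = """\
SELinux Port Type              Proto    Port Number
ephemeral_port_t               tcp      32768-60999
http_cache_port_t              tcp      3128, 8080, 8118
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989
"""

# Constructed httpd.conf fragment: the Listen 9876 case from this section plus two others.
HTTPD_CONF = """\
Listen 80
Listen 0.0.0.0:8080
Listen 9876
"""

PortTable = Dict[Tuple[str, str], List[Tuple[int, int]]]
LISTEN_RE = re.compile(r'^\s*Listen\s+(?:\S*:)?(\d+)', re.IGNORECASE | re.MULTILINE)


def parse_semanage_ports(text: str) -> PortTable:
    """Parse `semanage port -l` output into {(port type, proto): [(low, high), ...]}."""
    table: PortTable = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].endswith('_t'):
            continue  # header line or blank line
        ptype, proto, numbers = parts
        for item in numbers.split(','):
            low, _, high = item.strip().partition('-')  # "8080" or "32768-60999"
            table.setdefault((ptype, proto), []).append((int(low), int(high or low)))
    return table


def listen_ports(httpd_conf: str) -> List[int]:
    """Ports from Listen directives, with or without an address prefix (e.g. [::]:443)."""
    return sorted({int(p) for p in LISTEN_RE.findall(httpd_conf)})


def port_types(table: PortTable, proto: str, port: int) -> List[str]:
    """All port types whose definition (single port or range) covers the port."""
    return sorted(ptype for (ptype, p), ranges in table.items()
                  if p == proto and any(low <= port <= high for low, high in ranges))


def exact_definitions(table: PortTable, proto: str, port: int) -> List[str]:
    """Port types that list this exact port, as opposed to a range containing it."""
    return sorted(ptype for (ptype, p), ranges in table.items()
                  if p == proto and (port, port) in ranges)


def check_listen_ports(httpd_conf: str, semanage_output: str,
                       required: str = 'http_port_t', proto: str = 'tcp') -> Dict[int, str]:
    """For each Listen port, report 'ok' or the semanage command that labels it."""
    table = parse_semanage_ports(semanage_output)
    report: Dict[int, str] = {}
    for port in listen_ports(httpd_conf):
        owners = port_types(table, proto, port)
        if required in owners:
            report[port] = 'ok'
        elif exact_definitions(table, proto, port):
            # semanage refuses -a for a port another type already defines explicitly; -m changes it
            report[port] = f'semanage port -m -t {required} -p {proto} {port}'
        else:
            report[port] = f'semanage port -a -t {required} -p {proto} {port}'
    return report


if __name__ == '__main__':
    for port, action in check_listen_ports(HTTPD_CONF, SEMANAGE_PORT_OUTPUT).items():
        print(f'{port}: {action}')
```

On a live system, pass the real output of semanage port -l and the contents of httpd.conf to check_listen_ports instead of the constructed samples.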
5.4. Creating a local SELinux policy module
Create and add specific local SELinux policy modules to fix problems related to known issues or implement specific Red Hat solutions. Use extreme caution and only apply rules provided directly by Red Hat.
Adding specific SELinux policy modules to an active SELinux policy can fix certain problems with the SELinux policy. You can use this procedure to fix a specific Known Issue described in Red Hat release notes or to implement a particular Red Hat Solution.
Use only rules provided by Red Hat. Red Hat does not support creating SELinux policy modules with custom rules because this falls outside of the Production Support Scope of Coverage. If you are not an expert, contact your Red Hat sales representative and request consulting services.
Prerequisites
- The setools-console and audit packages are installed for verification.
Procedure
1. Open a new .cil file with a text editor, for example:

       # vi <local_module>.cil

   To keep your local modules better organized, use the local_ prefix in the names of local SELinux policy modules.

2. Insert the custom rules from a Known Issue or a Red Hat Solution.

   Important: Do not write your own rules. Use only the rules provided in a specific Known Issue or Red Hat Solution.

   For example, to resolve SELinux denies cups-lpd read access to cups.sock in RHEL, insert the following rule:

       (allow cupsd_lpd_t cupsd_var_run_t (sock_file (read)))

   The example solution is fixed permanently for RHEL in RHBA-2021:4420. Therefore, the parts of this procedure specific to this solution do not affect updated RHEL 8 and 9 systems, and are included only as examples of syntax.

   You can use either of the two SELinux rule syntaxes, Common Intermediate Language (CIL) and m4. For example, (allow cupsd_lpd_t cupsd_var_run_t (sock_file (read))) in CIL is equivalent to the following in m4:

       module local_cupslpd-read-cupssock 1.0;

       require {
           type cupsd_var_run_t;
           type cupsd_lpd_t;
           class sock_file read;
       }

       #============= cupsd_lpd_t ==============
       allow cupsd_lpd_t cupsd_var_run_t:sock_file read;

3. Save and close the file.

4. Install the policy module:

       # semodule -i <local_module>.cil

   If you want to remove a local policy module you created by using semodule -i, refer to the module name without the .cil suffix. To remove a local policy module, use semodule -r <local_module>.

5. Restart any services related to the rules:

       # systemctl restart <service_name>
Verification
1. List the local modules installed in your SELinux policy:

       # semodule -lfull | grep "local_"
       400 local_module    cil

   Because local modules have priority 400, you can filter them from the list also by using that value, for example, by using the semodule -lfull | grep -v ^100 command.

2. Search the SELinux policy for the relevant allow rules:

       # sesearch -A --source=<SOURCENAME> --target=<TARGETNAME> --class=<CLASSNAME> --perm=<P1>,<P2>

   Where <SOURCENAME> is the source SELinux type, <TARGETNAME> is the target SELinux type, <CLASSNAME> is the security class or object class name, and <P1> and <P2> are the specific permissions of the rule.

   For example, to resolve SELinux denies cups-lpd read access to cups.sock in RHEL:

       # sesearch -A --source=cupsd_lpd_t --target=cupsd_var_run_t --class=sock_file --perm=read
       allow cupsd_lpd_t cupsd_var_run_t:sock_file { append getattr open read write };

   The last line should now include the read operation.

3. Verify that the relevant service runs confined by SELinux:

   a. Identify the process related to the relevant service:

          $ systemctl status <service_name>

   b. Check the SELinux context of the process listed in the output of the previous command:

          $ ps -efZ | grep <process_name>

4. Verify that the service does not cause any SELinux denials:

       # ausearch -m AVC -i -ts recent
       <no matches>

   The -i option interprets the numeric values into human-readable text.
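The CIL and m4 forms shown in the procedure above are two spellings of the same allow rule. The following added example (not part of the Red Hat documentation) parses a single CIL allow rule supplied by a Known Issue or Solution and renders the m4 (.te) module in the layout the procedure shows, so the two can be compared line by line; it also accepts rules with several permissions, which the page's example does not show. The module name is a parameter; the rule string is the one from this section.

```python
import re
from typing import List, Tuple

# Constructed input: the CIL rule from this section, which the page shows beside its m4 form.
CIL_RULE = '(allow cupsd_lpd_t cupsd_var_run_t (sock_file (read)))'


def _tokenize(text: str) -> List[str]:
    """Split CIL text into parentheses and bare symbols."""
    return re.findall(r'\(|\)|[^\s()]+', text)


def _parse(tokens: List[str], pos: int = 0):
    """Parse one S-expression into nested lists; returns (tree, position after it)."""
    if pos >= len(tokens):
        raise ValueError('unbalanced parentheses in CIL rule')
    if tokens[pos] != '(':
        return tokens[pos], pos + 1
    pos += 1
    items = []
    while pos < len(tokens) and tokens[pos] != ')':
        node, pos = _parse(tokens, pos)
        items.append(node)
    if pos >= len(tokens):
        raise ValueError('unbalanced parentheses in CIL rule')
    return items, pos + 1


def parse_cil_allow(rule: str) -> Tuple[str, str, str, List[str]]:
    """Return (source type, target type, object class, permissions) of one CIL allow rule."""
    tree, _ = _parse(_tokenize(rule))
    if not (isinstance(tree, list) and len(tree) == 4 and tree[0] == 'allow'):
        raise ValueError(f'not a single CIL allow rule: {rule}')
    _, source, target, class_perms = tree
    obj_class, perms = class_perms          # e.g. ['sock_file', ['read']]
    return source, target, obj_class, [perms] if isinstance(perms, str) else list(perms)


def _perm_set(perms: List[str]) -> str:
    """m4 writes one permission bare and several inside braces."""
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def cil_allow_to_te(rule: str, module_name: str, version: str = '1.0') -> str:
    """Render the m4 (.te) module equivalent to a CIL allow rule, in the layout this section shows."""
    source, target, obj_class, perms = parse_cil_allow(rule)
    # The require block lists the target type before the source, as in the page's example;
    # 'self' is a keyword in m4 rather than a type, so it is never declared there.
    types = [t for t in dict.fromkeys([target, source]) if t != 'self']
    lines = [f'module {module_name} {version};', '', 'require {']
    lines += [f'\ttype {t};' for t in types]
    lines += [f'\tclass {obj_class} {_perm_set(perms)};', '}', '',
              f'#============= {source} ==============',
              f'allow {source} {target}:{obj_class} {_perm_set(perms)};']
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print(cil_allow_to_te(CIL_RULE, 'local_cupslpd-read-cupssock'), end='')
```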
5.5. SELinux denials in the Audit log
Interpret SELinux denial messages recorded by the Linux Audit system in the /var/log/audit/audit.log file. Understanding fields such as source context and target context is essential for resolving policy errors.
The Linux Audit system stores log entries in the /var/log/audit/audit.log file by default. To list only SELinux-related records, use the ausearch command with the message type parameter set to AVC and USER_AVC at a minimum, for example:
    # ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR
An SELinux denial entry in the Audit log file can look as follows:
    type=AVC msg=audit(1395177286.929:1638): avc: denied { read } for pid=6591 comm="httpd" name="webpages" dev="0:37" ino=2112 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
The most important parts of this entry are:
- avc: denied - the action performed by SELinux and recorded in Access Vector Cache (AVC)
- { read } - the denied action
- pid=6591 - the process identifier of the subject that tried to perform the denied action
- comm="httpd" - the name of the command that was used to call the analyzed process
- httpd_t - the SELinux type of the process
- nfs_t - the SELinux type of the object affected by the process action
- tclass=dir - the target object class
The previous log entry can be translated to:
SELinux denied the httpd process with PID 6591 and the httpd_t type to read from a directory with the nfs_t type.
The following SELinux denial message occurs when the Apache HTTP Server attempts to access a directory labeled with a type for the Samba suite:
    type=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
- { getattr } - the getattr entry indicates the source process was trying to read the target file's status information. This occurs before reading files. SELinux denies this action because the process accesses the file and it does not have an appropriate label. Commonly seen permissions include getattr, read, and write.
- path="/var/www/html/file1" - the path to the object (target) the process attempted to access.
- scontext="unconfined_u:system_r:httpd_t:s0" - the SELinux context of the process (source) that attempted the denied action. In this case, it is the SELinux context of the Apache HTTP Server, which is running with the httpd_t type.
- tcontext="unconfined_u:object_r:samba_share_t:s0" - the SELinux context of the object (target) the process attempted to access. In this case, it is the SELinux context of file1.
This SELinux denial can be translated to:
SELinux denied the httpd process with PID 2465 to access the /var/www/html/file1 file with the samba_share_t type, which is not accessible to processes running in the httpd_t domain unless configured otherwise.
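The field-by-field reading above can be automated for a whole Audit log. The following added example (not part of the Red Hat documentation) parses raw AVC records into the fields this section names, renders the same plain-language sentence, and applies a first-step heuristic in the order this chapter recommends (port label, then file label, then booleans or policy); it also builds the sesearch query from the verification step of the previous section, so a denial can be checked against the policy after a fix. The sample lines are constructed copies of the three denials quoted in this chapter plus one non-AVC record; LABELING_TYPES is the set of target types this chapter explains as labeling mistakes.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log lines: the three AVC records quoted in this chapter, plus
# one non-AVC record to show that unrelated Audit lines are ignored.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1395177286.929:1638): avc:  denied  { read } for  pid=6591 '
    'comm="httpd" name="webpages" dev="0:37" ino=2112 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir',
    'type=AVC msg=audit(1226874073.147:96): avc:  denied  { getattr } for  pid=2465 '
    'comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file',
    'type=AVC msg=audit(1225948455.061:294): avc:  denied  { name_bind } for  pid=4997 '
    'comm="httpd" src=9876 scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1395177286.929:1638): arch=c000003e syscall=257 success=no exit=-13',
]

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types this chapter explains as file-labeling mistakes for confined services.
LABELING_TYPES = {'user_home_t', 'default_t', 'var_t', 'samba_share_t'}


def context_type(context: Optional[str]) -> Optional[str]:
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = (context or '').split(':')
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line: str) -> Optional[Dict]:
    """Parse one raw AVC record as written to audit.log; None for other record types."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'pid': int(fields.get('pid', 0)),
        'comm': fields.get('comm'),
        'stype': context_type(fields.get('scontext')),
        'ttype': context_type(fields.get('tcontext')),
        'tclass': fields.get('tclass'),
        # The object is named by path= (files), name= (directory entries) or src= (ports).
        'object': fields.get('path') or fields.get('name') or fields.get('src'),
    }


def describe(rec: Dict) -> str:
    """Render a record in the plain-language form used in this section."""
    return (f"SELinux denied the {rec['comm']} process with PID {rec['pid']} and the "
            f"{rec['stype']} type to {' and '.join(rec['perms'])} {rec['tclass']} "
            f"{rec['object']} with the {rec['ttype']} type")


def triage(rec: Dict) -> str:
    """Heuristic first step, following the order of checks this chapter recommends."""
    if 'name_bind' in rec['perms']:
        return 'port label: compare with semanage port -l'
    if rec['ttype'] in LABELING_TYPES:
        return 'file label: check with matchpathcon -V, fix with restorecon'
    return 'boolean or policy: check getsebool -a, then sealert'


def sesearch_query(rec: Dict) -> str:
    """Build the sesearch query from the verification step that checks whether a rule exists."""
    return (f"sesearch -A --source={rec['stype']} --target={rec['ttype']} "
            f"--class={rec['tclass']} --perm={','.join(rec['perms'])}")


def summarize(lines: List[str]) -> Counter:
    """Count denials per (source type, target type, class) to spot the dominant problem."""
    recs = [r for r in map(parse_avc, lines) if r and r['result'] == 'denied']
    return Counter((r['stype'], r['ttype'], r['tclass']) for r in recs)
```

Feed it the lines of /var/log/audit/audit.log or the output of ausearch -m AVC --raw; records produced by ausearch -i are interpreted text and are not parsed by this regular expression.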