On Tue, 2024-09-10 at 11:55 -0500, Thomas Cameron wrote:
> On 9/10/24 5:30 AM, Patrick O'Callaghan wrote:
> > I have a cron line that attempts to restart httpd every morning, but
> > it's failing with an AVC error:
> >
> > Sep 10 08:00:00 Bree CROND[723189]: (root) CMD ((echo "$(date): Apache: calling restart") >> /var/log/httpd/my-log && /usr/sbin/apachectl restart)
> > Sep 10 08:00:00 Bree systemd[1]: selinux: avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/httpd.service" cmdline="" function="bus_unit_method_start_generic" scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_unit_file_t:s0 tclass=service permissive=0
> >
> > My SELinux-fu is not up to this. Any thoughts?
>
> Patrick -
>
> I did a presentation at Red Hat Summit on SELinux a few years ago. If
> you're willing to spend about 45 minutes, you can learn some tools to
> figure out why it's throwing that error and how to fix or report it.
>
> https://www.youtube.com/watch?v=_WOKRaM-HI4

Thanks. I had seen that video some time ago but took another look. A couple of points:

There are no setroubleshoot lines in the journal, just the line I quoted. setroubleshootd is installed and running.

auditd is installed but not running:

$ systemctl status auditd
○ auditd.service - Security Audit Logging Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: inactive (dead)
  Condition: start condition unmet at Wed 2024-09-11 11:51:08 BST; 10min ago
             └─ ConditionKernelCommandLine=!audit=0 was not met
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation

Sep 11 11:51:08 Bree systemd[1]: auditd.service - Security Audit Logging Service was skipped because of an unmet condition check (ConditionKernelCommandLine=!audit=0).

Does this really mean I have to modify the boot line to get auditd to run? The video doesn't mention this as far as I know.
*HOWEVER*

Turns out I don't need any of this. If I substitute my original crontab line for one that simply calls a shell script which in turn calls apachectl, then it all works with no AVC.

How does this make sense? It seems highly counterintuitive.

poc
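A small parser for the AVC line quoted above, added here as an example (it is not from the thread, nor from Fedora's or the SELinux userspace tooling): it pulls the source domain, target type, object class and permission out of the journal record, so the denial can be checked against the loaded policy with sesearch before deciding whether to report it or work around it. The sample line is the one from the journal; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the journal line quoted in the thread above (split across strings for width).
SAMPLE_AVC = (
    'Sep 10 08:00:00 Bree systemd[1]: selinux: avc: denied { start } for auid=n/a uid=0 gid=0 '
    'path="/usr/lib/systemd/system/httpd.service" cmdline="" function="bus_unit_method_start_generic" '
    'scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_unit_file_t:s0 '
    'tclass=service permissive=0'
)

# Journal prefix (timestamp, host, emitting process), then the AVC body, then key=value pairs
# whose values are either double-quoted (possibly empty) or a bare token.
PREFIX_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+(?P<proc>\S+?):\s+')
AVC_RE = re.compile(r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

@dataclass
class Avc:
    logger: str      # process that wrote the record: systemd[1] here (a userspace object manager), 'kernel' for kernel AVCs
    decision: str    # denied / granted
    perms: list      # permissions inside the braces
    fields: dict     # the key=value pairs after 'for'
    def _type(self, key: str) -> str:   # type component of a user:role:type[:range] context
        return self.fields[key].split(':')[2]

    @property
    def source_domain(self) -> str:
        return self._type('scontext')

    @property
    def target_type(self) -> str:
        return self._type('tcontext')

    @property
    def enforcing(self) -> bool:        # permissive=0: the access really was blocked
        return self.fields.get('permissive') == '0'

def parse_avc(line: str):
    """Return an Avc for a journal AVC line, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    p = PREFIX_RE.match(line)
    fields = {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(m.group('rest'))}
    return Avc(p.group('proc') if p else 'unknown', m.group('decision'), m.group('perms').split(), fields)

def missing_rule(avc: Avc) -> str:
    """The allow rule the denial implies (what audit2allow prints); a query to check with sesearch, not a fix."""
    return f"allow {avc.source_domain} {avc.target_type}:{avc.fields['tclass']} {{ {' '.join(avc.perms)} }};"
```

For the quoted line this yields `allow httpd_t httpd_unit_file_t:service { start };`, i.e. the record says the httpd_t domain itself (not cron's) asked systemd to start the unit, which is the fact to start from when comparing the failing crontab line with the working shell-script variant.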