Re: runcon Invalid argument

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 04/13/2012 10:39 AM, Moray Henderson (ICT) wrote:
> I'm trying to debug an httpd-nfs-selinux issue, and it would be _really_ 
> useful to be able to execute commands in context httpd_t while trying out 
> combinations of the nfs_export_all_rw Boolean and public_content_rw_t
> type.
> 
> If I can do
> 
> [root@kojihub ~]# runcon unconfined_u:unconfined_r:unconfined_t:s0 bash 
> [root@kojihub ~]# exit
> 
> why can't I do
> 
> [root@kojihub ~]# runcon unconfined_u:unconfined_r:httpd_t:s0 bash runcon:
> invalid context: unconfined_u:unconfined_r:httpd_t:s0: Invalid argument
> 
Because httpd_t is not allowed to run as the unconfined_r and bash is not an
entrypoint for the httpd_t domain.

You can write policy for this, but basically

SELinux expects the transitions to work like

unconfined_t @initrc_exec_t -> initrc_t @ httpd_exec_t -> httpd_t

You can do

runcon -t initrc_t -r system_r id -Z
staff_u:system_r:initrc_t:s0-s0:c0.c1023

But sadly

runcon -t initrc_t -r system_r runcon -t httpd_t id -Z
runcon: invalid context: staff_u:system_r:httpd_t:s0-s0:c0.c1023: Permission
denied

Still fails because of you are missing these rules

#============= httpd_t ==============
allow httpd_t bin_t:file entrypoint;

#============= initrc_t ==============
allow initrc_t self:process setexec;

You can do the following

# cat /usr/bin/httpd.sh
#!/bin/sh
id -Z
chmod +x /usr/bin/httpd.sh
# chcon -t httpd_exec_t /usr/bin/httpd.sh
# runcon -t initrc_t -r system_r sh -c /bin/httpd.sh
# staff_u:system_r:httpd_t:s0-s0:c0.c1023




> The actual issue is that I've set up a new koji hub with /mnt/koji on an
> nfs mount; with SELinux in permissive mode I get
> 
> AVC Report ======================================================== # date
> time comm subj syscall class permission obj event 
> ======================================================== 1. 04/13/2012
> 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir getattr 
> system_u:object_r:nfs_t:s0 denied 494 2. 04/13/2012 14:23:36 httpd
> unconfined_u:system_r:httpd_t:s0 4 dir search system_u:object_r:nfs_t:s0
> denied 493 3. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83
> dir write system_u:object_r:nfs_t:s0 denied 495 4. 04/13/2012 14:23:36
> httpd unconfined_u:system_r:httpd_t:s0 83 dir add_name
> system_u:object_r:nfs_t:s0 denied 495 5. 04/13/2012 14:23:36 httpd
> unconfined_u:system_r:httpd_t:s0 83 dir create 
> unconfined_u:object_r:nfs_t:s0 denied 495 6. 04/13/2012 14:23:36 httpd
> unconfined_u:system_r:httpd_t:s0 2 file create 
> unconfined_u:object_r:nfs_t:s0 denied 496 7. 04/13/2012 14:23:36 httpd
> unconfined_u:system_r:httpd_t:s0 2 file open system_u:object_r:nfs_t:s0
> denied 496
> 
> 
> Moray. "To err is human; to purr, feline."
> 
> 
> 
> 
> OM International Limited - Unit B Clifford Court, Cooper Way - Carlisle CA3
> 0JG - United Kingdom Charity reg no: 1112655 - Company reg no: 5649412
> (England and Wales)
> 
> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
> https://admin.fedoraproject.org/mailman/listinfo/selinux

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux



[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux