Dominick:

Thanks, I had overlooked the advice on the unit file in your first email, but I went back to it and sure enough it helped, but in the end I had to give the python interpreter the exec_t label, since it's what is called by the unit file (the .py file does not use shebang style so it's not called directly), viz. /path/to/python /path/to/app.py
policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#

require {
    # type init_t;
    type systemd_unit_file_t;
    type urandom_device_t;
    type etc_runtime_t;
    type proc_t;
    type bin_t;
    type tmp_t;
    type user_home_dir_t;
    type user_home_t;
    type net_conf_t;
    type ldconfig_exec_t;
    type mongod_port_t;
}

# Daemon domain and its entry-point type. init_daemon_domain() adds the
# init_t -> myapp_t transition that fires when init executes a file
# labeled myapp_exec_t (the "daemon entry file").
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# Unit file type for this service. The interface has to be applied to the
# newly declared type; the posted version called it on systemd_unit_file_t,
# which left myapp_unit_file_t without the unit file attribute.
type myapp_unit_file_t;
systemd_unit_file(myapp_unit_file_t)

########################################
#
# Policy
#

allow myapp_t self:fifo_file rw_fifo_file_perms;
allow myapp_t self:unix_stream_socket create_stream_socket_perms;
allow myapp_t self:process signal;
allow myapp_t etc_runtime_t:file { read getattr open ioctl execute };
allow myapp_t proc_t:file { read open getattr };
# Write access to bin_t directories is unusual for a daemon; worth confirming
# that whatever it writes there is really meant to live in a bin directory.
allow myapp_t bin_t:dir write;
allow myapp_t tmp_t:dir { write add_name };
allow myapp_t tmp_t:file { write open create };
allow myapp_t user_home_dir_t:dir { search getattr read open write add_name };
allow myapp_t user_home_t:file { read open getattr ioctl create };
allow myapp_t user_home_t:dir { read open search getattr };
allow myapp_t ldconfig_exec_t:file { execute read open execute_no_trans };
allow myapp_t net_conf_t:file { read open getattr ioctl };
# Outbound connection to mongod (the ConnectionFailure below was this being denied).
allow myapp_t mongod_port_t:tcp_socket name_connect;
allow myapp_t self:tcp_socket { create setopt connect getattr getopt write read bind append };
allow myapp_t self:udp_socket { create connect getattr getopt setopt write read bind append };
allow myapp_t self:netlink_route_socket { create bind getattr write nlmsg_read nlmsg_write read setattr lock getopt setopt append };
domain_use_interactive_fds(myapp_t)
#files_read_etc_files(myapp_t)
#miscfiles_read_localization(myapp_t)
#!!!! This avc can be allowed using the boolean 'global_ssp'
allow myapp_t urandom_device_t:chr_file { read open };
Jan 18 07:39:48 bookworm.saltminon01 myapp[19476]: File "/appcl/penv/lib/python3.3/site-packages/motor/__init__.py", line 809, in open_sync
Jan 18 07:39:48 bookworm.saltminon01 myapp[19476]: raise outcome['error']
Jan 18 07:39:48 bookworm.saltminon01 myapp[19476]: File "/appcl/penv/lib/python3.3/site-packages/motor/__init__.py", line 725, in _connect
Jan 18 07:39:48 bookworm.saltminon01 myapp[19476]: self.delegate = self.__delegate_class__(*args, **kwargs)
Jan 18 07:39:48 bookworm.saltminon01 myapp[19476]: File "/appcl/penv/lib/python3.3/site-packages/pymongo/mongo_client.py", line 336, in __init__
Jan 18 07:39:48 bookworm.saltminon01 myapp[19476]: raise ConnectionFailure(str(e))
Jan 18 07:39:48 bookworm.saltminon01 myapp[19476]: pymongo.errors.ConnectionFailure: [Errno 13] Permission denied
allow latexapi_t self:tcp_socket { create setopt connect getattr getopt write read bind append};
allow latexapi_t self:udp_socket { create connect getattr getopt setopt write read bind append};
allow latexapi_t self:netlink_route_socket { create bind getattr write nlmsg_read nlmsg_write read setattr lock getopt setopt append };
regards
On Sun, Jan 19, 2014 at 6:56 PM, Dominick Grift <dominick.grift@xxxxxxxxx> wrote:
> On Sun, 2014-01-19 at 09:19 +0300, jiun bookworm wrote:
> > Thanks for that,
> >
> > unfortunately I'm still not there yet,
> >
> > now the application runs in initrc_t (it was remaining in init_t)
> >
> > this is how the policy looks like (from your and bigon's advice):
>
> Make sure that the "daemon entry file" is labeled myapp_exec_t
>
> so for example if the unit file has ExecStart=/usr/sbin/bla (or
> whatever)
> then: chcon -t myapp_exec_t /usr/sbin/bla
>
> The transition happens on the daemon entry file so that must be labeled
> accordingly (myapp_exec_t)

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
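As an added example (not code from the thread or from Dominick), a small POSIX shell check for the point made above: the first word of the unit's ExecStart= line is the "daemon entry file" init actually executes, so that file, not a script passed to it as an argument, is the one that must carry the exec type. The function names, the sample unit file and the use of GNU stat's %C format are assumptions.

```shell
#!/bin/sh
# Added example, not code from the mailing list thread. Inspects the "daemon
# entry file" of a systemd unit: the first word of ExecStart= is what init
# executes, so that file must be labeled with the domain's exec type.
# Assumptions: the unit file is readable, GNU stat (%C) reports the context.

# Print the program systemd executes for the unit: first word of ExecStart=,
# with systemd's prefix characters (-, @, +, !) stripped.
unit_entry_file() {
    sed -n 's/^ExecStart=[-@+!]*\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# Type field of a security context: system_u:object_r:bin_t:s0 -> bin_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when the entry file of unit $1 carries type $2 (e.g. myapp_exec_t),
# 1 when it carries another type, 2 when the unit or file cannot be inspected.
check_entry_label() {
    unit=$1; want=$2
    entry=$(unit_entry_file "$unit")
    if [ -z "$entry" ]; then
        echo "no ExecStart= line in $unit" >&2
        return 2
    fi
    ctx=$(stat -c %C "$entry" 2>/dev/null) || { echo "cannot stat $entry" >&2; return 2; }
    have=$(context_type "$ctx")
    if [ "$have" = "$want" ]; then
        echo "$entry is $have: init will transition into the daemon domain"
        return 0
    fi
    # Suggest a persistent fcontext rule rather than a one-off chcon, so the
    # label survives a relabel (restorecon / autorelabel).
    echo "$entry is labeled $have, expected $want" >&2
    echo "fix: semanage fcontext -a -t $want '$entry' && restorecon -v '$entry'" >&2
    return 1
}

# Demo on a constructed unit file (paths invented for illustration).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '[Service]\nExecStart=/appcl/penv/bin/python /appcl/app.py\n' > "$tmp"
    echo "entry file: $(unit_entry_file "$tmp")"
    rm -f "$tmp"
fi
```

With ExecStart=/path/to/python /path/to/app.py the entry file is the interpreter itself, so labeling it myapp_exec_t changes what every domain that executes that binary is allowed to do; a thin wrapper script labeled myapp_exec_t that execs the interpreter keeps the transition specific to this service.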