On Mon, Feb 16, 2015 at 11:21:29AM +0100, Miroslav Grepl wrote:
> On 02/15/2015 06:51 PM, Robin Lee Powell wrote:
> >On Sun, Feb 15, 2015 at 08:44:07AM -0500, Daniel J Walsh wrote:
> >>On 02/11/2015 08:51 PM, Robin Lee Powell wrote:
> >>>Hey all. I have a tiny web service that I'm running with a ruby
> >>>script in ~/.rvm/ , and I'd like to run it out of systemd (just
> >>>to keep it running always), but init_t can't read or execute
> >>>user_home_t.
> >>>
> >>>Nor can init_t run runcon.
> >>>
> >>>Basically, I can't figure out any way to transition from
> >>>systemd's init_t to my user's type (staff_t).
> >>>
> >>>So what's the idiomatic way to handle that sort of thing?
> >>>
> >>init_t should be transitioning to a context that can read content
> >>in the user's homedir. What is the label on the ruby script?
> >user_home_t; I had no idea what to try.
> >
> >>Which policy are you using?
> >Whatever comes with F20.
> >
> >>Do you have unconfined.pp disabled?
> >Yes.
> >
> >>Also do you have the actual avcs you are seeing?
> >Uh, not anymore I'm afraid; I had to find a workaround and move on.
> >I can regenerate them if it's important?
> >
> How does your unit file look for this service?
I tried several versions; here's the last of them:

[Unit]
Description=Converts Google Docs files to Archive Of Our Own's input format

[Service]
ExecStart=/home/rlpowell/.rvm/wrappers/ruby-2.2.0@sinatra/ruby /home/rlpowell/src/gdoc-to-ao3/gdoc-to-ao3.rb -p 9080 -o 192.168.123.133
Restart=always
User=rlpowell
Group=rlpowell

[Install]
WantedBy=multi-user.target

A wide variety of AVCs were caused as I played around with various
options, but it was the execute ones that caused me the most trouble;
here are some examples:

type=AVC msg=audit(1423701682.841:7262587): avc: denied { execute_no_trans } for pid=2299 comm="(ruby)" path="/home/tmp/rlpowell/rvm/gems/ruby-2.2.0@sinatra/wrappers/ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423701682.844:7262593): avc: denied { execute } for pid=2299 comm="bash" name="ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423701682.844:7262594): avc: denied { execute_no_trans } for pid=2299 comm="bash" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/bin/ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423701992.343:7262805): avc: denied { execute } for pid=2476 comm="runcon" name="ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423702215.494:7263051): avc: denied { execute } for pid=2646 comm="runcon" name="ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703784.821:7264163): avc: denied { execute } for pid=3456 comm="(ruby)" name="ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703784.821:7264163): avc: denied { execute_no_trans } for pid=3456 comm="(ruby)" path="/home/tmp/rlpowell/rvm/gems/ruby-2.2.0@sinatra/wrappers/ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703784.824:7264171): avc: denied { execute } for pid=3456 comm="bash" name="ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703784.824:7264172): avc: denied { execute_no_trans } for pid=3456 comm="bash" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/bin/ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703851.301:7264239): avc: denied { execute } for pid=3497 comm="ruby" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/lib/libruby.so.2.2.0" dev="vdd1" ino=1353561 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423704154.718:7264336): avc: denied { execute } for pid=3587 comm="ruby" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/lib/ruby/2.2.0/x86_64-linux/enc/encdb.so" dev="vdd1" ino=1718629 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file

Once I had those solved, I hit the problem that this script listens on
a high port. Now, I have things configured so that staff_t can do
that, but this wouldn't run as staff_t, so I gave up and used the ruby
"daemons" gem instead.

-- 
http://intelligence.org/ : Our last, best hope for a fantastic future.
.i ko na cpedu lo nu stidi vau loi jbopre .i dafsku lu na go'i li'u .e
lu go'i li'u .i ji'a go'i lu na'e go'i li'u .e lu go'i na'i li'u .e lu
no'e go'i li'u .e lu to'e go'i li'u .e lu lo mamta be do cu sofybakni
li'u

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
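As an added example, not part of the thread and not written by any of its participants: a small POSIX shell triage script for AVC records of the kind quoted above. Three of the quoted denials are copied verbatim as the sample input. The script summarises which source domain was denied which permission on which target type (here: init_t and initrc_t denied execute / execute_no_trans on user_home_t, i.e. a labelling problem rather than a missing transition), lists the user_home_t files the service domain was denied execute on, and prints, without running them, the semanage fcontext / restorecon commands that would relabel that tree. The helper names (avc_summary, avc_home_exec_paths, relabel_plan) and the choice of bin_t as the target type are my assumptions; the right type depends on the policy in use and should be checked with sesearch before relabelling anything.

```shell
#!/bin/sh
# Added example for triaging the AVC records quoted in the thread. Not code
# from the thread or its participants; helper names and the bin_t choice
# below are assumptions.

# Three of the denials quoted in the post, copied verbatim, as sample input.
AVC_SAMPLE='type=AVC msg=audit(1423701682.841:7262587): avc: denied { execute_no_trans } for pid=2299 comm="(ruby)" path="/home/tmp/rlpowell/rvm/gems/ruby-2.2.0@sinatra/wrappers/ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423701682.844:7262593): avc: denied { execute } for pid=2299 comm="bash" name="ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703851.301:7264239): avc: denied { execute } for pid=3497 comm="ruby" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/lib/libruby.so.2.2.0" dev="vdd1" ino=1353561 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file'

# avc_summary: AVC records on stdin -> "<count> <src type> <tgt type> <class> <perm>",
# one line per distinct tuple. The type is the third field of each context.
avc_summary() {
  awk '
    /avc: +denied/ {
      perm = src = tgt = cls = ""
      if (match($0, /[{][^}]*[}]/)) {
        perm = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perm)
      }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      count[src " " tgt " " cls " " perm]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k2
}

# avc_home_exec_paths: the files a domain was denied execute or
# execute_no_trans on while they carried user_home_t. Records that only
# carry name= (no path=) are skipped, since the full path is not known.
avc_home_exec_paths() {
  awk '
    /avc: +denied +[{] *execute(_no_trans)? *[}]/ && /tcontext=[^ ]*:user_home_t:/ {
      if (match($0, /path="[^"]*"/)) print substr($0, RSTART + 6, RLENGTH - 7)
    }
  ' | sort -u
}

# relabel_plan PREFIX: denied paths on stdin; if any lie under PREFIX, print
# (never run) the commands that would give that tree a persistent label a
# service domain may execute. bin_t is an assumption; confirm with sesearch
# that the service domain has execute on the type you pick.
relabel_plan() {
  prefix=$1
  hits=0
  while IFS= read -r p; do
    case $p in
      "$prefix"/*) hits=$((hits + 1)) ;;
    esac
  done
  if [ "$hits" -gt 0 ]; then
    printf 'semanage fcontext -a -t bin_t "%s(/.*)?"\n' "$prefix"
    printf 'restorecon -Rv "%s"\n' "$prefix"
  fi
}

# Stand-alone run: summarise, then propose a relabel of the rvm tree.
printf '%s\n' "$AVC_SAMPLE" | avc_summary
printf '%s\n' "$AVC_SAMPLE" | avc_home_exec_paths | relabel_plan /home/tmp/rlpowell/rvm
```

In practice the input would be `ausearch -m avc -ts recent` rather than the embedded sample. The output is what to review before choosing between relabelling the tree and moving the script and interpreter out of the home directory; a `semanage fcontext` rule survives `restorecon`, whereas a `chcon` label is undone by the next relabel.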