Re: [selinux] Re: Idiomatic solution for tiny systemd "services"?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Feb 16, 2015 at 11:21:29AM +0100, Miroslav Grepl wrote:
> On 02/15/2015 06:51 PM, Robin Lee Powell wrote:
> >On Sun, Feb 15, 2015 at 08:44:07AM -0500, Daniel J Walsh wrote:
> >>On 02/11/2015 08:51 PM, Robin Lee Powell wrote:
> >>>Hey all.  I have a tiny web service that I'm running with a ruby
> >>>script in ~/.rvm/ , and I'd like to run it out of systemd (just
> >>>to keep it running always), but init_t can't read or execute
> >>>user_home_t.
> >>>
> >>>Nor can init_t run runcon.
> >>>
> >>>Basically, I can't figure out any way to transition from
> >>>systemd's init_t to my user's type (staff_t).
> >>>
> >>>So what's the idiomatic way to handle that sort of thing?
> >>>
> >>init_t should be transitioning to a context that can read content
> >>in the users homedir.  What is the label on the ruby script?
> >user_home_t; I had no idea what to try.
> >
> >>Which policy are you using?
> >Whatever comes with F20.
> >
> >>Do you have unconfined.pp disabled?
> >Yes.
> >
> >>Also do you have the actual avcs you are seeing?
> >Uh, not anymore I'm afraid; I had to find a workaround and move on.
> >I can regenerate them if it's important?
> >
> How does your unit file look for this service?

I tried several versions; here's the last of them:

[Unit]
Description=Converts Google Docs files to Archive Of Our Own's input format

[Service]
ExecStart=/home/rlpowell/.rvm/wrappers/ruby-2.2.0@sinatra/ruby /home/rlpowell/src/gdoc-to-ao3/gdoc-to-ao3.rb -p 9080 -o 192.168.123.133
Restart=always
User=rlpowell
Group=rlpowell

[Install]
WantedBy=multi-user.target

A wide variety of AVCs were caused as I played around with various
options, but it was the execute ones that caused me the most
trouble; here's some example:

type=AVC msg=audit(1423701682.841:7262587): avc:  denied  { execute_no_trans } for  pid=2299 comm="(ruby)" path="/home/tmp/rlpowell/rvm/gems/ruby-2.2.0@sinatra/wrappers/ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423701682.844:7262593): avc:  denied  { execute } for  pid=2299 comm="bash" name="ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423701682.844:7262594): avc:  denied  { execute_no_trans } for  pid=2299 comm="bash" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/bin/ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423701992.343:7262805): avc:  denied  { execute } for  pid=2476 comm="runcon" name="ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423702215.494:7263051): avc:  denied  { execute } for  pid=2646 comm="runcon" name="ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703784.821:7264163): avc:  denied  { execute } for  pid=3456 comm="(ruby)" name="ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703784.821:7264163): avc:  denied  { execute_no_trans } for  pid=3456 comm="(ruby)" path="/home/tmp/rlpowell/rvm/gems/ruby-2.2.0@sinatra/wrappers/ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703784.824:7264171): avc:  denied  { execute } for  pid=3456 comm="bash" name="ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703784.824:7264172): avc:  denied  { execute_no_trans } for  pid=3456 comm="bash" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/bin/ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703851.301:7264239): avc:  denied  { execute } for  pid=3497 comm="ruby" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/lib/libruby.so.2.2.0" dev="vdd1" ino=1353561 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423704154.718:7264336): avc:  denied  { execute } for  pid=3587 comm="ruby" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/lib/ruby/2.2.0/x86_64-linux/enc/encdb.so" dev="vdd1" ino=1718629 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file

Once I had those solved, I hit the problem that this script listens
on a high port.  Now, I have things configured so that staff_t can
do that, but this wouldn't run as staff_t, so I gave up and used the
ruby "daemons" gem instead.

-- 
http://intelligence.org/ :  Our last, best hope for a fantastic future.
.i ko na cpedu lo nu stidi vau loi jbopre .i dafsku lu na go'i li'u .e
lu go'i li'u .i ji'a go'i lu na'e go'i li'u .e lu go'i na'i li'u .e
lu no'e go'i li'u .e lu to'e go'i li'u .e lu lo mamta be do cu sofybakni li'u
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux