Re: [selinux] Re: Idiomatic solution for tiny systemd "services"?

[Miroslav Grepl <mgrepl@xxxxxxxxxx>]

On 03/03/2015 08:34 AM, Robin Lee Powell wrote:
> On Mon, Feb 16, 2015 at 10:35:42AM -0800, Robin Lee Powell wrote:
> > On Mon, Feb 16, 2015 at 11:21:29AM +0100, Miroslav Grepl wrote:
> > > On 02/15/2015 06:51 PM, Robin Lee Powell wrote:
> > > > On Sun, Feb 15, 2015 at 08:44:07AM -0500, Daniel J Walsh wrote:
> > > > > On 02/11/2015 08:51 PM, Robin Lee Powell wrote:
> > > > > > Hey all.  I have a tiny web service that I'm running with a ruby
> > > > > > script in ~/.rvm/ , and I'd like to run it out of systemd (just
> > > > > > to keep it running always), but init_t can't read or execute
> > > > > > user_home_t.
> > > > > >
> > > > > > Nor can init_t run runcon.
> > > > > >
> > > > > > Basically, I can't figure out any way to transition from
> > > > > > systemd's init_t to my user's type (staff_t).
> > > > > >
> > > > > > So what's the idiomatic way to handle that sort of thing?
> > > > > init_t should be transitioning to a context that can read content
> > > > > in the users homedir.  What is the label on the ruby script?
> > > > user_home_t; I had no idea what to try.
> > > >
> > > > > Which policy are you using?
> > > > Whatever comes with F20.
> > > >
> > > > > Do you have unconfined.pp disabled?
> > > > Yes.
> > > >
> > > > > Also do you have the actual avcs you are seeing?
> > > > Uh, not anymore I'm afraid; I had to find a workaround and move on.
> > > > I can regenerate them if it's important?
> > > How does your unit file look for this service?
> > I tried several versions; here's the last of them:
> >
> > [Unit]
> > Description=Converts Google Docs files to Archive Of Our Own's input format
> >
> > [Service]
> > ExecStart=/home/rlpowell/.rvm/wrappers/ruby-2.2.0@sinatra/ruby /home/rlpowell/src/gdoc-to-ao3/gdoc-to-ao3.rb -p 9080 -o 192.168.123.133
> > Restart=always
> > User=rlpowell
> > Group=rlpowell
> >
> > [Install]
> > WantedBy=multi-user.target
> >
> > A wide variety of AVCs were caused as I played around with various
> > options, but it was the execute ones that caused me the most
> > trouble; here's some example:
> >
> > type=AVC msg=audit(1423701682.841:7262587): avc:  denied  { execute_no_trans } for  pid=2299 comm="(ruby)" path="/home/tmp/rlpowell/rvm/gems/ruby-2.2.0@sinatra/wrappers/ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> > type=AVC msg=audit(1423701682.844:7262593): avc:  denied  { execute } for  pid=2299 comm="bash" name="ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> > type=AVC msg=audit(1423701682.844:7262594): avc:  denied  { execute_no_trans } for  pid=2299 comm="bash" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/bin/ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> > type=AVC msg=audit(1423701992.343:7262805): avc:  denied  { execute } for  pid=2476 comm="runcon" name="ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> > type=AVC msg=audit(1423702215.494:7263051): avc:  denied  { execute } for  pid=2646 comm="runcon" name="ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> > type=AVC msg=audit(1423703784.821:7264163): avc:  denied  { execute } for  pid=3456 comm="(ruby)" name="ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> > type=AVC msg=audit(1423703784.821:7264163): avc:  denied  { execute_no_trans } for  pid=3456 comm="(ruby)" path="/home/tmp/rlpowell/rvm/gems/ruby-2.2.0@sinatra/wrappers/ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> > type=AVC msg=audit(1423703784.824:7264171): avc:  denied  { execute } for  pid=3456 comm="bash" name="ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> > type=AVC msg=audit(1423703784.824:7264172): avc:  denied  { execute_no_trans } for  pid=3456 comm="bash" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/bin/ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> > type=AVC msg=audit(1423703851.301:7264239): avc:  denied  { execute } for  pid=3497 comm="ruby" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/lib/libruby.so.2.2.0" dev="vdd1" ino=1353561 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> > type=AVC msg=audit(1423704154.718:7264336): avc:  denied  { execute } for  pid=3587 comm="ruby" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/lib/ruby/2.2.0/x86_64-linux/enc/encdb.so" dev="vdd1" ino=1718629 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> >
> > Once I had those solved, I hit the problem that this script listens
> > on a high port.  Now, I have things configured so that staff_t can
> > do that, but this wouldn't run as staff_t, so I gave up and used the
> > ruby "daemons" gem instead.
> And now I'm trying to get parsoid running; same sort of situation.
>
> Here's the AVCs so far:
>
> type=AVC msg=audit(03/02/2015 23:30:11.565:327341) : avc:  denied  { execmem } for  pid=5114 comm=node scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
> type=AVC msg=audit(03/02/2015 23:30:11.628:327342) : avc:  denied  { open } for  pid=5114 comm=node path=/srv/parsoid/api/server.js dev="vdb1" ino=1048596 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:var_t:s0 tclass=file
> type=AVC msg=audit(03/02/2015 23:30:11.628:327342) : avc:  denied  { read } for  pid=5114 comm=node name=server.js dev="vdb1" ino=1048596 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:var_t:s0 tclass=file
> type=AVC msg=audit(03/02/2015 23:30:12.783:327350) : avc:  denied  { name_bind } for  pid=5114 comm=node src=9999 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket
> type=AVC msg=audit(03/02/2015 23:30:31.592:327354) : avc:  denied  { setrlimit } for  pid=5133 comm=sh scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
>
> and here's the service file:
>
> [Unit]
> Description=Mediawiki Parsoid web service on node.js
> Documentation=http://www.mediawiki.org/wiki/Parsoid
> Wants=local-fs.target network.target
> After=local-fs.target network.target
>
> [Unit]
> Description=Mediawiki Parsoid web service on node.js
> Documentation=http://www.mediawiki.org/wiki/Parsoid
> Wants=local-fs.target network.target
> After=local-fs.target network.target
>
> [Install]
> WantedBy=multi-user.target
>
> [Service]
> Type=simple
> User=apache
> Group=apache
> WorkingDirectory=/srv/parsoid
> EnvironmentFile=-/etc/parsoid/parsoid.env
> ExecStart=/usr/bin/node /srv/parsoid/api/server.js
> KillMode=process
> Restart=on-success
> PrivateTmp=true
> StandardOutput=syslog
>
> - ------
>
> It doesn't have to be user Apache.
>
> Any hints?
>
> Is there a more active place I could be asking this question?
I apologize, I overlooked your mail.

So still the question is what a proper domain is for it. We could call

/usr/bin/node /srv/parsoid/api/server.js

from a helper script which could have a label -> httpd_exec_t?

ExecStart=/usr/bin/test_helper_script

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux