On 03/03/2015 08:34 AM, Robin Lee Powell wrote:
On Mon, Feb 16, 2015 at 10:35:42AM -0800, Robin Lee Powell wrote:
On Mon, Feb 16, 2015 at 11:21:29AM +0100, Miroslav Grepl wrote:
On 02/15/2015 06:51 PM, Robin Lee Powell wrote:
On Sun, Feb 15, 2015 at 08:44:07AM -0500, Daniel J Walsh wrote:
On 02/11/2015 08:51 PM, Robin Lee Powell wrote:
Hey all. I have a tiny web service that I'm running with a ruby
script in ~/.rvm/ , and I'd like to run it out of systemd (just
to keep it running always), but init_t can't read or execute
user_home_t.
Nor can init_t run runcon.
Basically, I can't figure out any way to transition from
systemd's init_t to my user's type (staff_t).
So what's the idiomatic way to handle that sort of thing?
init_t should be transitioning to a context that can read content
in the users homedir. What is the label on the ruby script?
user_home_t; I had no idea what to try.
Which policy are you using?
Whatever comes with F20.
Do you have unconfined.pp disabled?
Yes.
Also do you have the actual avcs you are seeing?
Uh, not anymore I'm afraid; I had to find a workaround and move on.
I can regenerate them if it's important?
How does your unit file look for this service?
I tried several versions; here's the last of them:
[Unit]
Description=Converts Google Docs files to Archive Of Our Own's input format
[Service]
ExecStart=/home/rlpowell/.rvm/wrappers/ruby-2.2.0@sinatra/ruby /home/rlpowell/src/gdoc-to-ao3/gdoc-to-ao3.rb -p 9080 -o 192.168.123.133
Restart=always
User=rlpowell
Group=rlpowell
[Install]
WantedBy=multi-user.target
A wide variety of AVCs were caused as I played around with various
options, but it was the execute ones that caused me the most
trouble; here's some example:
type=AVC msg=audit(1423701682.841:7262587): avc: denied { execute_no_trans } for pid=2299 comm="(ruby)" path="/home/tmp/rlpowell/rvm/gems/ruby-2.2.0@sinatra/wrappers/ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423701682.844:7262593): avc: denied { execute } for pid=2299 comm="bash" name="ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423701682.844:7262594): avc: denied { execute_no_trans } for pid=2299 comm="bash" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/bin/ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423701992.343:7262805): avc: denied { execute } for pid=2476 comm="runcon" name="ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423702215.494:7263051): avc: denied { execute } for pid=2646 comm="runcon" name="ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703784.821:7264163): avc: denied { execute } for pid=3456 comm="(ruby)" name="ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703784.821:7264163): avc: denied { execute_no_trans } for pid=3456 comm="(ruby)" path="/home/tmp/rlpowell/rvm/gems/ruby-2.2.0@sinatra/wrappers/ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703784.824:7264171): avc: denied { execute } for pid=3456 comm="bash" name="ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703784.824:7264172): avc: denied { execute_no_trans } for pid=3456 comm="bash" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/bin/ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703851.301:7264239): avc: denied { execute } for pid=3497 comm="ruby" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/lib/libruby.so.2.2.0" dev="vdd1" ino=1353561 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423704154.718:7264336): avc: denied { execute } for pid=3587 comm="ruby" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/lib/ruby/2.2.0/x86_64-linux/enc/encdb.so" dev="vdd1" ino=1718629 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
Once I had those solved, I hit the problem that this script listens
on a high port. Now, I have things configured so that staff_t can
do that, but this wouldn't run as staff_t, so I gave up and used the
ruby "daemons" gem instead.
And now I'm trying to get parsoid running; same sort of situation.
Here's the AVCs so far:
type=AVC msg=audit(03/02/2015 23:30:11.565:327341) : avc: denied { execmem } for pid=5114 comm=node scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(03/02/2015 23:30:11.628:327342) : avc: denied { open } for pid=5114 comm=node path=/srv/parsoid/api/server.js dev="vdb1" ino=1048596 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(03/02/2015 23:30:11.628:327342) : avc: denied { read } for pid=5114 comm=node name=server.js dev="vdb1" ino=1048596 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(03/02/2015 23:30:12.783:327350) : avc: denied { name_bind } for pid=5114 comm=node src=9999 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(03/02/2015 23:30:31.592:327354) : avc: denied { setrlimit } for pid=5133 comm=sh scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
and here's the service file:
[Unit]
Description=Mediawiki Parsoid web service on node.js
Documentation=http://www.mediawiki.org/wiki/Parsoid
Wants=local-fs.target network.target
After=local-fs.target network.target
[Unit]
Description=Mediawiki Parsoid web service on node.js
Documentation=http://www.mediawiki.org/wiki/Parsoid
Wants=local-fs.target network.target
After=local-fs.target network.target
[Install]
WantedBy=multi-user.target
[Service]
Type=simple
User=apache
Group=apache
WorkingDirectory=/srv/parsoid
EnvironmentFile=-/etc/parsoid/parsoid.env
ExecStart=/usr/bin/node /srv/parsoid/api/server.js
KillMode=process
Restart=on-success
PrivateTmp=true
StandardOutput=syslog
- ------
It doesn't have to be user Apache.
Any hints?
Is there a more active place I could be asking this question?
I apologize, I overlooked your mail.
So still the question is what a proper domain is for it. We could call
/usr/bin/node /srv/parsoid/api/server.js
from a helper script which could have a label -> httpd_exec_t?
ExecStart=/usr/bin/test_helper_script
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux