Re: AVC denials for custom service after upgrading to F24

The problem is that your script is being executed under the init_t type.  You should be able to update your unit file to specify an appropriate SELinux context for your script.

http://man7.org/linux/man-pages/man5/systemd.exec.5.html

Under [Service], add something like this:

SELinuxContext=system_u:system_r:httpd_sys_script_t:s0-c0.c1023



You may also be able to label your script httpd_exec_t and have it transition to the Apache domain so that it doesn't run as init_t when your system starts.


On Sun, Jun 19, 2016 at 6:52 AM Juan Orti Alcaine <j.orti.alcaine@xxxxxxxxx> wrote:
Hi,

After upgrading to F24, my custom service ttrss-update.service doesn't
start anymore. I think it was launched before as unconfined_t, but now
I get this AVC. Should I open a bug?

SELinux is preventing php from read access on the file
/var/www/ttrss.miceliux.com/update_daemon2.php.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that php should be allowed read access on the
update_daemon2.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php' --raw | audit2allow -M my-php
# semodule -X 300 -i my-php.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:httpd_sys_content_t:s0
Target Objects                /var/www/ttrss.miceliux.com/update_daemon2.php [
                              file ]
Source                        php
Source Path                   php
Port                          <Unknown>
Host                          argon
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-190.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     argon
Platform                      Linux argon 4.5.5-300.fc24.x86_64 #1 SMP Thu May
                              19 13:05:32 UTC 2016 x86_64 x86_64
Alert Count                   35
First Seen                    2016-06-16 10:26:22 CEST
Last Seen                     2016-06-19 13:42:58 CEST
Local ID                      853772a0-7b0e-4f8d-a700-0e829fc401c6

Raw Audit Messages
type=AVC msg=audit(1466336578.797:5880): avc:  denied  { read } for
pid=7743 comm="php" name="update_daemon2.php" dev="dm-0" ino=25403430
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=0


Hash: php,init_t,httpd_sys_content_t,file,read


This is the service unit:

# systemctl cat ttrss-update.service
# /etc/systemd/system/ttrss-update.service
[Unit]
Description=Tiny Tiny RSS Update daemon
After=network-online.target
After=mariadb.service
Wants=mariadb.service
Requires=network-online.target

[Service]
Type=simple
User=apache
Group=apache
WorkingDirectory=/var/www/ttrss.miceliux.com
ExecStart=/usr/bin/php /var/www/ttrss.miceliux.com/update_daemon2.php
ProtectSystem=full
ProtectHome=true
Nice=19
StandardOutput=null
StandardError=journal
PrivateTmp=true
PrivateDevices=true
NoNewPrivileges=true
Restart=always

[Install]
WantedBy=multi-user.target


--
Juan Orti
https://apuntesderootblog.wordpress.com/
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
--
Jeremy Young
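Added example (my own, not from either message in this thread): a POSIX shell helper that parses a raw AVC record like the one quoted above into the denied permission plus source and target types, and prints a systemd drop-in that applies the SELinuxContext= suggestion without editing the main unit file. The sample record and the unit name are taken from the thread; whether the policy actually lets init_t enter the chosen domain through /usr/bin/php is a separate entrypoint check that this script does not make.

```shell
#!/bin/sh
# Constructed sample: the raw AVC record posted in the thread, on one line.
AVC='type=AVC msg=audit(1466336578.797:5880): avc:  denied  { read } for pid=7743 comm="php" name="update_daemon2.php" dev="dm-0" ino=25403430 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY -> value of the KEY=value token, surrounding quotes removed
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | sed 's/^"//; s/"$//' | head -n 1
}

# avc_perms RECORD -> the permission list inside "denied { ... }"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# ctx_type CONTEXT -> the type field of a user:role:type:level context
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD -> "PERM SOURCE_TYPE TARGET_TYPE CLASS" on one line
avc_summary() {
    printf '%s %s %s %s\n' "$(avc_perms "$1")" \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)"
}

# dropin_for UNIT CONTEXT -> contents for /etc/systemd/system/UNIT.d/selinux.conf
# Printed, not written: install it as root, then run `systemctl daemon-reload`.
dropin_for() {
    printf '# %s: run the service in a confined domain instead of init_t\n[Service]\nSELinuxContext=%s\n' "$1" "$2"
}

avc_summary "$AVC"
dropin_for ttrss-update.service system_u:system_r:httpd_sys_script_t:s0-c0.c1023
```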
