The problem is that's your script is being executed with under the init_t type. You should be able to update your unit file to specify an appropriate SELinux context for your script.
Under [Service], add something like this:
SELinuxContext=system_u:system_r:httpd_sys_script_t:s0-c0.c1023
You may also be able to label your script httpd_exec_t and have it transition to the Apache domain so that it doesn't run as init_t when your system starts.
On Sun, Jun 19, 2016 at 6:52 AM Juan Orti Alcaine <j.orti.alcaine@xxxxxxxxx> wrote:
Hi,
After upgrading to F24, my custom service ttrss-update.service doesn't
start anymore. I think it was launched before as unconfined_t, but now
I get this AVC. Should I open a bug?
SELinux is preventing php from read access on the file
/var/www/ttrss.miceliux.com/update_daemon2.php.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that php should be allowed read access on the
update_daemon2.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php' --raw | audit2allow -M my-php
# semodule -X 300 -i my-php.pp
Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:object_r:httpd_sys_content_t:s0
Target Objects /var/www/ttrss.miceliux.com/update_daemon2.php [
file ]
Source php
Source Path php
Port <Unknown>
Host argon
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-190.fc24.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name argon
Platform Linux argon 4.5.5-300.fc24.x86_64 #1 SMP Thu May
19 13:05:32 UTC 2016 x86_64 x86_64
Alert Count 35
First Seen 2016-06-16 10:26:22 CEST
Last Seen 2016-06-19 13:42:58 CEST
Local ID 853772a0-7b0e-4f8d-a700-0e829fc401c6
Raw Audit Messages
type=AVC msg=audit(1466336578.797:5880): avc: denied { read } for
pid=7743 comm="php" name="update_daemon2.php" dev="dm-0" ino=25403430
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=0
Hash: php,init_t,httpd_sys_content_t,file,read
This is the service unit:
# systemctl cat ttrss-update.service
# /etc/systemd/system/ttrss-update.service
[Unit]
Description=Tiny Tiny RSS Update daemon
After=network-online.target
After=mariadb.service
Wants=mariadb.service
Requires=network-online.target
[Service]
Type=simple
User=apache
Group=apache
WorkingDirectory=/var/www/ttrss.miceliux.com
ExecStart=/usr/bin/php /var/www/ttrss.miceliux.com/update_daemon2.php
ProtectSystem=full
ProtectHome=true
Nice=19
StandardOutput=null
StandardError=journal
PrivateTmp=true
PrivateDevices=true
NoNewPrivileges=true
Restart=always
[Install]
WantedBy=multi-user.target
--
Juan Orti
https://apuntesderootblog.wordpress.com/
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
--
Jeremy Young
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
