Fwd: AVC denials for custom service after upgrading to F24

2016-06-19 17:15 GMT+02:00 Jeremy Young <jrm16020@xxxxxxxxx>:
> The problem is that your script is being executed under the init_t
> type.  You should be able to update your unit file to specify an appropriate
> SELinux context for your script.
>
> http://man7.org/linux/man-pages/man5/systemd.exec.5.html
>
> Under [Service], add something like this:
>
> SELinuxContext=system_u:system_r::s0-c0.c1023
>
> You may also be able to label your script httpd_exec_t and have it
> transition to the Apache domain so that it doesn't run as init_t when your
> system starts.
>

I'm trying to transition to the httpd_t domain, but after labeling the
script as httpd_exec_t, I get this AVC.
What does execute_no_trans mean?

Thank you.


SELinux is preventing (mon2.php) from execute_no_trans access on the
file /var/www/ttrss.miceliux.com/update_daemon2.php.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (mon2.php) should be allowed execute_no_trans
access on the update_daemon2.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(mon2.php)' --raw | audit2allow -M my-mon2php
# semodule -X 300 -i my-mon2php.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:httpd_exec_t:s0
Target Objects                /var/www/ttrss.miceliux.com/update_daemon2.php [
                              file ]
Source                        (mon2.php)
Source Path                   (mon2.php)
Port                          <Unknown>
Host                          argon
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-190.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     argon
Platform                      Linux argon 4.5.5-300.fc24.x86_64 #1 SMP Thu May
                              19 13:05:32 UTC 2016 x86_64 x86_64
Alert Count                   30
First Seen                    2016-06-20 10:06:58 CEST
Last Seen                     2016-06-20 10:37:19 CEST
Local ID                      93118537-004d-40f1-9603-bf0cded5dd34

Raw Audit Messages
type=AVC msg=audit(1466411839.205:13159): avc:  denied  { execute_no_trans } for  pid=16149 comm="(mon2.php)" path="/var/www/ttrss.miceliux.com/update_daemon2.php" dev="dm-0" ino=25403430 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_exec_t:s0 tclass=file permissive=0


Hash: (mon2.php),init_t,httpd_exec_t,file,execute_no_trans


--
Juan Orti
https://apuntesderootblog.wordpress.com/
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
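The raw audit line in the message is the evidence to read first: `execute_no_trans` is the file permission SELinux checks when a process executes a file while staying in its current domain, so this denial records init_t running the httpd_exec_t file without any domain transition taking place. As an added example that is not part of the thread, the POSIX shell parser below pulls the source type, target type, object class and permission out of an AVC line (the embedded sample is the thread's own denial joined onto one line, constructed as offline input) and, for a file `execute_no_trans` denial, prints the two setools `sesearch` queries that show whether the policy has a `type_transition` from that source domain on that file type and whether executing it in place is allowed. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: a small POSIX shell parser for raw
# AVC audit lines.  AVC_SAMPLE is the thread's own denial, joined onto one
# line (constructed sample input so the script runs offline).
AVC_SAMPLE='type=AVC msg=audit(1466411839.205:13159): avc:  denied  { execute_no_trans } for  pid=16149 comm="(mon2.php)" path="/var/www/ttrss.miceliux.com/update_daemon2.php" dev="dm-0" ino=25403430 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_exec_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: print the value of KEY=... with surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# avc_perms LINE: print the permission names listed inside { ... }.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*[{] *\([^}]*\)[}].*/\1/p' | sed 's/[[:space:]]*$//'
}

# context_type CONTEXT: the type field of a user:role:type:level context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "source_type target_type class perms" on one line.
avc_summary() {
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    printf '%s %s %s %s\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_explain LINE: one-line meaning of the denial, followed by the setools
# (sesearch) queries that show whether the loaded policy has a transition
# rule.  execute_no_trans on a file is checked when a process executes that
# file while staying in its own domain, i.e. no type_transition applied.
avc_explain() {
    set -- $(avc_summary "$1")
    src=$1; tgt=$2; cls=$3; shift 3; perms=$*
    case "$cls $perms" in
        "file execute_no_trans")
            printf '%s executed a %s file while staying in %s (no domain transition).\n' "$src" "$tgt" "$src"
            printf 'transition rule?  sesearch -T -s %s -t %s -c process\n' "$src" "$tgt"
            printf 'in-place exec?    sesearch -A -s %s -t %s -c file -p execute_no_trans\n' "$src" "$tgt"
            ;;
        *)
            printf '%s was denied %s on a %s of type %s.\n' "$src" "$perms" "$cls" "$tgt"
            ;;
    esac
}

# Stand-alone run against the constructed sample.
avc_summary "$AVC_SAMPLE"
avc_explain "$AVC_SAMPLE"
```

On a live system the same functions can be fed one line at a time from `ausearch -m avc --raw`; the summary line is what to compare against the `sesearch` output, since a missing `type_transition` for the source domain on the file type is exactly the case in which the kernel falls back to checking `execute_no_trans` instead of `transition`.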