execute_no_trans is a permission which allows for execution of a file without performing any transitions, executing it in the caller's domain instead. Adding that permission with a custom module should be ok. audit2allow is one way to generate that module.
I think I'd still go with the first option I offered and set the SELinux context for your script in your unit file.
>> SELinuxContext=
Set the SELinux security context of the executed process. If set, this will override the automated domain transition. However, the policy still needs to authorize the transition. This directive is ignored if SELinux is disabled. If prefixed by "-", all errors will be ignored. See setexeccon(3) for details.
On Mon, Jun 20, 2016 at 3:43 AM Juan Orti Alcaine <j.orti.alcaine@xxxxxxxxx> wrote:
2016-06-19 17:15 GMT+02:00 Jeremy Young <jrm16020@xxxxxxxxx>:
> The problem is that your script is being executed under the init_t
> type. You should be able to update your unit file to specify an appropriate
> SELinux context for your script.
>
> http://man7.org/linux/man-pages/man5/systemd.exec.5.html
>
> Under [Service], add something like this:
>
> SELinuxContext=system_u:system_r::s0-c0.c1023
>
>
>
> You may also be able to label your script httpd_exec_t and have it
> transition to the Apache domain so that it doesn't run as init_t when your
> system starts.
>
I'm trying to transition to the httpd_t domain, but after labeling the
script as httpd_exec_t, I get this AVC.
What does execute_no_trans mean?
Thank you.
SELinux is preventing (mon2.php) from execute_no_trans access on the
file /var/www/ttrss.miceliux.com/update_daemon2.php.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that (mon2.php) should be allowed execute_no_trans
access on the update_daemon2.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(mon2.php)' --raw | audit2allow -M my-mon2php
# semodule -X 300 -i my-mon2php.pp
Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:object_r:httpd_exec_t:s0
Target Objects /var/www/ttrss.miceliux.com/update_daemon2.php [ file ]
Source (mon2.php)
Source Path (mon2.php)
Port <Unknown>
Host argon
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-190.fc24.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name argon
Platform Linux argon 4.5.5-300.fc24.x86_64 #1 SMP Thu May 19 13:05:32 UTC 2016 x86_64 x86_64
Alert Count 30
First Seen 2016-06-20 10:06:58 CEST
Last Seen 2016-06-20 10:37:19 CEST
Local ID 93118537-004d-40f1-9603-bf0cded5dd34
Raw Audit Messages
type=AVC msg=audit(1466411839.205:13159): avc: denied { execute_no_trans } for pid=16149 comm="(mon2.php)" path="/var/www/ttrss.miceliux.com/update_daemon2.php" dev="dm-0" ino=25403430 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_exec_t:s0 tclass=file permissive=0
Hash: (mon2.php),init_t,httpd_exec_t,file,execute_no_trans
--
Juan Orti
https://apuntesderootblog.wordpress.com/
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
--
Jeremy Young
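The two fixes discussed in this thread, worked through as an added example that is not part of the thread or of any project's own tooling: a POSIX shell script that (1) turns the posted AVC line into the allow rule audit2allow would produce, (2) wraps it in a loadable policy module source, and (3) writes the unit drop-in that sets SELinuxContext= instead. The AVC line is a constructed copy of the one Juan posted; httpd_t is assumed to be the domain the script should end up in (Juan says so above), and my-mon2php is the module name sealert suggested. The commands that build and load the module are real policycoreutils commands but are only shown in a comment, since they need root and an SELinux-enabled host.

```shell
#!/bin/sh
# Added example, not from the thread: derive the policy module and the unit
# drop-in from an AVC denial, fully offline.

# Constructed sample, same shape as the AVC posted in the thread.
SAMPLE_AVC='type=AVC msg=audit(1466411839.205:13159): avc:  denied  { execute_no_trans } for  pid=16149 comm="(mon2.php)" path="/var/www/ttrss.miceliux.com/update_daemon2.php" dev="dm-0" ino=25403430 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_exec_t:s0 tclass=file permissive=0'

# avc_to_allow RAW_AVC_LINE
# Pull the denied permission set, the source type (third field of scontext),
# the target type (third field of tcontext) and the object class out of one
# raw "avc: denied" line and print the equivalent TE allow rule.
avc_to_allow() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*{ *\([^}]*[^ }]\) *}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/allow \2 \3:\4 { \1 };/p'
}

# te_module NAME ALLOW_RULE
# Emit module source (.te). The require block must declare every type and
# class the rule references, so derive them from the rule itself.
te_module() {
    name=$1
    rule=$2
    src=$(printf '%s' "$rule" | awk '{print $2}')
    tgt=$(printf '%s' "$rule" | awk '{split($3, a, ":"); print a[1]}')
    cls=$(printf '%s' "$rule" | awk '{split($3, a, ":"); print a[2]}')
    perms=$(printf '%s' "$rule" | sed 's/.*{ *\(.*[^ ]\) *}.*/\1/')
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n%s\n' \
        "$name" "$src" "$tgt" "$cls" "$perms" "$rule"
}

# unit_dropin CONTEXT
# The alternative from the thread: a drop-in that makes systemd exec the
# script with an explicit context. The policy must still allow init_t to
# transition to that domain on the script's label (httpd_exec_t here).
unit_dropin() {
    printf '[Service]\nSELinuxContext=%s\n' "$1"
}

RULE=$(avc_to_allow "$SAMPLE_AVC")
echo "$RULE"
echo
te_module my-mon2php "$RULE"          # would be saved as my-mon2php.te
echo
unit_dropin system_u:system_r:httpd_t:s0   # httpd_t is an assumption

# Building and loading the module (needs root and policycoreutils; not run here):
#   checkmodule -M -m -o my-mon2php.mod my-mon2php.te
#   semodule_package -o my-mon2php.pp -m my-mon2php.mod
#   semodule -X 300 -i my-mon2php.pp
```

The allow rule route keeps the PHP daemon running in init_t, which is systemd's own domain, so none of the httpd policy applies to it; the drop-in route puts it in httpd_t, where the rules written for web-serving processes (and the booleans controlling them) apply. The drop-in goes in /etc/systemd/system/<unit>.d/ followed by `systemctl daemon-reload`; if the transition is not authorized, the unit fails to start and the denial shows up in the audit log in the same way as the one above.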