Re: AVC denials for custom service after upgrading to F24

execute_no_trans is a permission which allows for execution of a file without performing any transitions, executing it in the caller's domain instead.  Adding that permission with a custom module should be ok.  audit2allow is one way to generate that module.

I think I'd still go with the first option I offered and set the SELinux context for your script in your unit file.  

>> SELinuxContext=

Set the SELinux security context of the executed process. If set, this will override the automated domain transition. However, the policy still needs to authorize the transition. This directive is ignored if SELinux is disabled. If prefixed by "-", all errors will be ignored. See setexeccon(3) for details.



On Mon, Jun 20, 2016 at 3:43 AM Juan Orti Alcaine <j.orti.alcaine@xxxxxxxxx> wrote:
2016-06-19 17:15 GMT+02:00 Jeremy Young <jrm16020@xxxxxxxxx>:
> The problem is that your script is being executed under the init_t
> type.  You should be able to update your unit file to specify an appropriate
> SELinux context for your script.
>
> http://man7.org/linux/man-pages/man5/systemd.exec.5.html
>
> Under [Service], add something like this:
>
> SELinuxContext=system_u:system_r::s0-c0.c1023
>
>
>
> You may also be able to label your script httpd_exec_t and have it
> transition to the Apache domain so that it doesn't run as init_t when your
> system starts.
>

I'm trying to transition to the httpd_t domain, but after labeling the
script as httpd_exec_t, I get this AVC.
What does execute_no_trans mean?

Thank you.


SELinux is preventing (mon2.php) from execute_no_trans access on the
file /var/www/ttrss.miceliux.com/update_daemon2.php.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that (mon2.php) should be allowed execute_no_trans
access on the update_daemon2.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(mon2.php)' --raw | audit2allow -M my-mon2php
# semodule -X 300 -i my-mon2php.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:httpd_exec_t:s0
Target Objects                /var/www/ttrss.miceliux.com/update_daemon2.php [
                              file ]
Source                        (mon2.php)
Source Path                   (mon2.php)
Port                          <Unknown>
Host                          argon
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-190.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     argon
Platform                      Linux argon 4.5.5-300.fc24.x86_64 #1 SMP Thu May
                              19 13:05:32 UTC 2016 x86_64 x86_64
Alert Count                   30
First Seen                    2016-06-20 10:06:58 CEST
Last Seen                     2016-06-20 10:37:19 CEST
Local ID                      93118537-004d-40f1-9603-bf0cded5dd34

Raw Audit Messages
type=AVC msg=audit(1466411839.205:13159): avc:  denied  {
execute_no_trans } for  pid=16149 comm="(mon2.php)"
path="/var/www/ttrss.miceliux.com/update_daemon2.php" dev="dm-0"
ino=25403430 scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:httpd_exec_t:s0 tclass=file permissive=0


Hash: (mon2.php),init_t,httpd_exec_t,file,execute_no_trans


--
Juan Orti
https://apuntesderootblog.wordpress.com/
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
--
Jeremy Young
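The two remedies discussed in this thread, worked through on the exact AVC record Juan posted, as an added example that is not from either poster or from the SELinux tools themselves. The script parses one raw `type=AVC` line the way audit2allow would (source type, target type, class, permissions) and prints (A) a `[Service]` drop-in that pins the script to a domain via `SELinuxContext=`, taking user, role and level from the denial's source context, and (B) the minimal local Type Enforcement module that grants only the denied permission. The module name `my-mon2php` and the target domain `httpd_t` are taken from the thread; the helper names (`avc_field`, `avc_perms`, `avc_te_rule`, `avc_te_module`, `unit_dropin`) are assumptions of this example. Nothing is compiled or loaded; it runs offline with plain sh and sed.

```shell
#!/bin/sh
# Added example (not from the thread): derive both fixes from one raw AVC line.
# Assumed helper names; nothing here touches the running policy.

# Raw audit record copied from the thread; the only input needed.
AVC='type=AVC msg=audit(1466411839.205:13159): avc:  denied  { execute_no_trans } for  pid=16149 comm="(mon2.php)" path="/var/www/ttrss.miceliux.com/update_daemon2.php" dev="dm-0" ino=25403430 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_exec_t:s0 tclass=file permissive=0'

# avc_field LINE KEY -> value of the key=value token, surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE -> the permission list inside "{ ... }" (space separated).
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{[[:space:]]*\([^}]*[^}[:space:]]\)[[:space:]]*}.*/\1/p'
}

# avc_te_rule LINE -> the single allow rule audit2allow would emit for this denial.
avc_te_rule() {
    r_src=$(avc_field "$1" scontext | cut -d: -f3)   # e.g. init_t
    r_tgt=$(avc_field "$1" tcontext | cut -d: -f3)   # e.g. httpd_exec_t
    r_cls=$(avc_field "$1" tclass)                   # e.g. file
    r_perms=$(avc_perms "$1")
    case $r_perms in
        *' '*) r_perms="{ $r_perms }" ;;             # several perms need braces
    esac
    printf 'allow %s %s:%s %s;\n' "$r_src" "$r_tgt" "$r_cls" "$r_perms"
}

# avc_te_module LINE NAME -> a complete .te source for "audit2allow -M NAME".
# Remedy B: the script keeps running in init_t; only the one access is granted.
avc_te_module() {
    m_src=$(avc_field "$1" scontext | cut -d: -f3)
    m_tgt=$(avc_field "$1" tcontext | cut -d: -f3)
    m_cls=$(avc_field "$1" tclass)
    printf 'module %s 1.0;\n\nrequire {\n' "$2"
    printf '\ttype %s;\n\ttype %s;\n' "$m_src" "$m_tgt"
    printf '\tclass %s { %s };\n}\n\n' "$m_cls" "$(avc_perms "$1")"
    avc_te_rule "$1"
}

# unit_dropin LINE DOMAIN -> [Service] snippet that runs the script in DOMAIN.
# Remedy A: user, role and MLS level come from the denial's source context;
# only the type is replaced. The policy must still permit init_t -> DOMAIN,
# as systemd.exec(5) notes, or the unit fails to start.
unit_dropin() {
    u_ctx=$(avc_field "$1" scontext)
    u_user=$(printf '%s\n' "$u_ctx" | cut -d: -f1)
    u_role=$(printf '%s\n' "$u_ctx" | cut -d: -f2)
    u_lvl=$(printf '%s\n' "$u_ctx" | cut -d: -f4-)
    printf '[Service]\nSELinuxContext=%s:%s:%s:%s\n' "$u_user" "$u_role" "$2" "$u_lvl"
}

# Demo: both remedies for the denial quoted in the thread.
echo '# --- remedy B: local module (audit2allow style) ---'
avc_te_module "$AVC" my-mon2php
echo
echo '# --- remedy A: unit file drop-in ---'
unit_dropin "$AVC" httpd_t
```

Remedy A is the one Jeremy recommends: the script ends up confined as httpd_t instead of inheriting init_t, whereas remedy B widens what init_t may execute without any transition. Either output can be fed to the usual tools (`checkmodule`/`semodule_package`/`semodule` for the module, `systemctl edit` for the drop-in); the script itself only prints.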
