Hi,
I am trying to get emby-server to run on f24 with selinux in enforcing mode (which was fine on f23).
Now I am getting denials:
Sep 11 14:32:40 sh01 audit[796]: AVC avc: denied { create } for pid=796 comm="emby-server.sh" name="emby-server.log" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
Sep 11 14:32:40 sh01 audit[796]: AVC avc: denied { getattr } for pid=796 comm="emby-server.sh" path="/usr/bin/su" dev="dm-0" ino=1580514 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file permissive=0
Sep 11 14:32:40 sh01 audit[796]: AVC avc: denied { getattr } for pid=796 comm="emby-server.sh" path="/usr/bin/su" dev="dm-0" ino=1580514 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file permissive=0
audit2allow gives me the following policy:
#============= init_t ==============
allow init_t su_exec_t:file getattr;
allow init_t var_log_t:file create;
I am wondering what this implies. Just guessing, this would allow anything which is started at boot time to use "su" and create a log file in /var/log. I would not mind the latter, but the former seems a bit too broad from a security perspective.
What other options do I have? Any recommendations?
Isaac
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
