Re: emby-server on f24

"Philip Seeley" <pseeley@xxxxxxxxxxx> · Mon, 12 Sep 2016 18:19:21 +1100

Hi Isaac,

Looks like your basic problem is that you're running the startup script in the init_t domain, but you should really be running it in the initrc_t domain (or some custom domain).

Assuming we're talking about the targeted policy, the initrc_t domain is unconfined, whereas init_t isn't.

Is your startup script labelled with an ..._initrc_exec_t type? This is assuming you're using SysV startup scripts and not systemd.

If you're using systemd service definitions to call your emby-server.sh script, then try labelling that script initrc_exec_t.

Cheers

Phil

Isaac Hailperin ---11/09/2016 23:20:03---Hi, I am trying to get emby-server to run on f24 with selinux in enforcing mode

From:        Isaac Hailperin <isaac.hailperin@xxxxxxxxxxxxxx>
To:        selinux@xxxxxxxxxxxxxxxxxxxxxxx
Date:        11/09/2016 23:20
Subject:        emby-server on f24

Hi,

I am trying to get emby-server to run on f24 with selinux in enforcing mode (which was fine on f23).
Now I am getting denials:

Sep 11 14:32:40 sh01 audit[796]: AVC avc:  denied  { create } for  pid=796 comm="emby-server.sh" name="emby-server.log" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
Sep 11 14:32:40 sh01 audit[796]: AVC avc:  denied  { getattr } for  pid=796 comm="emby-server.sh" path="/usr/bin/su" dev="dm-0" ino=1580514 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file permissive=0
Sep 11 14:32:40 sh01 audit[796]: AVC avc:  denied  { getattr } for  pid=796 comm="emby-server.sh" path="/usr/bin/su" dev="dm-0" ino=1580514 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file permissive=0

audit2allow gives me the following policy:
#============= init_t ==============
allow init_t su_exec_t:file getattr;
allow init_t var_log_t:file create;

I am wondering what this implies. Just guessing, this would allow anything which is started at boot time to use "su" and create a log file in /var/log. I would not mind the latter, but the former seems a bit too broad from a security perspective.

What other options do I have? Any recommendations?

Isaac
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx