Re: emby-server on f24

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Philip,

thank you for your thoughts. Yes, I am running targeted policy.

This was the state of the startup script (called via systemd unit file):

ls -lZ /usr/lib/emby-server/emby-server.sh
-rwxr-xr-x. 1 root root system_u:object_r:lib_t:s0 3516 Sep 10  2016 /usr/lib/emby-server/emby-server.sh

After changing the context
chcon -t initrc_exec_t /usr/lib/emby-server/emby-server.sh

the service could start again. No need to create a new policy. I will need to make this permanent with with semanage fcontext, but I will figure that out.

Thank you very much for your help!

Isaac




On Mon, Sep 12, 2016 at 9:19 AM, Philip Seeley <pseeley@xxxxxxxxxxx> wrote:

Hi Isaac,

Looks like your basic problem is that you're running the startup script in the init_t domain, but you should really be running it in the initrc_t domain (or some custom domain).

Assuming we're talking about the targeted policy, the initrc_t domain is unconfined, whereas init_t isn't.

Is your startup script labelled with an ..._initrc_exec_t type? This is assuming you're using SysV startup scripts and not systemd.

If you're using systemd service definitions to call your emby-server.sh script, then try labelling that script initrc_exec_t.

Cheers

Phil


Inactive hide details for Isaac Hailperin ---11/09/2016 23:20:03---Hi, I am trying to get emby-server to run on f24 with selinuIsaac Hailperin ---11/09/2016 23:20:03---Hi, I am trying to get emby-server to run on f24 with selinux in enforcing mode

From: Isaac Hailperin <isaac.hailperin@googlemail.com>
To: selinux@lists.fedoraproject.org
Date: 11/09/2016 23:20
Subject: emby-server on f24




Hi,

I am trying to get emby-server to run on f24 with selinux in enforcing mode (which was fine on f23).
Now I am getting denials:

Sep 11 14:32:40 sh01 audit[796]: AVC avc:  denied  { create } for  pid=796 comm="emby-server.sh" name="emby-server.log" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
Sep 11 14:32:40 sh01 audit[796]: AVC avc:  denied  { getattr } for  pid=796 comm="emby-server.sh" path="/usr/bin/su" dev="dm-0" ino=1580514 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file permissive=0
Sep 11 14:32:40 sh01 audit[796]: AVC avc:  denied  { getattr } for  pid=796 comm="emby-server.sh" path="/usr/bin/su" dev="dm-0" ino=1580514 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file permissive=0


audit2allow gives me the following policy:
#============= init_t ==============
allow init_t su_exec_t:file getattr;
allow init_t var_log_t:file create;

I am wondering what this implies. Just guessing, this would allow anything which is started at boot time to use "su" and create a log file in /var/log. I would not mind the latter, but the former seems a bit too broad from a security perspective.

What other options do I have? Any recommendations?

Isaac
--
selinux mailing list
selinux@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org





--
Isaac Hailperin
Sonnhalde 12
79677 Schönau im Schwarzwald
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux