Re: Transitioning out of a confined user domain

On 2016-10-13 09:22, Mark Montague wrote:
I tried this as shown below, but the rule output by audit2allow is already in the loaded policy:

[root@earth nodejs_webserver]# ausearch -m avc -su staff_t -ts recent |grep transition |audit2allow

#============= staff_t ==============
allow staff_t nodejswebserver_t:process transition;
[root@earth nodejs_webserver]# sesearch -A -s staff_t -t nodejswebserver_t -c process
Found 2 semantic av rules:
allow staff_t nodejswebserver_t : process { transition noatsecure siginh rlimitinh } ;
   allow staff_t domain : process { getsched getcap getattr } ;

[root@earth nodejs_webserver]#

I've found the solution:

The original file context for the executable was system_u:object_r:nodejswebserver_exec_t:s0, and this was the source of the problem. As soon as I changed the file context for the executable to system_u:system_r:nodejswebserver_exec_t:s0 everything started working.

The problem was that when I tried various things before, the command

chcon system_u:system_r:nodejswebserver_exec_t:s0 /sw/sbin/node

gave the error "invalid context". So I incorrectly assumed that the original context was correct and tried other solutions instead.

In order to get the chcon command to succeed, I had to add the following rule to the local targeted policy:

role system_r types nodejswebserver_exec_t;

As soon as I added this rule and changed the file context the denial went away. Although audit2allow said that the rule "allow staff_t nodejswebserver_t:process transition;" is what was needed, this was not accurate in this case since the suggested rule was already present via the domtrans_pattern macro -- what was missing was changing the file context role from object_r to system_r, which was enabled by the other rule above.

Here is the final set of rules to allow transition from the confined user domain staff_t to nodejswebserver_t:

role system_r types nodejswebserver_exec_t;
role_transition staff_r nodejswebserver_exec_t system_r;
domain_system_change_exemption(staff_t);
domtrans_pattern(staff_t, nodejswebserver_exec_t, nodejswebserver_t);

And here is a demonstration of the result:

[markmont@earth ~]$ id -Z
staff_u:staff_r:staff_t:s0
[markmont@earth ~]$ /sw/sbin/node
> require('child_process').execFileSync('id', ['-Z'], { stdio: 'inherit' } );
staff_u:system_r:nodejswebserver_t:s0
null
>

Many thanks for everyone's help on this!

--
  Mark Montague
  mark@xxxxxxxxxxx
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
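For readers who want the four rules from the post in a form that builds, here is a complete policy module assembling them. This is an added illustration, not code from the original post and not Mark's nodejs_webserver module: the module name and version, the gen_require block, the domain_type/domain_entry_file declarations and the `role system_r types nodejswebserver_t;` line are assumptions (the post shows only the four transition rules); the type names, roles and the path /sw/sbin/node are taken from the post.

```selinux
## nodejswebserver.te (added example; the module layout is assumed, not the poster's file)
policy_module(nodejswebserver, 1.0.0)

gen_require(`
	# Types and roles owned by other modules: the confined user domain and
	# role from the thread, and the system role the process moves into.
	type staff_t;
	role staff_r;
	role system_r;
')

########################################
#
# Declarations
#

# Assumed declarations: the post does not show them, but a domain and an
# entry-point type for /sw/sbin/node must exist for the rules below.
type nodejswebserver_t;
domain_type(nodejswebserver_t)

type nodejswebserver_exec_t;
domain_entry_file(nodejswebserver_t, nodejswebserver_exec_t)

# Assumed: the demo ends up as staff_u:system_r:nodejswebserver_t:s0, so
# system_r must already be authorized for the domain type.
role system_r types nodejswebserver_t;

# Rule 1 from the post: makes system_u:system_r:nodejswebserver_exec_t:s0 a
# valid file context, so the chcon no longer fails with "invalid context".
role system_r types nodejswebserver_exec_t;

########################################
#
# Local policy
#

# Rule 4 from the post. Among other rules, the macro expands to
#   allow staff_t nodejswebserver_t:process transition;
#   type_transition staff_t nodejswebserver_exec_t:process nodejswebserver_t;
# which is why the rule audit2allow suggested was already in the policy.
domtrans_pattern(staff_t, nodejswebserver_exec_t, nodejswebserver_t)

# Rules 2 and 3 from the post: switch role on exec of the node binary, and
# exempt staff_t from the constraint that blocks role changes into system_r.
role_transition staff_r nodejswebserver_exec_t system_r;
domain_system_change_exemption(staff_t)
```

Build and load it with the Fedora developer Makefile (`make -f /usr/share/selinux/devel/Makefile nodejswebserver.pp && semodule -i nodejswebserver.pp`), then relabel the binary as the post does with `chcon system_u:system_r:nodejswebserver_exec_t:s0 /sw/sbin/node`. One caveat the thread does not spell out: an .fc entry written the usual way, `/sw/sbin/node -- gen_context(system_u:object_r:nodejswebserver_exec_t,s0)`, would put the file back to object_r on the next restorecon or relabel and reintroduce the denial, so either write the entry with system_r or check `ls -Z /sw/sbin/node` after any relabel. The sesearch command from the post, plus `sesearch --role_trans -s staff_r -t nodejswebserver_exec_t` on setools 4, confirms that the type and role transitions are both in the loaded policy.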