I just want to run this script:

    #!/bin/sh
    date | mail -s "Reboot: $HOST" notify

at boot. I have this unit file:

    [Unit]
    Description=Run boot-time things
    After=network-online.target

    [Service]
    ExecStart=/usr/local/bin/notify-reboot
    Type=oneshot

    [Install]
    WantedBy=multi-user.target

Now, when I start the unit manually the email goes through. When started at boot, nothing happens. No AVCs are logged, nothing. I thought systemd wasn't starting it, or it was starting before the network or something, but that's just not the case. If I stick setenforce 0 in the script then everything works as expected.

I have verified that the unit is running as unconfined_service_t, but that doesn't actually seem to be unconfined. I must be missing something, but I'm not sure what it is. Can you actually have a truly unconfined systemd unit? How might I run something at boot which I really do want to be able to do anything at all to the system?

Digging deeper, obviously the real denial is set as dontaudit. I did semodule -DB and I do see a bunch of postfix-related things.
Including this:

type=AVC msg=audit(1488940201.691:492): avc: denied { read write } for pid=2272 comm="sendmail" path="socket:[24809]" dev="sockfs" ino=24809 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0

There are actually all sorts of postfix- and sendmail-related denials over a couple of boots as I've tried to work this out:

type=AVC msg=audit(1488939995.980:342): avc: denied { rlimitinh } for pid=16564 comm="postfix" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=process permissive=1
type=AVC msg=audit(1488939995.980:343): avc: denied { noatsecure } for pid=16564 comm="postfix" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=process permissive=1
type=AVC msg=audit(1488940104.809:299): avc: denied { rlimitinh } for pid=858 comm="postfix" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940104.809:300): avc: denied { noatsecure } for pid=858 comm="postfix" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940105.006:334): avc: denied { rlimitinh } for pid=972 comm="pickup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_pickup_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940105.006:335): avc: denied { siginh } for pid=972 comm="pickup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_pickup_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940105.006:336): avc: denied { rlimitinh } for pid=973 comm="qmgr" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_qmgr_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940105.006:337): avc: denied { siginh } for pid=973 comm="qmgr" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_qmgr_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940105.006:338): avc: denied { noatsecure } for pid=972 comm="pickup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_pickup_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940105.007:339): avc: denied { noatsecure } for pid=973 comm="qmgr" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_qmgr_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940201.691:493): avc: denied { read write } for pid=2272 comm="sendmail" path="socket:[24809]" dev="sockfs" ino=24809 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1488940201.701:494): avc: denied { rlimitinh } for pid=2273 comm="postdrop" scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:postfix_postdrop_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1488940201.701:495): avc: denied { siginh } for pid=2273 comm="postdrop" scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:postfix_postdrop_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1488940201.709:496): avc: denied { rlimitinh } for pid=2274 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940201.709:497): avc: denied { siginh } for pid=2274 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940201.710:498): avc: denied { noatsecure } for pid=2274 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940201.727:499): avc: denied { rlimitinh } for pid=2276 comm="smtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940201.727:500): avc: denied { siginh } for pid=2276 comm="smtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940201.727:501): avc: denied { noatsecure } for pid=2276 comm="smtp" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_smtp_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940201.691:492): avc: denied { read write } for pid=2272 comm="sendmail" path="socket:[24809]" dev="sockfs" ino=24809 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0

- J
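A triage helper, added here as an editor's example and not part of the post above: after `semodule -DB` the audit log fills with `rlimitinh`/`siginh`/`noatsecure` process denials that policy normally dontaudits on every domain transition, so this script parses AVC lines (the sample is a subset of the lines quoted above), sets that transition noise aside, and summarises what remains by source type, target type, class and permissions. The assumption that those three permissions are noise is the usual SELinux triage rule of thumb, not something the post states.

```python
import re
from collections import Counter

# Sample AVC lines copied from the post above (a subset).
AVC_LOG = """\
type=AVC msg=audit(1488940201.691:492): avc: denied { read write } for pid=2272 comm="sendmail" path="socket:[24809]" dev="sockfs" ino=24809 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1488939995.980:342): avc: denied { rlimitinh } for pid=16564 comm="postfix" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=process permissive=1
type=AVC msg=audit(1488940105.006:335): avc: denied { siginh } for pid=972 comm="pickup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_pickup_t:s0 tclass=process permissive=0
type=AVC msg=audit(1488940201.710:498): avc: denied { noatsecure } for pid=2274 comm="cleanup" scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_cleanup_t:s0 tclass=process permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Process permissions that policy dontaudits on ordinary domain transitions;
# they only become visible after `semodule -DB` and are rarely the real cause.
TRANSITION_NOISE = {"rlimitinh", "siginh", "noatsecure"}

def domain(ctx):
    """Return the type field (third colon-separated part) of a context."""
    return ctx.split(":")[2]

def parse_avc(text):
    """Parse 'avc: denied' lines into dicts; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = frozenset(d["perms"].split())
            rows.append(d)
    return rows

def triage(rows):
    """Split denials into (transition noise, everything else)."""
    noise, real = [], []
    for r in rows:
        if r["tclass"] == "process" and r["perms"] <= TRANSITION_NOISE:
            noise.append(r)
        else:
            real.append(r)
    return noise, real

def summarize(rows):
    """Count denials by (source type, target type, class, sorted perms)."""
    return Counter((domain(r["scontext"]), domain(r["tcontext"]), r["tclass"],
                    " ".join(sorted(r["perms"]))) for r in rows)

if __name__ == "__main__":
    noise, real = triage(parse_avc(AVC_LOG))
    print(f"{len(noise)} transition-noise denials set aside")
    for key, n in summarize(real).items():
        print(n, key)
```

Run against the full dump in the post, the only non-noise entry is system_mail_t writing to an init_t unix_stream_socket, which is the denial worth explaining.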