2017-06-30 14:23 GMT+02:00 Juan Orti Alcaine <j.orti.alcaine@xxxxxxxxx>:
2017-06-30 12:42 GMT+02:00 Lukas Vrabec <lvrabec@xxxxxxxxxx>:
On 06/28/2017 09:36 AM, Thomas Mueller wrote:
Hey Juan
I'm troubleshooting the radicale policy but I cannot figure out why the service fails to transition to radicale_t. It runs in the init_t domain.
How are you starting this service?
systemctl start radicale.service
I cannot find where the problem is. I see other daemons are also using init_daemon_domain. Why is mine not transitioning?
I guess this should be enough:
type radicale_t;
type radicale_exec_t;
init_daemon_domain(radicale_t, radicale_exec_t)
But I get AVCs like these:
SELinux is preventing radicale from ioctl access on the file /usr/bin/radicale.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that radicale should be allowed ioctl access on the radicale file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'radicale' --raw | audit2allow -M my-radicale
# semodule -X 300 -i my-radicale.pp
Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:object_r:radicale_exec_t:s0
Target Objects /usr/bin/radicale [ file ]
Source radicale
Source Path radicale
Port <Unknown>
Host xenon
Source RPM Packages
Target RPM Packages
Policy RPM <Unknown>
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name xenon
Platform Linux xenon 4.11.6-301.fc26.x86_64 #1 SMP Tue Jun 20 16:17:33 UTC 2017 x86_64 x86_64
Alert Count 39
First Seen 2017-06-27 19:39:30 CEST
Last Seen 2017-06-30 15:49:43 CEST
Local ID a3b3d3eb-d7ba-4e1f-a1eb-c46409986dfb
Raw Audit Messages
type=AVC msg=audit(1498830583.883:418): avc: denied { ioctl } for pid=11577 comm="radicale" path="/usr/bin/radicale" dev="dm-0" ino=1973935 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:radicale_exec_t:s0 tclass=file permissive=0
Hash: radicale,init_t,radicale_exec_t,file,ioctl
------------------------------
SELinux is preventing radicale from read access on the file /etc/radicale/config.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that radicale should be allowed read access on the config file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'radicale' --raw | audit2allow -M my-radicale
# semodule -X 300 -i my-radicale.pp
Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:object_r:radicale_etc_t:s0
Target Objects /etc/radicale/config [ file ]
Source radicale
Source Path radicale
Port <Unknown>
Host xenon
Source RPM Packages
Target RPM Packages
Policy RPM <Unknown>
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name xenon
Platform Linux xenon 4.11.6-301.fc26.x86_64 #1 SMP Tue Jun 20 16:17:33 UTC 2017 x86_64 x86_64
Alert Count 10
First Seen 2017-06-27 19:39:30 CEST
Last Seen 2017-06-30 15:49:43 CEST
Local ID 77f4e686-55dc-49d3-a01c-a5c3caac9959
Raw Audit Messages
type=AVC msg=audit(1498830583.859:412): avc: denied { read } for pid=11577 comm="radicale" name="config" dev="dm-0" ino=1201229 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:radicale_etc_t:s0 tclass=file permissive=0
Hash: radicale,init_t,radicale_etc_t,file,read
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
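The denials quoted in the thread all have scontext init_t, not radicale_t, which is the actual symptom: the process never left init's domain, so the sealert "catchall" advice (pipe the denials through audit2allow) would install allow rules for init_t and paper over the missing transition rather than fix it. The following is an added example, not code from the thread or from the radicale policy: a small triage script that parses raw AVC records, decodes the one ioctl seen here (0x5401 is TCGETS, the request isatty()/tcgetattr() make), and classifies each denial as "missing allow rule in the daemon's domain" versus "no domain transition happened". The two sample records are the raw audit messages from the thread, embedded as constructed input so the script runs offline; the helper names (parse_avcs, diagnose, audit2allow_would_emit) and the rule formatting in audit2allow_would_emit are my own approximation, not audit2allow's exact output.

```python
"""Triage SELinux AVC denials for a daemon that should run in its own domain.

Added example, not code from the thread or from the radicale policy. The two
sample records below are the raw audit messages quoted in the thread, copied
here as constructed input so the script runs offline.
"""
import re
from dataclasses import dataclass

SAMPLE_AVCS = """\
type=AVC msg=audit(1498830583.883:418): avc: denied { ioctl } for pid=11577 comm="radicale" path="/usr/bin/radicale" dev="dm-0" ino=1973935 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:radicale_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1498830583.859:412): avc: denied { read } for pid=11577 comm="radicale" name="config" dev="dm-0" ino=1201229 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:radicale_etc_t:s0 tclass=file permissive=0
"""

# Shape of a record: 'avc: denied { perm perm } for key=value key="value" ...'
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Only the ioctl seen in the thread is decoded: 0x5401 is TCGETS on x86 Linux,
# the request isatty()/tcgetattr() issue when a program probes a descriptor.
KNOWN_IOCTLS = {0x5401: "TCGETS"}


@dataclass
class Avc:
    perms: list
    fields: dict

    def type_of(self, key):
        # A context is user:role:type[:range]; the type is the third field.
        return self.fields[key].split(":")[2]


def parse_avcs(text):
    """Parse raw AVC lines; lines that are not denials are skipped."""
    avcs = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        avcs.append(Avc(m.group("perms").split(), fields))
    return avcs


def describe_ioctl(avc):
    """Symbolic name for ioctlcmd, the raw hex string if unknown, None if absent."""
    cmd = avc.fields.get("ioctlcmd")
    if cmd is None:
        return None
    return KNOWN_IOCTLS.get(int(cmd, 16), cmd)


def diagnose(avcs, expected_domain, exec_type, parent_domain="init_t"):
    """Classify each denial as (source type, target type, perms, verdict).

    Source type == expected_domain: the transition worked and this is an
    ordinary missing allow rule. Source type == parent_domain (init_t for a
    systemd service): the exec never transitioned, and allow rules written
    for expected_domain cannot silence it.
    """
    findings = []
    for a in avcs:
        src, tgt = a.type_of("scontext"), a.type_of("tcontext")
        if src == expected_domain:
            why = "missing allow rule in %s" % expected_domain
        elif src == parent_domain:
            why = "no domain transition: process is still %s" % parent_domain
            if tgt == exec_type:
                why += "; the entrypoint %s is being read as a file, not exec'd" % exec_type
        else:
            why = "unexpected source domain"
        findings.append((src, tgt, tuple(a.perms), why))
    return findings


def audit2allow_would_emit(avcs):
    """Approximate the allow rules the sealert catchall suggestion would install.

    Written out to show that for these denials the rules go to init_t, i.e.
    they widen init's permissions instead of fixing the transition. The
    formatting approximates audit2allow output; it is not its exact text.
    """
    rules = set()
    for a in avcs:
        rules.add("allow %s %s:%s { %s };" % (
            a.type_of("scontext"), a.type_of("tcontext"),
            a.fields["tclass"], " ".join(sorted(a.perms))))
    return sorted(rules)


if __name__ == "__main__":
    avcs = parse_avcs(SAMPLE_AVCS)
    for a, (src, tgt, perms, why) in zip(avcs, diagnose(avcs, "radicale_t", "radicale_exec_t")):
        ioctl = describe_ioctl(a)
        print("%s -> %s %s%s: %s" % (src, tgt, " ".join(perms),
                                      " (%s)" % ioctl if ioctl else "", why))
    print("catchall would add:")
    for rule in audit2allow_would_emit(avcs):
        print("  " + rule)
```

Run it against `ausearch -m AVC --raw` output instead of the embedded sample to triage a live system; any finding whose source type is init_t points at the exec path (unit file ExecStart, the label on the file actually exec'd, the type_transition rule for that label), not at more allow rules.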