Re: Cannot transition to radicale_t domain

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



2017-06-30 14:23 GMT+02:00 Juan Orti Alcaine <j.orti.alcaine@xxxxxxxxx>:
2017-06-30 12:42 GMT+02:00 Lukas Vrabec <lvrabec@xxxxxxxxxx>:
On 06/28/2017 09:36 AM, Thomas Mueller wrote:
Hey Juan

I'm troubleshooting the radicale policy but I cannot figure why the service fails to transition to radicale_t. It runs in the init_t domain.


How you starting this service?


​​systemctl start radicale.service​​


​I cannot find where is the problem, I see other daemons are also using init_daemon_domain. Why mine is it not transitioning?

I guess this should be enough:

type radicale_t;
type radicale_exec_t;
init_daemon_domain(radicale_t, radicale_exec_t)
​But I get AVCs like these:

SELinux is preventing radicale from ioctl access on the file /usr/bin/radicale.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that radicale should be allowed ioctl access on the radicale file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'radicale' --raw | audit2allow -M my-radicale
# semodule -X 300 -i my-radicale.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:radicale_exec_t:s0
Target Objects                /usr/bin/radicale [ file ]
Source                        radicale
Source Path                   radicale
Port                          <Unknown>
Host                          xenon
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     xenon
Platform                      Linux xenon 4.11.6-301.fc26.x86_64 #1 SMP Tue Jun
                              20 16:17:33 UTC 2017 x86_64 x86_64
Alert Count                   39
First Seen                    2017-06-27 19:39:30 CEST
Last Seen                     2017-06-30 15:49:43 CEST
Local ID                      a3b3d3eb-d7ba-4e1f-a1eb-c46409986dfb

Raw Audit Messages
type=AVC msg=audit(1498830583.883:418): avc:  denied  { ioctl } for  pid=11577 comm="radicale" path="/usr/bin/radicale" dev="dm-0" ino=1973935 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:radicale_exec_t:s0 tclass=file permissive=0


Hash: radicale,init_t,radicale_exec_t,file,ioctl

------------------------------

SELinux is preventing radicale from read access on the file /etc/radicale/config.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that radicale should be allowed read access on the config file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'radicale' --raw | audit2allow -M my-radicale
# semodule -X 300 -i my-radicale.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:radicale_etc_t:s0
Target Objects                /etc/radicale/config [ file ]
Source                        radicale
Source Path                   radicale
Port                          <Unknown>
Host                          xenon
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     xenon
Platform                      Linux xenon 4.11.6-301.fc26.x86_64 #1 SMP Tue Jun
                              20 16:17:33 UTC 2017 x86_64 x86_64
Alert Count                   10
First Seen                    2017-06-27 19:39:30 CEST
Last Seen                     2017-06-30 15:49:43 CEST
Local ID                      77f4e686-55dc-49d3-a01c-a5c3caac9959

Raw Audit Messages
type=AVC msg=audit(1498830583.859:412): avc:  denied  { read } for  pid=11577 comm="radicale" name="config" dev="dm-0" ino=1201229 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:radicale_etc_t:s0 tclass=file permissive=0


Hash: radicale,init_t,radicale_etc_t,file,read



_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux