Re: new service blocked by selinux

Hello Rod,

It would be interesting to see both the systemd unit and the complete AVC message. You can retrieve the latter using:

# ausearch -m avc -ts recent

just after triggering the error.

Another thought: since you are using a script in a specific user's private bin path, it might be better to use a user-specific systemd unit as well.
Otherwise, use a system-wide path for the executable (I'd suggest /usr/local/bin), and a system-wide unit (as you already do).


On Sun, May 24, 2020 at 3:37 AM Rod Davison <roddavison@xxxxxxxxx> wrote:
I am running Fedora 32. I am trying to start a program as a service and run it with a non-root user id (radmin).

I have created /home/radmin/bin/jungledisk.sh (which has permission ug=rwx)
I have created /etc/systemd/system/jungledisk.service

When I start the service with "sudo systemctl restart jungledisk.service" I get error messages -- see below.

I have attempted to follow the instructions to create a local policy from the log file by executing:

sudo ausearch -c '(edisk.sh)' --raw | sudo audit2allow -M my-edisksh
sudo semodule -X 300 -i my-edisksh.pp

however, the behaviour is the same after running this.

The jungledisk.service file is attempting to run jungledisk.sh as user radmin, if that's relevant.

Advice appreciated.

The following is in my /var/log/messages file:

May 23 17:53:32 localhost systemd[613445]: jungledisk.service: Failed to execute command: Permission denied
May 23 17:53:32 localhost systemd[613445]: jungledisk.service: Failed at step EXEC spawning /home/radmin/bin/jungledisk.sh: Permission denied
...
May 23 17:53:34 localhost setroubleshoot[613447]: SELinux is preventing (edisk.sh) from execute_no_trans access on the file /home/radmin/bin/jungledisk.sh. For complete SELinux messages run: sealert -l 0b9955ca-66c6-4039-9999-2dd7d4ec0fc8
May 23 17:53:34 localhost python3[613447]: SELinux is preventing (edisk.sh) from execute_no_trans access on the file /home/radmin/bin/jungledisk.sh.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that (edisk.sh) should be allowed execute_no_trans access on the jungledisk.sh file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c '(edisk.sh)' --raw | audit2allow -M my-edisksh#012# semodule -X 300 -i my-edisksh.pp#012
May 23 17:53:34 localhost dbus-broker-launch[281848]: avc:  received policyload notice (seqno=3)
May 23 17:53:34 localhost dbus-broker-launch[281848]: avc:  received policyload notice (seqno=4)
May 23 17:53:34 localhost systemd[11047]: selinux: avc:  received policyload notice (seqno=3)
May 23 17:53:34 localhost systemd[11047]: selinux: avc:  received policyload notice (seqno=4)
May 23 17:53:34 localhost systemd[11047]: Started dbus-:1.1-org.freedesktop.Notifications@14.service.
May 23 17:53:34 localhost at-spi-bus-launcher[294822]: avc:  received policyload notice (seqno=3)
May 23 17:53:34 localhost at-spi-bus-launcher[294822]: avc:  received policyload notice (seqno=4)
May 23 17:53:37 localhost setroubleshoot[613447]: SELinux is preventing (edisk.sh) from execute_no_trans access on the file /home/radmin/bin/jungledisk.sh. For complete SELinux messages run: sealert -l 0b9955ca-66c6-4039-9999-2dd7d4ec0fc8
May 23 17:53:37 localhost python3[613447]: SELinux is preventing (edisk.sh) from execute_no_trans access on the file /home/radmin/bin/jungledisk.sh.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that (edisk.sh) should be allowed execute_no_trans access on the jungledisk.sh file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c '(edisk.sh)' --raw | audit2allow -M my-edisksh#012# semodule -X 300 -i my-edisksh.pp#012
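An added example, not part of either message in this thread, showing how to read the raw AVC record that `ausearch -m avc -ts recent` returns and turn it into the question that matters here: which domain was denied, which label the target file carries, and whether relabelling or relocating the script (the reply's /usr/local/bin suggestion) is the safer fix than an audit2allow module. The record below is constructed to match the setroubleshoot summary in the thread; its pid, inode, device and the two security contexts (init_t for systemd, user_home_t for a file under /home) are assumptions, since the original report only includes the summary lines.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of a raw AVC record for the denial in this thread.
# Assumptions: systemd runs in init_t, and a script under /home/radmin/bin
# gets the default home-directory label user_home_t. pid/ino/dev are made up.
# comm is systemd's placeholder name for the child between fork() and exec():
# the tail of the executable path in parentheses, hence "(edisk.sh)".
SAMPLE_AVC = (
    'type=AVC msg=audit(1590277412.601:4321): avc:  denied  { execute_no_trans } '
    'for  pid=613445 comm="(edisk.sh)" path="/home/radmin/bin/jungledisk.sh" '
    'dev="dm-0" ino=1048577 scontext=system_u:system_r:init_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
)

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    decision: str
    perms: tuple
    fields: dict

    def context_type(self, key: str) -> Optional[str]:
        """Return the type (third colon-separated part) of scontext/tcontext."""
        ctx = self.fields.get(key)
        if ctx is None:
            return None
        parts = ctx.split(':')
        return parts[2] if len(parts) >= 3 else None


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one raw AVC line; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = tuple(m.group('perms').split())
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return AvcRecord(m.group('decision'), perms, fields)


def explain(rec: AvcRecord) -> str:
    """State what was denied and the least-privilege way to resolve it."""
    if rec.decision != 'denied':
        return 'not a denial'
    src = rec.context_type('scontext')
    tgt = rec.context_type('tcontext')
    path = rec.fields.get('path', '<unknown path>')
    if 'execute_no_trans' in rec.perms and rec.fields.get('tclass') == 'file':
        if tgt and tgt.endswith('home_t'):
            # The policy has no rule letting a system domain run home-labelled
            # files. Fix the label or location, not the policy: an audit2allow
            # module would let src run anything under /home from then on.
            return (
                f"{src} tried to execute {path}, which is labelled {tgt}. "
                f"Move it to a system path such as /usr/local/bin (labelled bin_t), "
                f"or label it with 'semanage fcontext -a -t bin_t <path-pattern>' "
                f"and 'restorecon -v {path}', instead of an audit2allow module."
            )
        return f"{src} may not execute {path} ({tgt}) without a domain transition."
    return f"{src} denied {' '.join(rec.perms)} on {rec.fields.get('tclass')} {path} ({tgt})"


if __name__ == '__main__':
    record = parse_avc(SAMPLE_AVC)
    if record is not None:
        print(explain(record))
```

The parser ignores non-AVC lines (such as the `Started ...service` journal lines in the thread), so the same loop can be run over the whole `ausearch --raw` output to pull out only the denials.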

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx