On 1/30/19 4:21 PM, Ian Pilcher wrote:
> Does $SUBJECT ever work?
>
> I am trying to figure out why a script is failing when run by
> certmonger (system_u:system_r:certmonger_t:s0), but attempting to run
> any executable is giving me a denial.
>
> $ sudo runcon system_u:system_r:certmonger_t:s0 /bin/true
> runcon: ‘/bin/true’: Permission denied
>
> type=AVC msg=audit(1548883146.502:300): avc: denied { entrypoint } for
> pid=12697 comm="runcon" path="/usr/bin/true" dev="dm-3" ino=2190
> scontext=system_u:system_r:certmonger_t:s0
> tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
>
> Am I doing something wrong?
A key aspect of type enforcement is ensuring that a given domain can
only be entered via an approved executable and can only execute
authorized code. Hence, the entrypoint check. This means that if you
want to experiment with running some other program in a domain, you must
do one of the following:
1) Label the file in question with the authorized type, e.g.
cp /bin/true .
chcon -t certmonger_exec_t true
runcon system_u:system_r:certmonger_t:s0 ./true
2) Create and insert a local policy module allowing entrypoint to the
type of the file,
-or-
3) Make the domain permissive or set the global enforcing mode to
permissive.
You may also encounter other denials related to the transition since
normally certmonger wouldn't be started this way.
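As an added example (not code from either poster), the script below turns the AVC line from the original post into the rule and the minimal .te source an option-2 local module would need, roughly what audit2allow does for a single denial; the function names and the module name local_certmonger are assumptions of this example. It also shows why option 1 is the narrower choice: the generated rule makes every bin_t file an entrypoint for certmonger_t, not just one relabelled copy of /bin/true.

```shell
# Added example, not from the thread. Input is the denial from the post,
# joined onto one line (constructed from the quoted audit record).
AVC='type=AVC msg=audit(1548883146.502:300): avc: denied { entrypoint } for pid=12697 comm="runcon" path="/usr/bin/true" dev="dm-3" ino=2190 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: value of "KEY=value" in LINE (AVC values contain no spaces).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permissions listed between "denied {" and "}".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\)} for.*/\1/p' | sed 's/[[:space:]]*$//'
}

# perm_set PERMS: brace a multi-permission set, as policy syntax requires.
perm_set() {
    case "$1" in
        *' '*) printf '{ %s }\n' "$1" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# avc_to_rule LINE: the allow rule that would satisfy this one denial.
avc_to_rule() {
    printf 'allow %s %s:%s %s;\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" "$(perm_set "$(avc_perms "$1")")"
}

# avc_to_module NAME LINE: complete .te source for checkmodule(8). Caveat: the
# rule applies to every bin_t file, far broader than relabelling one copy
# as certmonger_exec_t (option 1 in the reply above).
avc_to_module() {
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s %s;\n}\n\n' \
        "$1" "$(ctx_type "$(avc_field "$2" scontext)")" \
        "$(ctx_type "$(avc_field "$2" tcontext)")" \
        "$(avc_field "$2" tclass)" "$(perm_set "$(avc_perms "$2")")"
    avc_to_rule "$2"
}

avc_to_module local_certmonger "$AVC"
# Build/insert: checkmodule -M -m -o local_certmonger.mod local_certmonger.te;
#   semodule_package -o local_certmonger.pp -m local_certmonger.mod; semodule -i local_certmonger.pp
```

Redirect the output to local_certmonger.te before running the checkmodule/semodule_package/semodule steps in the trailing comment; any further denials from the transition, as the reply notes, will need their own lines fed through the same functions.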