I've run into another issue while developing a policy for my service.
It needs to run systemctl (via sudo), and I hit this denial:
type=AVC msg=audit(1570051321.409:1773): avc: denied { getattr } for
pid=3682 comm="sudo" path="/usr/bin/systemctl" dev="dm-0" ino=12586503
scontext=system_u:system_r:denatc_sudo_t:s0
tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
permissive=0
I would have expected this to be simple. Add the following to my
policy:
require {
    type systemctl_exec_t;
}
allow denatc_sudo_t systemctl_exec_t:file { getattr };
I am able to build a policy module (.pp file), but I am unable to load
it:
Failed to resolve typeattributeset statement at
/etc/selinux/targeted/tmp/modules/400/denatc/cil:16
semodule: Failed!
After figuring out how to generate the .cil file, I've determined that
line 16 is:
(typeattributeset cil_gen_require systemctl_exec_t)
This is obviously a showstopper, and Google isn't finding anything
useful.
--
========================================================================
Ian Pilcher arequipeno@xxxxxxxxx
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
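As an added illustration (not part of the original post), a small check that compares the type names in a module's require block against the types that actually appear in the AVC denials it is meant to address. A required type that exists in no denial is worth a second look before running semodule, because a require statement naming a type the installed policy does not define is one cause of an unresolved cil_gen_require typeattributeset at load time. The sample AVC record and policy fragment below are constructed from the post.

```python
import re

# Constructed sample input: the AVC record and policy fragment from the post.
AVC_LOG = """type=AVC msg=audit(1570051321.409:1773): avc: denied { getattr } for
pid=3682 comm="sudo" path="/usr/bin/systemctl" dev="dm-0" ino=12586503
scontext=system_u:system_r:denatc_sudo_t:s0
tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
permissive=0"""

POLICY_TE = """require {
    type systemctl_exec_t;
}
allow denatc_sudo_t systemctl_exec_t:file { getattr };
"""

# user:role:TYPE:level -> capture the type field of scontext/tcontext
CONTEXT_RE = re.compile(r"\b(scontext|tcontext)=\w+:\w+:(\w+):")
REQUIRE_RE = re.compile(r"require\s*\{(.*?)\}", re.S)
TYPE_RE = re.compile(r"\btype\s+([^;]+);")

def denied_types(avc_text):
    """Return the set of source and target type names seen in AVC records."""
    return {m.group(2) for m in CONTEXT_RE.finditer(avc_text)}

def required_types(te_text):
    """Return the type names declared in the module's require { } block(s)."""
    types = set()
    for block in REQUIRE_RE.finditer(te_text):
        for decl in TYPE_RE.finditer(block.group(1)):
            types.update(t.strip() for t in decl.group(1).split(","))
    return types

def unresolved_requires(te_text, avc_text):
    """Heuristic: required types that appear in none of the denials.
    Such a name is suspect; if the installed policy lacks it, the module
    fails to resolve when loaded with semodule."""
    return sorted(required_types(te_text) - denied_types(avc_text))

def suggest(te_text, avc_text):
    """For each suspect name, list denial types that share its suffix,
    e.g. systemctl_exec_t -> systemd_systemctl_exec_t."""
    seen = denied_types(avc_text)
    return {name: sorted(t for t in seen if t.endswith(name) or name.endswith(t))
            for name in unresolved_requires(te_text, avc_text)}

if __name__ == "__main__":
    print(unresolved_requires(POLICY_TE, AVC_LOG))  # ['systemctl_exec_t']
    print(suggest(POLICY_TE, AVC_LOG))
```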