Over the years, I've written several Python-based daemons for my home
network. I've also written SELinux policies for these daemons.
After a recent CentOS 7 update, which includes
selinux-policy-targeted-3.13.1-266.el7.noarch, these daemons are failing
to start:
type=AVC msg=audit(1588171416.424:157): avc: denied { execute } for
pid=3359 comm="denatc" path="/usr/bin/python2.7" dev="dm-0"
ino=12679476 scontext=system_u:system_r:denatc_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
For some reason, these policies worked in the past without including
specific permission to execute bin_t files (something that I'd prefer to
avoid, as it's awfully broad).
Does anyone have any idea what changed (i.e. why did this work before)?
Is there any way to make things work other than giving any Python-based
daemon permission to execute *any* bin_t file?
Thanks!
--
========================================================================
In Soviet Russia, Google searches you!
========================================================================
