On Wed, Apr 29, 2020 at 12:01 PM Ian Pilcher <arequipeno@xxxxxxxxx> wrote:
>
> Over the years, I've written several Python-based daemons for my home
> network. I've also written SELinux policies for these daemons.
>
> After a recent CentOS 7 update, which includes
> selinux-policy-targeted-3.13.1-266.el7.noarch, these daemons are failing
> to start:
>
> type=AVC msg=audit(1588171416.424:157): avc: denied { execute } for
> pid=3359 comm="denatc" path="/usr/bin/python2.7" dev="dm-0"
> ino=12679476 scontext=system_u:system_r:denatc_t:s0
> tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
>
> For some reason, these policies worked in the past without including
> specific permission to execute bin_t files (something that I'd prefer to
> avoid, as it's awfully broad).
>
> Does anyone have any idea what changed (i.e. why did this work before)?
>
> Is there any way to make things work other than giving any Python-based
> daemon permission to execute *any* bin_t file?

Sounds similar to
https://lore.kernel.org/selinux/23A084A9-66A1-4E02-A766-F9214E63A628@xxxxxxxx/,
which may be due to a kernel change outside SELinux as per that thread.
It is logically correct since the new domain is executing from the
interpreter. Note that it cannot execve() arbitrary bin_t files without
execute_no_trans permission, although it can open/mmap PROT_EXEC them
with execute permission. You can reduce the scope by defining and
assigning a specific type to /usr/bin/python2.7 but obviously that will
have a rippling impact on the rest of the policy.
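The dedicated-interpreter-type approach suggested in the reply, written out as an added example that is not part of the original thread: the module name denatc_python and the type name python2_interp_exec_t are assumptions; denatc_t and the /usr/bin/python2.7 path come from the AVC record above.

```selinux
# denatc_python.te (assumed module name, refpolicy-style source)
policy_module(denatc_python, 1.0)

require {
    type denatc_t;
}

# Dedicated label for the Python 2.7 interpreter binary, so the daemon
# domain gets execute on this one file instead of on every bin_t file.
type python2_interp_exec_t;
corecmd_executable_file(python2_interp_exec_t)

# The denial above is file:execute on the interpreter while already
# running as denatc_t (the new domain loads the interpreter via
# open/mmap PROT_EXEC). execute_no_trans is deliberately left out, so
# denatc_t still cannot execve() the interpreter as an arbitrary program.
# 'map' is required once the loaded policy defines that permission;
# drop it on an older policy that rejects it.
allow denatc_t python2_interp_exec_t:file { getattr open read map execute };

# denatc_python.fc: relabel the interpreter; run
# 'restorecon -v /usr/bin/python2.7' after installing the module.
/usr/bin/python2\.7    --    gen_context(system_u:object_r:python2_interp_exec_t,s0)
```

Relabeling the interpreter away from bin_t means every other confined domain that ran python2.7 under a bin_t rule now needs an equivalent rule for python2_interp_exec_t; that is the rippling impact the reply warns about, so check with `sesearch -A -t bin_t -c file -p execute` which domains are affected before loading it.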