[selinux] Re: Idiomatic solution for tiny systemd "services"?

Robin Lee Powell rlpowell at digitalkingdom.org
Tue Mar 3 07:34:38 UTC 2015


On Mon, Feb 16, 2015 at 10:35:42AM -0800, Robin Lee Powell wrote:
> On Mon, Feb 16, 2015 at 11:21:29AM +0100, Miroslav Grepl wrote:
> > On 02/15/2015 06:51 PM, Robin Lee Powell wrote:
> > >On Sun, Feb 15, 2015 at 08:44:07AM -0500, Daniel J Walsh wrote:
> > >>On 02/11/2015 08:51 PM, Robin Lee Powell wrote:
> > >>>Hey all.  I have a tiny web service that I'm running with a ruby
> > >>>script in ~/.rvm/ , and I'd like to run it out of systemd (just
> > >>>to keep it running always), but init_t can't read or execute
> > >>>user_home_t.
> > >>>
> > >>>Nor can init_t run runcon.
> > >>>
> > >>>Basically, I can't figure out any way to transition from
> > >>>systemd's init_t to my user's type (staff_t).
> > >>>
> > >>>So what's the idiomatic way to handle that sort of thing?
> > >>>
> > >>init_t should be transitioning to a context that can read content
> > >>in the users homedir.  What is the label on the ruby script?
> > >user_home_t; I had no idea what to try.
> > >
> > >>Which policy are you using?
> > >Whatever comes with F20.
> > >
> > >>Do you have unconfined.pp disabled?
> > >Yes.
> > >
> > >>Also do you have the actual avcs you are seeing?
> > >Uh, not anymore I'm afraid; I had to find a workaround and move on.
> > >I can regenerate them if it's important?
> > >
> > How does your unit file look for this service?
> 
> I tried several versions; here's the last of them:
> 
> [Unit]
> Description=Converts Google Docs files to Archive Of Our Own's input format
> 
> [Service]
> ExecStart=/home/rlpowell/.rvm/wrappers/ruby-2.2.0@sinatra/ruby /home/rlpowell/src/gdoc-to-ao3/gdoc-to-ao3.rb -p 9080 -o 192.168.123.133
> Restart=always
> User=rlpowell
> Group=rlpowell
> 
> [Install]
> WantedBy=multi-user.target
> 
> A wide variety of AVCs were caused as I played around with various
> options, but it was the execute ones that caused me the most
> trouble; here are some examples:
> 
> type=AVC msg=audit(1423701682.841:7262587): avc:  denied  { execute_no_trans } for  pid=2299 comm="(ruby)" path="/home/tmp/rlpowell/rvm/gems/ruby-2.2.0@sinatra/wrappers/ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> type=AVC msg=audit(1423701682.844:7262593): avc:  denied  { execute } for  pid=2299 comm="bash" name="ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> type=AVC msg=audit(1423701682.844:7262594): avc:  denied  { execute_no_trans } for  pid=2299 comm="bash" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/bin/ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> type=AVC msg=audit(1423701992.343:7262805): avc:  denied  { execute } for  pid=2476 comm="runcon" name="ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> type=AVC msg=audit(1423702215.494:7263051): avc:  denied  { execute } for  pid=2646 comm="runcon" name="ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> type=AVC msg=audit(1423703784.821:7264163): avc:  denied  { execute } for  pid=3456 comm="(ruby)" name="ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> type=AVC msg=audit(1423703784.821:7264163): avc:  denied  { execute_no_trans } for  pid=3456 comm="(ruby)" path="/home/tmp/rlpowell/rvm/gems/ruby-2.2.0@sinatra/wrappers/ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> type=AVC msg=audit(1423703784.824:7264171): avc:  denied  { execute } for  pid=3456 comm="bash" name="ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> type=AVC msg=audit(1423703784.824:7264172): avc:  denied  { execute_no_trans } for  pid=3456 comm="bash" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/bin/ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> type=AVC msg=audit(1423703851.301:7264239): avc:  denied  { execute } for  pid=3497 comm="ruby" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/lib/libruby.so.2.2.0" dev="vdd1" ino=1353561 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> type=AVC msg=audit(1423704154.718:7264336): avc:  denied  { execute } for  pid=3587 comm="ruby" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/lib/ruby/2.2.0/x86_64-linux/enc/encdb.so" dev="vdd1" ino=1718629 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
> 
> Once I had those solved, I hit the problem that this script listens
> on a high port.  Now, I have things configured so that staff_t can
> do that, but this wouldn't run as staff_t, so I gave up and used the
> ruby "daemons" gem instead.

And now I'm trying to get parsoid running; same sort of situation.

Here's the AVCs so far:

type=AVC msg=audit(03/02/2015 23:30:11.565:327341) : avc:  denied  { execmem } for  pid=5114 comm=node scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(03/02/2015 23:30:11.628:327342) : avc:  denied  { open } for  pid=5114 comm=node path=/srv/parsoid/api/server.js dev="vdb1" ino=1048596 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(03/02/2015 23:30:11.628:327342) : avc:  denied  { read } for  pid=5114 comm=node name=server.js dev="vdb1" ino=1048596 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(03/02/2015 23:30:12.783:327350) : avc:  denied  { name_bind } for  pid=5114 comm=node src=9999 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(03/02/2015 23:30:31.592:327354) : avc:  denied  { setrlimit } for  pid=5133 comm=sh scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process

and here's the service file:

[Unit]
Description=Mediawiki Parsoid web service on node.js
Documentation=http://www.mediawiki.org/wiki/Parsoid
Wants=local-fs.target network.target
After=local-fs.target network.target

[Install]
WantedBy=multi-user.target

[Service]
Type=simple
User=apache
Group=apache
WorkingDirectory=/srv/parsoid
EnvironmentFile=-/etc/parsoid/parsoid.env
ExecStart=/usr/bin/node /srv/parsoid/api/server.js
KillMode=process
Restart=on-success
PrivateTmp=true
StandardOutput=syslog

------

It doesn't have to be user Apache.

Any hints?

Is there a more active place I could be asking this question?
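The denials quoted in this thread fall into a few distinct buckets, and each bucket has a different idiomatic fix: an `execute`/`execute_no_trans` denial from init_t or initrc_t against user_home_t or var_t means the file carries a generic label the init domains are not meant to run (relabel it, for example to bin_t, with `semanage fcontext` and `restorecon`), a `name_bind` denial against jboss_management_port_t means tcp/9999 is already owned by another port type (change the port label with `semanage port -m`), and `execmem` on a node process is usually a boolean or a local module question. The script below is an added example, not code from the thread or from Parsoid, RVM or the SELinux tools it mentions. It parses both AVC layouts that appear above (raw audit.log records and `ausearch -i` interpreted output), groups them the way audit2allow does, and prints the audit2allow-style rule next to the fix a practitioner would actually apply. The sample input is copied from the posts above (the RVM gemset path is written with its `@` separator); the `<...>` placeholders in the output, the `local_fix` module name and the choice of bin_t are this example's assumptions, not anything the thread states.

```python
"""Triage SELinux AVC denials: group them like audit2allow, then say which fix applies.

Added example for this thread, not code from any project it mentions.
"""
import os
import re
from collections import defaultdict

# Constructed sample input: AVC lines copied from the posts above. The first three
# are raw audit.log records, the last three are `ausearch -i` interpreted output.
SAMPLE_LOG = """\
type=AVC msg=audit(1423701682.841:7262587): avc:  denied  { execute_no_trans } for  pid=2299 comm="(ruby)" path="/home/tmp/rlpowell/rvm/gems/ruby-2.2.0@sinatra/wrappers/ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423701682.844:7262593): avc:  denied  { execute } for  pid=2299 comm="bash" name="ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703784.824:7264172): avc:  denied  { execute_no_trans } for  pid=3456 comm="bash" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/bin/ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(03/02/2015 23:30:11.565:327341) : avc:  denied  { execmem } for  pid=5114 comm=node scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(03/02/2015 23:30:11.628:327342) : avc:  denied  { read } for  pid=5114 comm=node name=server.js dev="vdb1" ino=1048596 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(03/02/2015 23:30:12.783:327350) : avc:  denied  { name_bind } for  pid=5114 comm=node src=9999 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value quoted or bare

# Generic labels: a denial against these normally means the file carries the wrong
# label (fix with semanage fcontext + restorecon), not that policy should be widened.
GENERIC_FILE_TYPES = {"user_home_t", "var_t", "default_t"}


def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    # a context is user:role:type:level; only the type matters for a TE rule
    return {
        "perms": frozenset(m.group("perms").split()),
        "sdomain": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name") or fields.get("src"),
    }


def summarize(log_text):
    """Map (source domain, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["sdomain"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def targets(log_text, key):
    """Paths (or port numbers) that produced denials for one rule key."""
    found = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and (rec["sdomain"], rec["ttype"], rec["tclass"]) == key and rec["target"]:
            found.add(rec["target"])
    return sorted(found)


def allow_rule(key, perms):
    """The rule audit2allow would print for this group (for reference, not to apply)."""
    sdomain, ttype, tclass = key
    return f"allow {sdomain} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"


def classify(key, perms):
    """Which kind of fix a denial group usually calls for."""
    _sdomain, ttype, tclass = key
    if tclass == "file" and ttype in GENERIC_FILE_TYPES:
        return "relabel"
    if tclass == "tcp_socket" and "name_bind" in perms:
        return "port"
    if tclass == "process" and "execmem" in perms:
        return "execmem"
    return "module"


def remediation(key, perms, paths=()):
    """Shell commands to run next; <...> placeholders are values the admin must pick."""
    sdomain, ttype, _tclass = key
    kind = classify(key, perms)
    if kind == "relabel":
        # an executable the init domain must run needs an executable type such as bin_t
        # (this example's choice); data it only reads needs a type that domain may read
        want = "bin_t" if perms & {"execute", "execute_no_trans"} else "<readable_type>"
        dirs = sorted({os.path.dirname(p) for p in paths if "/" in p}) or ["<dir>"]
        out = [f"# {sdomain} denied {' '.join(sorted(perms))} on {ttype}: {', '.join(paths) or '?'}"]
        out += [f"semanage fcontext -a -t {want} '{d}(/.*)?'" for d in dirs]
        return out + [f"restorecon -Rv '{d}'" for d in dirs]
    if kind == "port":
        port = paths[0] if paths else "<port>"
        return [f"# tcp/{port} is labelled {ttype}; {sdomain} may not bind it",
                f"semanage port -l | grep -w {port}",
                f"semanage port -m -t <port_type_{sdomain}_may_bind> -p tcp {port}"]
    if kind == "execmem":
        return [f"# {sdomain} wants execmem (JIT): look for a boolean before writing policy",
                "getsebool -a | grep execmem"]
    return ["# no labelling fix applies; build a local module from the audited denials",
            "ausearch -m AVC -ts recent | audit2allow -M local_fix",
            "semodule -i local_fix.pp"]


def report(log_text):
    """For every denial group: the audit2allow rule, then the recommended fix."""
    out = []
    for key, perms in sorted(summarize(log_text).items()):
        out.append(allow_rule(key, perms))
        out.extend("    " + cmd for cmd in remediation(key, perms, targets(log_text, key)))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against `ausearch -m AVC -ts recent` output instead of the embedded sample to triage a live box. The point of printing the allow rule next to the fix is that `audit2allow -M` on the execute denials would produce `allow initrc_t user_home_t:file { execute execute_no_trans };`, which lets every service started by systemd run anything in any home directory; relabelling the one tree the service needs keeps that door shut.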

