I am running Fedora 32. I am trying to start a program as a service and run
it with a non-root user id (radmin).
I have created /home/radmin/bin/jungledisk.sh (which has permission ug=rwx).
I have created /etc/systemd/system/jungledisk.service.
When I start the service with "sudo systemctl restart jungledisk.service" I
get error messages -- see below.
I have attempted to follow the instructions to create a local policy from
the log file by executing:
sudo ausearch -c '(edisk.sh)' --raw | sudo audit2allow -M my-edisksh
sudo semodule -X 300 -i my-edisksh.pp
However, the behaviour is the same after running this.
The jungledisk.service file is attempting to run jungledisk.sh as user
radmin, if that's relevant.
Advice appreciated.
The following is in my /var/log/messages file:
May 23 17:53:32 localhost systemd[613445]: jungledisk.service: Failed to execute command: Permission denied
May 23 17:53:32 localhost systemd[613445]: jungledisk.service: Failed at step EXEC spawning /home/radmin/bin/jungledisk.sh: Permission denied
...
May 23 17:53:34 localhost setroubleshoot[613447]: SELinux is preventing (edisk.sh) from execute_no_trans access on the file /home/radmin/bin/jungledisk.sh. For complete SELinux messages run: sealert -l 0b9955ca-66c6-4039-9999-2dd7d4ec0fc8
May 23 17:53:34 localhost python3[613447]: SELinux is preventing (edisk.sh) from execute_no_trans access on the file /home/radmin/bin/jungledisk.sh.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that (edisk.sh) should be allowed execute_no_trans access on the jungledisk.sh file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(edisk.sh)' --raw | audit2allow -M my-edisksh
# semodule -X 300 -i my-edisksh.pp

May 23 17:53:34 localhost dbus-broker-launch[281848]: avc: received policyload notice (seqno=3)
May 23 17:53:34 localhost dbus-broker-launch[281848]: avc: received policyload notice (seqno=4)
May 23 17:53:34 localhost systemd[11047]: selinux: avc: received policyload notice (seqno=3)
May 23 17:53:34 localhost systemd[11047]: selinux: avc: received policyload notice (seqno=4)
May 23 17:53:34 localhost systemd[11047]: Started dbus-:1.1-org.freedesktop.Notifications@14.service.
May 23 17:53:34 localhost at-spi-bus-launcher[294822]: avc: received policyload notice (seqno=3)
May 23 17:53:34 localhost at-spi-bus-launcher[294822]: avc: received policyload notice (seqno=4)
May 23 17:53:37 localhost setroubleshoot[613447]: SELinux is preventing (edisk.sh) from execute_no_trans access on the file /home/radmin/bin/jungledisk.sh. For complete SELinux messages run: sealert -l 0b9955ca-66c6-4039-9999-2dd7d4ec0fc8
May 23 17:53:37 localhost python3[613447]: SELinux is preventing (edisk.sh) from execute_no_trans access on the file /home/radmin/bin/jungledisk.sh.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that (edisk.sh) should be allowed execute_no_trans access on the jungledisk.sh file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(edisk.sh)' --raw | audit2allow -M my-edisksh
# semodule -X 300 -i my-edisksh.pp
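An added diagnostic, not part of the original question or of any answer to it. The "(edisk.sh)" in the messages is the comm name systemd gives the forked child before exec (it keeps the last eight characters of the executable's basename in parentheses), so that is the name the AVC record carries. The script below parses a constructed AVC record of the shape `ausearch -m avc` prints and decides whether the denial is the classic "systemd executing a file that still carries a home-directory label" case, where the least-privilege fix is to relabel the script as an executable (bin_t) rather than to widen policy with audit2allow. The source context (init_t) and target context (user_home_t) in the sample are assumptions about what the poster's system would show, not values taken from the post; the sample record itself is constructed.

```shell
#!/bin/sh
# Added example: classify a systemd/SELinux execute_no_trans denial and print
# the label-based fix. Runs offline against a constructed AVC record.
#
# On the real host, the equivalent inputs come from:
#   sudo ausearch -m avc -c '(edisk.sh)'        # raw AVC record
#   ls -Z /home/radmin/bin/jungledisk.sh        # current file label
#
# Constructed sample record; init_t / user_home_t are ASSUMED contexts.
SAMPLE_AVC='type=AVC msg=audit(1590253412.123:4567): avc:  denied  { execute_no_trans } for  pid=613445 comm="(edisk.sh)" path="/home/radmin/bin/jungledisk.sh" dev="dm-0" ino=123456 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY -> value of KEY=... with surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm RECORD -> the denied permission inside "{ ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^ }]*\).*/\1/p'
}

# type_of CONTEXT -> the type field of user:role:type:level
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# recommend RECORD -> "relabel" when the blocked file carries a home-directory
# label (the file is mislabeled for its role, so fix the label), otherwise
# "policy" (a genuine policy gap that deserves sealert/sesearch review first)
recommend() {
    ttype=$(type_of "$(avc_field "$1" tcontext)")
    case "$ttype" in
        user_home_t|user_home_dir_t|home_root_t) echo relabel ;;
        *) echo policy ;;
    esac
}

# fix_commands PATH -> persistent relabel commands for the script's directory
# (printed for review; this example does not run them)
fix_commands() {
    dir=$(dirname "$1")
    printf 'semanage fcontext -a -t bin_t %s\n' "'$dir(/.*)?'"
    printf 'restorecon -Rv %s\n' "$dir"
}

perm=$(avc_perm "$SAMPLE_AVC")
path=$(avc_field "$SAMPLE_AVC" path)
echo "denied permission: $perm on $path"
echo "source domain:     $(type_of "$(avc_field "$SAMPLE_AVC" scontext)")"
echo "target type:       $(type_of "$(avc_field "$SAMPLE_AVC" tcontext)")"
case $(recommend "$SAMPLE_AVC") in
    relabel)
        echo "fix: give the script an executable label instead of widening policy:"
        fix_commands "$path"
        ;;
    policy)
        echo "fix: review with 'sealert -l <id>' and 'sesearch' before writing a module"
        ;;
esac
```

After `restorecon`, confirm with `ls -Z` that the file now shows `bin_t` before restarting the unit; if the label did not change, the `semanage fcontext` pattern did not match the path. A home-directory location is still awkward for a system service (home directories are labeled for interactive users, not for init), so moving the script to /usr/local/bin, which already gets `bin_t` from the default file contexts, is the cleaner end state. Reserve `audit2allow` for denials whose target is already correctly labeled.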