On Fri, 2017-06-30 at 16:23 +0200, Juan Orti Alcaine wrote:
2017-06-30 14:23 GMT+02:00 Juan Orti Alcaine <j.orti.alcaine(a)gmail.com>:
> 2017-06-30 12:42 GMT+02:00 Lukas Vrabec <lvrabec(a)redhat.com>:
> > On 06/28/2017 09:36 AM, Thomas Mueller wrote:
> > > Hey Juan
> > >
> > > > I'm troubleshooting the radicale policy but I cannot figure
> > > > why the service fails to transition to radicale_t. It runs in
> > > > the init_t domain.
> > > >
> > > >
> >
> > How are you starting this service?
> >
>
> systemctl start radicale.service
>
>
I cannot find where the problem is; I see other daemons are also
using init_daemon_domain. Why is mine not transitioning?
What's in your unit file? Certain systemd options can prevent SELinux
transitions or disable SELinux functionality (e.g. NoNewPrivileges,
ProtectKernelTunables).
>
> I guess this should be enough:
>
> type radicale_t;
> type radicale_exec_t;
> init_daemon_domain(radicale_t, radicale_exec_t)
>
> But I get AVCs like these:
>
> SELinux is preventing radicale from ioctl access on the file
> /usr/bin/radicale.
>
> ***** Plugin catchall (100. confidence) suggests **************************
>
> If you believe that radicale should be allowed ioctl access on the
> radicale file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do allow this access for now by executing:
> # ausearch -c 'radicale' --raw | audit2allow -M my-radicale
> # semodule -X 300 -i my-radicale.pp
>
>
> Additional Information:
> Source Context system_u:system_r:init_t:s0
> Target Context system_u:object_r:radicale_exec_t:s0
> Target Objects /usr/bin/radicale [ file ]
> Source radicale
> Source Path radicale
> Port <Unknown>
> Host xenon
> Source RPM Packages
> Target RPM Packages
> Policy RPM <Unknown>
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Host Name xenon
> Platform Linux xenon 4.11.6-301.fc26.x86_64 #1 SMP Tue Jun 20 16:17:33 UTC 2017 x86_64 x86_64
> Alert Count 39
> First Seen 2017-06-27 19:39:30 CEST
> Last Seen 2017-06-30 15:49:43 CEST
> Local ID a3b3d3eb-d7ba-4e1f-a1eb-c46409986dfb
>
> Raw Audit Messages
> type=AVC msg=audit(1498830583.883:418): avc: denied { ioctl } for pid=11577 comm="radicale" path="/usr/bin/radicale" dev="dm-0" ino=1973935 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:radicale_exec_t:s0 tclass=file permissive=0
>
>
> Hash: radicale,init_t,radicale_exec_t,file,ioctl
>
> ------------------------------
>
> SELinux is preventing radicale from read access on the file
> /etc/radicale/config.
>
> ***** Plugin catchall (100. confidence) suggests **************************
>
> If you believe that radicale should be allowed read access on the
> config file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do allow this access for now by executing:
> # ausearch -c 'radicale' --raw | audit2allow -M my-radicale
> # semodule -X 300 -i my-radicale.pp
>
>
> Additional Information:
> Source Context system_u:system_r:init_t:s0
> Target Context system_u:object_r:radicale_etc_t:s0
> Target Objects /etc/radicale/config [ file ]
> Source radicale
> Source Path radicale
> Port <Unknown>
> Host xenon
> Source RPM Packages
> Target RPM Packages
> Policy RPM <Unknown>
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Host Name xenon
> Platform Linux xenon 4.11.6-301.fc26.x86_64 #1 SMP Tue Jun 20 16:17:33 UTC 2017 x86_64 x86_64
> Alert Count 10
> First Seen 2017-06-27 19:39:30 CEST
> Last Seen 2017-06-30 15:49:43 CEST
> Local ID 77f4e686-55dc-49d3-a01c-a5c3caac9959
>
> Raw Audit Messages
> type=AVC msg=audit(1498830583.859:412): avc: denied { read } for pid=11577 comm="radicale" name="config" dev="dm-0" ino=1201229 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:radicale_etc_t:s0 tclass=file permissive=0
>
>
> Hash: radicale,init_t,radicale_etc_t,file,read
>
>
>
> _______________________________________________
> selinux mailing list -- selinux(a)lists.fedoraproject.org
> To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
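The reply above points at unit-file options as one reason a systemd-started daemon can stay in init_t, and the two raw AVC records in the thread show what a missed transition looks like: the process is still init_t while it is denied access to its own radicale_exec_t binary and radicale_etc_t config. The script below is an added example, not code from the thread or from the radicale policy. It scans a unit file for the directives that systemd.exec(5) documents as implying NoNewPrivileges=yes (that list is an assumption to be checked against the installed systemd's man page), summarises raw AVC records from `ausearch -m avc --raw`, and flags the init_t-on-*_exec_t pattern. The unit text is constructed; the AVC lines are the two from the thread rejoined. The live_checks function wraps the real host commands (systemctl show/cat, ls -Z, sesearch, ausearch).

```shell
#!/bin/sh
# Added example, not from the thread: triage for a systemd-started daemon that
# keeps running in init_t instead of its own domain. The text helpers work on
# input fed through stdin; live_checks runs the real host commands.

# Directives that imply NoNewPrivileges=yes according to systemd.exec(5).
# Assumption: verify this list against the man page of the installed version.
# With no_new_privs set, the kernel refuses an ordinary SELinux domain
# transition on exec unless the policy explicitly permits it.
NNP_IMPLYING='NoNewPrivileges|SystemCallFilter|SystemCallArchitectures|RestrictAddressFamilies|RestrictNamespaces|PrivateDevices|ProtectKernelTunables|ProtectKernelModules|ProtectKernelLogs|ProtectClock|MemoryDenyWriteExecute|RestrictRealtime|RestrictSUIDSGID|DynamicUser|LockPersonality'

# Read a unit file on stdin, print the directives that turn on no_new_privs.
# Comments are skipped; NoNewPrivileges=no and empty assignments (which reset
# a setting) are not counted.
nnp_directives() {
    awk -F= -v pat="^(${NNP_IMPLYING})$" '
        /^[ \t]*[#;]/ { next }
        {
            key = $1; sub(/^[ \t]+/, "", key)
            val = $2; sub(/[ \t]+$/, "", val)
            if (key !~ pat || val == "") next
            if (key == "NoNewPrivileges" && val !~ /^(yes|true|on|1)$/) next
            print key
        }' | sort -u
}

# Read raw AVC records (ausearch -m avc --raw) on stdin and print one line per
# denial: comm, source domain, target type, object class, permissions.
avc_summary() {
    awk '/avc: +denied/ {
        comm = src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        perms = $0
        sub(/.*denied [{] */, "", perms); sub(/ *[}].*/, "", perms)
        print comm, src, tgt, cls, perms
    }'
}

# Succeed (exit 0) when a process still in init_t is denied access to the
# given *_exec_t file: the binary was executed, but no domain transition
# happened. That is the pattern in the thread's first AVC.
transition_failed() {
    avc_summary | awk -v exec_t="$1" '
        $2 == "init_t" && $3 == exec_t { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed unit file (assumption; not the real radicale.service).
sample_unit() {
    cat <<'EOF'
[Unit]
Description=Constructed unit for the example

[Service]
ExecStart=/usr/bin/radicale
# hardening that looks unrelated to SELinux but implies NoNewPrivileges=yes
ProtectKernelTunables=yes
SystemCallFilter=~@mount
NoNewPrivileges=no
PrivateTmp=yes
EOF
}

# The two raw AVC records quoted in the thread, rejoined onto single lines.
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1498830583.883:418): avc: denied { ioctl } for pid=11577 comm="radicale" path="/usr/bin/radicale" dev="dm-0" ino=1973935 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:radicale_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1498830583.859:412): avc: denied { read } for pid=11577 comm="radicale" name="config" dev="dm-0" ino=1201229 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:radicale_etc_t:s0 tclass=file permissive=0
EOF
}

# Host-side checks; needs systemd, audit, policycoreutils and setools.
# usage: live_checks radicale.service radicale_exec_t /usr/bin/radicale
live_checks() {
    unit=$1; exec_t=$2; binary=$3
    echo "## NoNewPrivileges as systemd reports it for $unit (explicit setting only)"
    systemctl show -p NoNewPrivileges "$unit"
    echo "## directives in the unit that imply NoNewPrivileges=yes"
    systemctl cat "$unit" | nnp_directives
    echo "## label on the binary (expected: $exec_t)"
    ls -Z "$binary"
    echo "## type_transition rules from init_t on $exec_t (none = rule not loaded)"
    sesearch -T -s init_t -t "$exec_t" -c process
    echo "## recent denials, summarised"
    ausearch -m avc --raw | avc_summary | sort | uniq -c
    if ausearch -m avc --raw | transition_failed "$exec_t"; then
        echo "VERDICT: $binary ran but the process stayed in init_t"
    fi
}

if [ $# -eq 3 ]; then
    live_checks "$@"
fi
```

Run it on the host as `sh triage.sh radicale.service radicale_exec_t /usr/bin/radicale`. The two checks separate the hypotheses in the thread: if `nnp_directives` prints anything, the unit is asking systemd for no_new_privs and the transition is blocked on the systemd side; if `sesearch -T` prints no rule, the policy module carrying init_daemon_domain(radicale_t, radicale_exec_t) is not in the loaded policy (compare `semodule -l`), whatever the unit says.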