Hi Philip,
thank you for your thoughts. Yes, I am running targeted policy.
This was the state of the startup script (called via systemd unit file):
ls -lZ /usr/lib/emby-server/emby-server.sh
-rwxr-xr-x. 1 root root system_u:object_r:lib_t:s0 3516 Sep 10 2016
/usr/lib/emby-server/emby-server.sh
After changing the context
chcon -t initrc_exec_t /usr/lib/emby-server/emby-server.sh
the service could start again. No need to create a new policy. I will need
to make this permanent with with semanage fcontext, but I will figure that
out.
Thank you very much for your help!
Isaac
On Mon, Sep 12, 2016 at 9:19 AM, Philip Seeley <pseeley(a)au1.ibm.com> wrote:
Hi Isaac,
Looks like your basic problem is that you're running the startup script in
the init_t domain, but you should really be running it in the initrc_t
domain (or some custom domain).
Assuming we're talking about the targeted policy, the initrc_t domain is
unconfined, whereas init_t isn't.
Is your startup script labelled with an ..._initrc_exec_t type? This is
assuming you're using SysV startup scripts and not systemd.
If you're using systemd service definitions to call your emby-server.sh
script, then try labelling that script initrc_exec_t.
Cheers
Phil
[image: Inactive hide details for Isaac Hailperin ---11/09/2016
23:20:03---Hi, I am trying to get emby-server to run on f24 with selinu]Isaac
Hailperin ---11/09/2016 23:20:03---Hi, I am trying to get emby-server to
run on f24 with selinux in enforcing mode
From: Isaac Hailperin <isaac.hailperin(a)googlemail.com>
To: selinux(a)lists.fedoraproject.org
Date: 11/09/2016 23:20
Subject: emby-server on f24
------------------------------
Hi,
I am trying to get emby-server to run on f24 with selinux in enforcing
mode (which was fine on f23).
Now I am getting denials:
Sep 11 14:32:40 sh01 audit[796]: AVC avc: denied { create } for pid=796
comm="emby-server.sh" name="emby-server.log"
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
Sep 11 14:32:40 sh01 audit[796]: AVC avc: denied { getattr } for
pid=796 comm="emby-server.sh" path="/usr/bin/su"
dev="dm-0" ino=1580514
scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:su_exec_t:s0
tclass=file permissive=0
Sep 11 14:32:40 sh01 audit[796]: AVC avc: denied { getattr } for
pid=796 comm="emby-server.sh" path="/usr/bin/su"
dev="dm-0" ino=1580514
scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:su_exec_t:s0
tclass=file permissive=0
audit2allow gives me the following policy:
#============= init_t ==============
allow init_t su_exec_t:file getattr;
allow init_t var_log_t:file create;
I am wondering what this implies. Just guessing, this would allow anything
which is started at boot time to use "su" and create a log file in
/var/log. I would not mind the latter, but the former seems a bit too broad
from a security perspective.
What other options do I have? Any recommendations?
Isaac
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/selinux@lists.
fedoraproject.org
--
Isaac Hailperin
Sonnhalde 12
79677 Schönau im Schwarzwald