Hi,
I am trying to get emby-server to run on f24 with selinux in enforcing mode (which was fine on f23). Now I am getting denials:
Sep 11 14:32:40 sh01 audit[796]: AVC avc: denied { create } for pid=796 comm="emby-server.sh" name="emby-server.log" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
Sep 11 14:32:40 sh01 audit[796]: AVC avc: denied { getattr } for pid=796 comm="emby-server.sh" path="/usr/bin/su" dev="dm-0" ino=1580514 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file permissive=0
Sep 11 14:32:40 sh01 audit[796]: AVC avc: denied { getattr } for pid=796 comm="emby-server.sh" path="/usr/bin/su" dev="dm-0" ino=1580514 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file permissive=0
audit2allow gives me the following policy:
#============= init_t ==============
allow init_t su_exec_t:file getattr;
allow init_t var_log_t:file create;
I am wondering what this implies. Just guessing, this would allow anything which is started at boot time to use "su" and create a log file in /var/log. I would not mind the latter, but the former seems a bit too broad from a security perspective.
What other options do I have? Any recommendations?
Isaac
Hi Isaac,
Looks like your basic problem is that you're running the startup script in the init_t domain, but you should really be running it in the initrc_t domain (or some custom domain).
Assuming we're talking about the targeted policy, the initrc_t domain is unconfined, whereas init_t isn't.
Is your startup script labelled with an ..._initrc_exec_t type? This is assuming you're using SysV startup scripts and not systemd.
If you're using systemd service definitions to call your emby-server.sh script, then try labelling that script initrc_exec_t.
Cheers
Phil
From: Isaac Hailperin isaac.hailperin@googlemail.com
To: selinux@lists.fedoraproject.org
Date: 11/09/2016 23:20
Subject: emby-server on f24
--
selinux mailing list
selinux@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
Hi Philip,
thank you for your thoughts. Yes, I am running targeted policy.
This was the state of the startup script (called via systemd unit file):
ls -lZ /usr/lib/emby-server/emby-server.sh
-rwxr-xr-x. 1 root root system_u:object_r:lib_t:s0 3516 Sep 10 2016 /usr/lib/emby-server/emby-server.sh
After changing the context
chcon -t initrc_exec_t /usr/lib/emby-server/emby-server.sh
the service could start again. No need to create a new policy. I will need to make this permanent with semanage fcontext, but I will figure that out.
Thank you very much for your help!
Isaac
On Mon, Sep 12, 2016 at 9:19 AM, Philip Seeley pseeley@au1.ibm.com wrote:
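The following shell script is an added worked example; it is not part of the thread and not Emby's or Fedora's code. It reads one of the AVC records Isaac posted (copied verbatim as constructed sample input), extracts the source domain the way Phil did to reach his diagnosis, and emits the semanage fcontext and restorecon commands that turn Isaac's chcon fix into a permanent file-context rule. The function names are this example's own; the script path and the initrc_exec_t type are the ones quoted in the thread; semanage, restorecon and matchpathcon are the standard SELinux tools. Nothing on the system is changed unless the script is run with the argument apply.

```shell
#!/bin/sh
# Added example, not from the thread: read the AVC records Isaac posted,
# show why they point at a labelling problem rather than a missing allow
# rule, and emit the semanage/restorecon commands that make the chcon fix
# permanent. Function names are this example's own; the AVC line, script
# path and initrc_exec_t type are the ones quoted in the thread. The system
# is only modified when the script is run with the argument "apply".

# Constructed sample input: one of the denials from the thread, verbatim.
SAMPLE_AVC='Sep 11 14:32:40 sh01 audit[796]: AVC avc: denied { getattr } for pid=796 comm="emby-server.sh" path="/usr/bin/su" dev="dm-0" ino=1580514 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file permissive=0'

SCRIPT=/usr/lib/emby-server/emby-server.sh

# Print the value of one key=value field (scontext, tcontext, tclass, ...)
# from the AVC record given as $1; the field name is $2.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The permission inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { *\([^ }]*\) *}.*/\1/p'
}

# Type field of a context: system_u:system_r:init_t:s0 -> init_t.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

avc_source_domain() { context_type "$(avc_field "$1" scontext)"; }
avc_target_type()   { context_type "$(avc_field "$1" tcontext)"; }

# One-line summary in the shape audit2allow would turn into an allow rule.
avc_summary() {
    printf '%s %s:%s %s\n' "$(avc_source_domain "$1")" "$(avc_target_type "$1")" \
        "$(avc_field "$1" tclass)" "$(avc_perm "$1")"
}

# Phil's diagnosis as a check: denials carrying the init_t source domain
# mean the service script never left systemd's own domain, which happens
# when the script is not labelled with an initrc_exec_t-style entrypoint
# type (here it carried lib_t). The fix is to relabel the script, not to
# grant init_t more access: an allow rule for init_t covers everything
# systemd starts.
diagnose() {
    case "$(avc_source_domain "$1")" in
        init_t) echo relabel-script ;;
        *)      echo not-an-init_t-problem ;;
    esac
}

# semanage fcontext takes a regular expression, so escape the dots of a
# literal path before registering it.
fcontext_spec() {
    printf '%s\n' "$1" | sed 's/[.]/\\./g'
}

# Commands that survive a relabel: chcon alone is undone by the next
# restorecon or autorelabel, a registered file-context rule is not.
persist_label_cmds() {
    printf 'semanage fcontext -a -t %s "%s"\n' "$2" "$(fcontext_spec "$1")"
    printf 'restorecon -v "%s"\n' "$1"
}

# Verification on a real SELinux host: the label the policy expects for
# the path and the label the file actually carries should now agree.
verify_label() {
    matchpathcon "$1"
    ls -Z "$1"
}

echo "denial:  $(avc_summary "$SAMPLE_AVC")"
echo "verdict: $(diagnose "$SAMPLE_AVC")"
echo "to make the relabel permanent:"
persist_label_cmds "$SCRIPT" initrc_exec_t

if [ "${1:-}" = apply ] && command -v semanage >/dev/null 2>&1; then
    persist_label_cmds "$SCRIPT" initrc_exec_t | sh -e
    verify_label "$SCRIPT"
fi
```

Run without arguments it only prints the summary ("init_t su_exec_t:file getattr"), the verdict and the two commands; with apply on an SELinux host it registers the rule, relabels the file and prints the matchpathcon and ls -Z views so the two can be compared. As Phil notes, initrc_t is unconfined in the targeted policy, so this restores the f23 behaviour without confining emby-server; a custom domain with its own type and transition is the tighter option if that matters.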