Hi David,
Thank you for following up. I believe I have worked around the issue for
now, although I am curious about using the user specific systemd unit.
I'll try googling that in the morning. I may bug you for more info after
that.
In the end it seems I was getting a series of similar but different errors
which I had to step through and permit one by one. There was probably a
better way. It first denied execute, then read open, execute_no_trans,
ioctl. So while I thought the first commands had done nothing, in fact,
each one had gotten me one step closer. When I realized the error had
changed from execute to read open I then noticed that I was making
progress. Since then I have found the .pp and .te files in an odd
directory from which I happened to execute the commands. I am curious as
to whether I still need these, or if they are just intermediaries.
Cheers,
Rod.
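The "one denial at a time" loop described above is what happens when each audit2allow run only sees the AVC records logged so far; the script below is an added example (not from this thread) that summarises a raw AVC log into the allow rule it implies, so all five permissions and the source/target types show up together. The comm, path and permission sequence come from the thread; the contexts, pids and inode numbers are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a raw AVC log into the
# allow rules it implies, so every denial is visible at once instead of
# being discovered one semodule load at a time.
# Contexts below are assumptions; only comm, path and the permission
# sequence come from the original thread.
SAMPLE_AVC='type=AVC msg=audit(1590278012.101:1201): avc:  denied  { execute } for  pid=613445 comm="(edisk.sh)" name="jungledisk.sh" dev="dm-0" ino=1234 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1590278012.102:1202): avc:  denied  { read open } for  pid=613445 comm="(edisk.sh)" path="/home/radmin/bin/jungledisk.sh" dev="dm-0" ino=1234 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1590278012.103:1203): avc:  denied  { execute_no_trans } for  pid=613445 comm="(edisk.sh)" path="/home/radmin/bin/jungledisk.sh" dev="dm-0" ino=1234 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1590278012.104:1204): avc:  denied  { ioctl } for  pid=613445 comm="(edisk.sh)" path="/home/radmin/bin/jungledisk.sh" dev="dm-0" ino=1234 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Every distinct permission denied to COMM ($1), one per line, sorted.
avc_perms() {
    grep -F "comm=\"$1\"" \
        | sed -n 's/.*denied *{ \(.*\) } for.*/\1/p' \
        | tr ' ' '\n' | sort -u
}

# Merge all denials per (source type, target type, class) into one allow
# rule of the same shape audit2allow generates. Read it before loading
# anything: "init_t -> user_home_t" says the unit is executing a script
# labelled as home-directory data, which is why a bin_t path such as
# /usr/local/bin is the cleaner fix than permitting that access.
avc_rules() {
    awk '
    /avc: *denied/ {
        perms = $0
        sub(/.*denied *[{] /, "", perms); sub(/ [}].*/, "", perms)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (!((key, p[i]) in seen)) {
                seen[key, p[i]] = 1
                rule[key] = rule[key] " " p[i]
            }
    }
    END { for (k in rule) printf "allow %s {%s };\n", k, rule[k] }'
}

# Stand-alone demo; on a real host feed it the output of
#   ausearch -m avc -ts recent --raw
printf '%s\n' "$SAMPLE_AVC" | avc_rules
```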
On Sun, 24 May 2020 at 00:23, David Sastre <d.sastre.medina(a)gmail.com>
wrote:
Hello Rod,
It would be interesting to see both the systemd unit and the complete AVC
message. You can retrieve the latter using:
# ausearch -m avc -ts recent
just after triggering the error.
Another thought: since you are using a script in a specific user's private
bin path, it might be better to use a user specific systemd unit as well.
Otherwise, use a system-wide path for the executable (I'd suggest
/usr/local/bin), and a system-wide unit (as you already do).
On Sun, May 24, 2020 at 3:37 AM Rod Davison <roddavison(a)gmail.com> wrote:
> I am running fedora32. I am trying to start a program as a service and
> run it with a non-root user id (radmin).
>
> I have created /home/radmin/bin/jungledisk.sh (which has permission
> ug=rwx)
> I have created /etc/systemd/system/jungledisk.service
>
> When I start the service with "sudo systemctl restart jungledisk.service"
> I get error messages -- see below.
>
> I have attempted to follow the instructions to create a local policy from
> the log file by executing:
>
> sudo ausearch -c '(edisk.sh)' --raw | sudo audit2allow -M my-edisksh
> sudo semodule -X 300 -i my-edisksh.pp
>
> however, the behaviour is the same after running this.
>
> The jungledisk.service file is attempting to run jungledisk.sh as user
> radmin, if that's relevant.
>
> Advice appreciated.
>
> the following in my /var/log/messages file:
>
> May 23 17:53:32 localhost systemd[613445]: jungledisk.service: Failed to
> execute command: Permission denied
> May 23 17:53:32 localhost systemd[613445]: jungledisk.service: Failed at
> step EXEC spawning /home/radmin/bin/jungledisk.sh: Permission denied
> ...
> May 23 17:53:34 localhost setroubleshoot[613447]: SELinux is preventing
> (edisk.sh) from execute_no_trans access on the file
> /home/radmin/bin/jungledisk.sh. For complete SELinux messages run: sealert
> -l 0b9955ca-66c6-4039-9999-2dd7d4ec0fc8
> May 23 17:53:34 localhost python3[613447]: SELinux is preventing
> (edisk.sh) from execute_no_trans access on the file
> /home/radmin/bin/jungledisk.sh.#012#012***** Plugin catchall (100.
> confidence) suggests **************************#012#012If you believe
> that (edisk.sh) should be allowed execute_no_trans access on the
> jungledisk.sh file by default.#012Then you should report this as a
> bug.#012You can generate a local policy module to allow this
> access.#012Do#012allow this access for now by executing:#012# ausearch -c
> '(edisk.sh)' --raw | audit2allow -M my-edisksh#012# semodule -X 300 -i
> my-edisksh.pp#012
> May 23 17:53:34 localhost dbus-broker-launch[281848]: avc: received
> policyload notice (seqno=3)
> May 23 17:53:34 localhost dbus-broker-launch[281848]: avc: received
> policyload notice (seqno=4)
> May 23 17:53:34 localhost systemd[11047]: selinux: avc: received
> policyload notice (seqno=3)
> May 23 17:53:34 localhost systemd[11047]: selinux: avc: received
> policyload notice (seqno=4)
> May 23 17:53:34 localhost systemd[11047]: Started
> dbus-:1.1-org.freedesktop.Notifications@14.service.
> May 23 17:53:34 localhost at-spi-bus-launcher[294822]: avc: received
> policyload notice (seqno=3)
> May 23 17:53:34 localhost at-spi-bus-launcher[294822]: avc: received
> policyload notice (seqno=4)
> May 23 17:53:37 localhost setroubleshoot[613447]: SELinux is preventing
> (edisk.sh) from execute_no_trans access on the file
> /home/radmin/bin/jungledisk.sh. For complete SELinux messages run: sealert
> -l 0b9955ca-66c6-4039-9999-2dd7d4ec0fc8
> May 23 17:53:37 localhost python3[613447]: SELinux is preventing
> (edisk.sh) from execute_no_trans access on the file
> /home/radmin/bin/jungledisk.sh.#012#012***** Plugin catchall (100.
> confidence) suggests **************************#012#012If you believe
> that (edisk.sh) should be allowed execute_no_trans access on the
> jungledisk.sh file by default.#012Then you should report this as a
> bug.#012You can generate a local policy module to allow this
> access.#012Do#012allow this access for now by executing:#012# ausearch -c
> '(edisk.sh)' --raw | audit2allow -M my-edisksh#012# semodule -X 300 -i
> my-edisksh.pp#012
>
> _______________________________________________
> selinux mailing list -- selinux(a)lists.fedoraproject.org