On Mon, Feb 16, 2015 at 10:35:42AM -0800, Robin Lee Powell wrote:
On Mon, Feb 16, 2015 at 11:21:29AM +0100, Miroslav Grepl wrote:
> On 02/15/2015 06:51 PM, Robin Lee Powell wrote:
> >On Sun, Feb 15, 2015 at 08:44:07AM -0500, Daniel J Walsh wrote:
> >>On 02/11/2015 08:51 PM, Robin Lee Powell wrote:
> >>>Hey all. I have a tiny web service that I'm running with a ruby
> >>>script in ~/.rvm/ , and I'd like to run it out of systemd (just
> >>>to keep it running always), but init_t can't read or execute
> >>>user_home_t.
> >>>
> >>>Nor can init_t run runcon.
> >>>
> >>>Basically, I can't figure out any way to transition from
> >>>systemd's init_t to my user's type (staff_t).
> >>>
> >>>So what's the idiomatic way to handle that sort of thing?
> >>>
> >>init_t should be transitioning to a context that can read content
> >>in the users homedir. What is the label on the ruby script?
> >user_home_t; I had no idea what to try.
> >
> >>Which policy are you using?
> >Whatever comes with F20.
> >
> >>Do you have unconfined.pp disabled?
> >Yes.
> >
> >>Also do you have the actual avcs you are seeing?
> >Uh, not anymore I'm afraid; I had to find a workaround and move on.
> >I can regenerate them if it's important?
> >
> How does your unit file look for this service?
I tried several versions; here's the last of them:
[Unit]
Description=Converts Google Docs files to Archive Of Our Own's input format
[Service]
ExecStart=/home/rlpowell/.rvm/wrappers/ruby-2.2.0@sinatra/ruby /home/rlpowell/src/gdoc-to-ao3/gdoc-to-ao3.rb -p 9080 -o 192.168.123.133
Restart=always
User=rlpowell
Group=rlpowell
[Install]
WantedBy=multi-user.target
A wide variety of AVCs were caused as I played around with various
options, but it was the execute ones that caused me the most
trouble; here are some examples:
type=AVC msg=audit(1423701682.841:7262587): avc: denied { execute_no_trans } for pid=2299 comm="(ruby)" path="/home/tmp/rlpowell/rvm/gems/ruby-2.2.0@sinatra/wrappers/ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423701682.844:7262593): avc: denied { execute } for pid=2299 comm="bash" name="ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423701682.844:7262594): avc: denied { execute_no_trans } for pid=2299 comm="bash" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/bin/ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423701992.343:7262805): avc: denied { execute } for pid=2476 comm="runcon" name="ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423702215.494:7263051): avc: denied { execute } for pid=2646 comm="runcon" name="ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703784.821:7264163): avc: denied { execute } for pid=3456 comm="(ruby)" name="ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703784.821:7264163): avc: denied { execute_no_trans } for pid=3456 comm="(ruby)" path="/home/tmp/rlpowell/rvm/gems/ruby-2.2.0@sinatra/wrappers/ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703784.824:7264171): avc: denied { execute } for pid=3456 comm="bash" name="ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703784.824:7264172): avc: denied { execute_no_trans } for pid=3456 comm="bash" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/bin/ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423703851.301:7264239): avc: denied { execute } for pid=3497 comm="ruby" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/lib/libruby.so.2.2.0" dev="vdd1" ino=1353561 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1423704154.718:7264336): avc: denied { execute } for pid=3587 comm="ruby" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/lib/ruby/2.2.0/x86_64-linux/enc/encdb.so" dev="vdd1" ino=1718629 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
Once I had those solved, I hit the problem that this script listens
on a high port. Now, I have things configured so that staff_t can
do that, but this wouldn't run as staff_t, so I gave up and used the
ruby "daemons" gem instead.
And now I'm trying to get parsoid running; same sort of situation.
Here are the AVCs so far:
type=AVC msg=audit(03/02/2015 23:30:11.565:327341) : avc: denied { execmem } for pid=5114 comm=node scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(03/02/2015 23:30:11.628:327342) : avc: denied { open } for pid=5114 comm=node path=/srv/parsoid/api/server.js dev="vdb1" ino=1048596 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(03/02/2015 23:30:11.628:327342) : avc: denied { read } for pid=5114 comm=node name=server.js dev="vdb1" ino=1048596 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(03/02/2015 23:30:12.783:327350) : avc: denied { name_bind } for pid=5114 comm=node src=9999 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(03/02/2015 23:30:31.592:327354) : avc: denied { setrlimit } for pid=5133 comm=sh scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
and here's the service file:
[Unit]
Description=Mediawiki Parsoid web service on node.js
Documentation=http://www.mediawiki.org/wiki/Parsoid
Wants=local-fs.target network.target
After=local-fs.target network.target
[Install]
WantedBy=multi-user.target
[Service]
Type=simple
User=apache
Group=apache
WorkingDirectory=/srv/parsoid
EnvironmentFile=-/etc/parsoid/parsoid.env
ExecStart=/usr/bin/node /srv/parsoid/api/server.js
KillMode=process
Restart=on-success
PrivateTmp=true
StandardOutput=syslog
- ------
It doesn't have to be user Apache.
Any hints?
Is there a more active place I could be asking this question?
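Added example, not part of the thread and not Fedora's, SELinux's or the poster's code: a small Python triage script for the two AVC formats that appear in this message (raw audit.log records with epoch timestamps, and ausearch -i output with readable timestamps). It parses each denial into its fields, groups denials by source type, target type, object class and permission, and sorts them into remediation buckets. The bucket names ('relabel-executable', 'port-label', 'execmem', 'relabel-data', 'review') are this example's own labels, not SELinux terminology; the sample lines are taken from the message above, except the final SYSCALL record, which is constructed to show that non-AVC records are skipped.

```python
import re
from collections import Counter

# Sample records: the first five are the denials quoted in the message above,
# joined back onto one line each; the last SYSCALL record is constructed to
# show that non-AVC audit records are ignored by the parser.
SAMPLE_LINES = [
    'type=AVC msg=audit(1423701682.841:7262587): avc: denied { execute_no_trans } for pid=2299 comm="(ruby)" path="/home/tmp/rlpowell/rvm/gems/ruby-2.2.0@sinatra/wrappers/ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1423701682.844:7262593): avc: denied { execute } for pid=2299 comm="bash" name="ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(03/02/2015 23:30:11.565:327341) : avc: denied { execmem } for pid=5114 comm=node scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process',
    'type=AVC msg=audit(03/02/2015 23:30:12.783:327350) : avc: denied { name_bind } for pid=5114 comm=node src=9999 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(03/02/2015 23:30:11.628:327342) : avc: denied { open } for pid=5114 comm=node path=/srv/parsoid/api/server.js dev="vdb1" ino=1048596 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:var_t:s0 tclass=file',
    # constructed, non-AVC record
    'type=SYSCALL msg=audit(1423701682.841:7262587): arch=c000003e syscall=59 success=no exit=-13 comm="(ruby)"',
]

# "avc: denied { perm ... } for key=value ..." is the part shared by raw
# audit.log lines and ausearch -i output; everything before "avc:" differs.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key="quoted" or key=bare
CTX_RE = re.compile(r'^[^:]+:[^:]+:(?P<type>[^:]+):')  # user:role:TYPE:level


def parse_avc(line):
    """Return a dict of the denial's fields, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # Pull the bare type out of each security context for easy grouping.
    for ctx, key in (('scontext', 'stype'), ('tcontext', 'ttype')):
        c = CTX_RE.match(rec.get(ctx, ''))
        rec[key] = c.group('type') if c else None
    return rec


def classify(rec):
    """Assign a denial to a remediation bucket (bucket names are this example's own)."""
    perms = set(rec['perms'])
    tclass, ttype = rec.get('tclass'), rec.get('ttype')
    if tclass == 'file' and perms & {'execute', 'execute_no_trans'} and ttype == 'user_home_t':
        # A system domain executing content labelled as user home data. The fix
        # is to give the program an executable file type (or its own policy),
        # not an allow rule letting init run arbitrary home-directory files.
        return 'relabel-executable'
    if tclass == 'tcp_socket' and 'name_bind' in perms:
        # The port already carries another service's label; either assign it a
        # port type this domain may bind or choose a port labelled for it.
        return 'port-label'
    if tclass == 'process' and 'execmem' in perms:
        # JIT runtimes such as node want writable+executable memory; decide this
        # per domain rather than granting it to a generic domain like initrc_t.
        return 'execmem'
    if tclass == 'file' and ttype == 'var_t':
        # Application code carrying the generic /var label: relabel the tree.
        return 'relabel-data'
    return 'review'


def summarize(lines):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            counts[(rec['stype'], rec['ttype'], rec.get('tclass'), perm)] += 1
    return dict(counts)


def triage(lines):
    """Count denials per remediation bucket."""
    buckets = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            buckets[classify(rec)] += 1
    return dict(buckets)


if __name__ == '__main__':
    for key, n in sorted(summarize(SAMPLE_LINES).items(), key=str):
        print(f'{n:3d}  {key[0]} -> {key[1]} ({key[2]}:{key[3]})')
    print(triage(SAMPLE_LINES))
```

Grouping the denials this way makes the shape of the problem visible before anyone reaches for audit2allow: almost every entry in the thread is a labelling mismatch (an init domain executing user_home_t files, server code under var_t, port 9999 owned by another service's port type), and those are fixed by relabelling files or ports, not by widening what init_t or initrc_t may do.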