runcon Invalid argument

Miroslav Grepl mgrepl at redhat.com
Mon Apr 16 05:55:08 UTC 2012


On 04/13/2012 05:33 PM, Daniel J Walsh wrote:
> On 04/13/2012 10:39 AM, Moray Henderson (ICT) wrote:
>> I'm trying to debug an httpd-nfs-selinux issue, and it would be _really_
>> useful to be able to execute commands in context httpd_t while trying out
>> combinations of the nfs_export_all_rw Boolean and public_content_rw_t
>> type.
>>
>> If I can do
>>
>> [root at kojihub ~]# runcon unconfined_u:unconfined_r:unconfined_t:s0 bash
>> [root at kojihub ~]# exit
>>
>> why can't I do
>>
>> [root at kojihub ~]# runcon unconfined_u:unconfined_r:httpd_t:s0 bash
>> runcon: invalid context: unconfined_u:unconfined_r:httpd_t:s0: Invalid argument
>>
> Because httpd_t is not allowed to run as the unconfined_r and bash is not an
> entrypoint for the httpd_t domain.
>
> You can write policy for this, but basically
>
> SELinux expects the transitions to work like
>
> unconfined_t @initrc_exec_t ->  initrc_t @ httpd_exec_t ->  httpd_t
>
> You can do
>
> runcon -t initrc_t -r system_r id -Z
> staff_u:system_r:initrc_t:s0-s0:c0.c1023
>
> But sadly
>
> runcon -t initrc_t -r system_r runcon -t httpd_t id -Z
> runcon: invalid context: staff_u:system_r:httpd_t:s0-s0:c0.c1023: Permission denied
>
> Still fails because you are missing these rules
>
> #============= httpd_t ==============
> allow httpd_t bin_t:file entrypoint;
>
> #============= initrc_t ==============
> allow initrc_t self:process setexec;
You won't see this one if you don't disable the unconfined module. So just
try to execute the following.
>
> You can do the following
>
> # cat /usr/bin/httpd.sh
> #!/bin/sh
> id -Z
> # chmod +x /usr/bin/httpd.sh
> # chcon -t httpd_exec_t /usr/bin/httpd.sh
> # runcon -t initrc_t -r system_r sh -c /usr/bin/httpd.sh
> staff_u:system_r:httpd_t:s0-s0:c0.c1023
>
>
>
>
>> The actual issue is that I've set up a new koji hub with /mnt/koji on an
>> nfs mount; with SELinux in permissive mode I get
>>
>> AVC Report
>> ========================================================
>> #  date       time     comm  subj                              syscall class permission obj                             event
>> ========================================================
>> 1. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0  4       dir   getattr    system_u:object_r:nfs_t:s0      denied 494
>> 2. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0  4       dir   search     system_u:object_r:nfs_t:s0      denied 493
>> 3. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0  83      dir   write      system_u:object_r:nfs_t:s0      denied 495
>> 4. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0  83      dir   add_name   system_u:object_r:nfs_t:s0      denied 495
>> 5. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0  83      dir   create     unconfined_u:object_r:nfs_t:s0  denied 495
>> 6. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0  2       file  create     unconfined_u:object_r:nfs_t:s0  denied 496
>> 7. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0  2       file  open       system_u:object_r:nfs_t:s0      denied 496
>>
>>
>> Moray. "To err is human; to purr, feline."
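A script version of the workaround above, added here as an example; it is not code from the thread or from Dan's mail. The wrapper path (/usr/local/bin/httpd-test.sh), the function names and the DRY_RUN switch are this example's own choices. It relies on sesearch from setools for the policy check, on chcon and runcon from coreutils, and on the stock policy's type_transition from initrc_t through httpd_exec_t into httpd_t. It generalises the one-shot httpd.sh to an arbitrary command, and the comments spell out why the /bin/sh in the middle of the runcon line is what makes the transition fire.

```sh
#!/bin/sh
# httpd-test: run one command inside the httpd_t domain for debugging.
#
# runcon cannot put an unconfined shell straight into httpd_t: the role
# unconfined_r is not authorised for httpd_t, bash (bin_t) is not an
# entrypoint of httpd_t, and a plain shell has no setexec rule.  What the
# policy does allow is the path the init system takes:
#     initrc_t  exec  httpd_exec_t  ->  httpd_t
# So we drop into initrc_t with runcon and from there exec a wrapper that
# is labelled httpd_exec_t; the automatic type_transition does the rest.
#
# All names below (WRAPPER path, function names, DRY_RUN) are this
# example's own choices, not anything from the mailing-list thread.

WRAPPER=${WRAPPER:-/usr/local/bin/httpd-test.sh}

# context_field CONTEXT FIELD -> one field of user:role:type:level.
# The level may itself contain ':' (s0-s0:c0.c1023), so take the
# remainder of the string for it rather than a single cut field.
context_field() {
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# wrapper_script -> the text of the file that will carry httpd_exec_t.
# It reports the domain it landed in, then execs whatever it was given,
# so one wrapper serves "id -Z", "ls -Z /mnt/koji", "touch ..." alike.
# The command runs with httpd_t's own permissions; a binary that is itself
# an entrypoint of another domain will transition out of httpd_t.
wrapper_script() {
    cat <<'EOF'
#!/bin/sh
printf 'httpd-test: running as %s\n' "$(id -Z)" >&2
exec "$@"
EOF
}

# install_wrapper -> write $WRAPPER and label it httpd_exec_t (needs root).
# chcon is deliberate: a restorecon resets the label to bin_t, which is
# what you want for a debugging aid that should not linger.
install_wrapper() {
    wrapper_script > "$WRAPPER" &&
    chmod 0755 "$WRAPPER" &&
    chcon -t httpd_exec_t "$WRAPPER"
}

# check_policy -> confirm the two rules the chain depends on are present
# (sesearch from setools; -T lists type_transition rules, -A allow rules).
check_policy() {
    sesearch -T -s initrc_t -t httpd_exec_t -c process | grep -q httpd_t || {
        echo 'no type_transition initrc_t -> httpd_t on httpd_exec_t' >&2; return 1; }
    sesearch -A -s initrc_t -t httpd_exec_t -c file -p execute | grep -q execute || {
        echo 'initrc_t may not execute httpd_exec_t files' >&2; return 1; }
}

# run_as_httpd CMD [ARGS...] -> run CMD in httpd_t via the wrapper.
# The shell in the middle matters: runcon execs /bin/sh (shell_exec_t is
# an entrypoint of initrc_t), and that shell execs the wrapper, which is
# when the initrc_t -> httpd_t transition fires.  Handing the wrapper to
# runcon directly would ask for initrc_t with an httpd_exec_t entrypoint
# and be refused.  With DRY_RUN=1 the command line is printed, not run.
run_as_httpd() {
    set -- runcon -t initrc_t -r system_r /bin/sh -c 'exec "$@"' sh "$WRAPPER" "$@"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Usage (as root, on a host with SELinux enabled and setools installed):
#   check_policy && install_wrapper && run_as_httpd id -Z
#   setsebool nfs_export_all_rw on && run_as_httpd touch /mnt/koji/probe
```

Whatever the wrapper runs sees exactly the permissions httpd_t has, including the current Boolean settings, so it is the right place to toggle nfs_export_all_rw and the public_content_rw_t labelling and watch which AVC goes away. Remove the wrapper, or restorecon it, when you are done.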