[selinux] Re: Idiomatic solution for tiny systemd "services"?

Miroslav Grepl mgrepl@redhat.com
Tue Mar 3 13:23:01 UTC 2015


On 03/03/2015 08:34 AM, Robin Lee Powell wrote:
> On Mon, Feb 16, 2015 at 10:35:42AM -0800, Robin Lee Powell wrote:
>> On Mon, Feb 16, 2015 at 11:21:29AM +0100, Miroslav Grepl wrote:
>>> On 02/15/2015 06:51 PM, Robin Lee Powell wrote:
>>>> On Sun, Feb 15, 2015 at 08:44:07AM -0500, Daniel J Walsh wrote:
>>>>> On 02/11/2015 08:51 PM, Robin Lee Powell wrote:
>>>>>> Hey all.  I have a tiny web service that I'm running with a ruby
>>>>>> script in ~/.rvm/ , and I'd like to run it out of systemd (just
>>>>>> to keep it running always), but init_t can't read or execute
>>>>>> user_home_t.
>>>>>>
>>>>>> Nor can init_t run runcon.
>>>>>>
>>>>>> Basically, I can't figure out any way to transition from
>>>>>> systemd's init_t to my user's type (staff_t).
>>>>>>
>>>>>> So what's the idiomatic way to handle that sort of thing?
>>>>>>
>>>>> init_t should be transitioning to a context that can read content
>>>>> in the users homedir.  What is the label on the ruby script?
>>>> user_home_t; I had no idea what to try.
>>>>
>>>>> Which policy are you using?
>>>> Whatever comes with F20.
>>>>
>>>>> Do you have unconfined.pp disabled?
>>>> Yes.
>>>>
>>>>> Also do you have the actual avcs you are seeing?
>>>> Uh, not anymore I'm afraid; I had to find a workaround and move on.
>>>> I can regenerate them if it's important?
>>>>
>>> How does your unit file look for this service?
>> I tried several versions; here's the last of them:
>>
>> [Unit]
>> Description=Converts Google Docs files to Archive Of Our Own's input format
>>
>> [Service]
>> ExecStart=/home/rlpowell/.rvm/wrappers/ruby-2.2.0@sinatra/ruby /home/rlpowell/src/gdoc-to-ao3/gdoc-to-ao3.rb -p 9080 -o 192.168.123.133
>> Restart=always
>> User=rlpowell
>> Group=rlpowell
>>
>> [Install]
>> WantedBy=multi-user.target
>>
>> A wide variety of AVCs were caused as I played around with various
>> options, but it was the execute ones that caused me the most
>> trouble; here are some examples:
>>
>> type=AVC msg=audit(1423701682.841:7262587): avc:  denied  { execute_no_trans } for  pid=2299 comm="(ruby)" path="/home/tmp/rlpowell/rvm/gems/ruby-2.2.0@sinatra/wrappers/ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
>> type=AVC msg=audit(1423701682.844:7262593): avc:  denied  { execute } for  pid=2299 comm="bash" name="ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
>> type=AVC msg=audit(1423701682.844:7262594): avc:  denied  { execute_no_trans } for  pid=2299 comm="bash" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/bin/ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
>> type=AVC msg=audit(1423701992.343:7262805): avc:  denied  { execute } for  pid=2476 comm="runcon" name="ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
>> type=AVC msg=audit(1423702215.494:7263051): avc:  denied  { execute } for  pid=2646 comm="runcon" name="ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
>> type=AVC msg=audit(1423703784.821:7264163): avc:  denied  { execute } for  pid=3456 comm="(ruby)" name="ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
>> type=AVC msg=audit(1423703784.821:7264163): avc:  denied  { execute_no_trans } for  pid=3456 comm="(ruby)" path="/home/tmp/rlpowell/rvm/gems/ruby-2.2.0@sinatra/wrappers/ruby" dev="vdd1" ino=1577409 scontext=system_u:system_r:init_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
>> type=AVC msg=audit(1423703784.824:7264171): avc:  denied  { execute } for  pid=3456 comm="bash" name="ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
>> type=AVC msg=audit(1423703784.824:7264172): avc:  denied  { execute_no_trans } for  pid=3456 comm="bash" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/bin/ruby" dev="vdd1" ino=1353559 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
>> type=AVC msg=audit(1423703851.301:7264239): avc:  denied  { execute } for  pid=3497 comm="ruby" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/lib/libruby.so.2.2.0" dev="vdd1" ino=1353561 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
>> type=AVC msg=audit(1423704154.718:7264336): avc:  denied  { execute } for  pid=3587 comm="ruby" path="/home/tmp/rlpowell/rvm/rubies/ruby-2.2.0/lib/ruby/2.2.0/x86_64-linux/enc/encdb.so" dev="vdd1" ino=1718629 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file
>>
>> Once I had those solved, I hit the problem that this script listens
>> on a high port.  Now, I have things configured so that staff_t can
>> do that, but this wouldn't run as staff_t, so I gave up and used the
>> ruby "daemons" gem instead.
> And now I'm trying to get parsoid running; same sort of situation.
>
> Here's the AVCs so far:
>
> type=AVC msg=audit(03/02/2015 23:30:11.565:327341) : avc:  denied  { execmem } for  pid=5114 comm=node scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
> type=AVC msg=audit(03/02/2015 23:30:11.628:327342) : avc:  denied  { open } for  pid=5114 comm=node path=/srv/parsoid/api/server.js dev="vdb1" ino=1048596 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:var_t:s0 tclass=file
> type=AVC msg=audit(03/02/2015 23:30:11.628:327342) : avc:  denied  { read } for  pid=5114 comm=node name=server.js dev="vdb1" ino=1048596 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:object_r:var_t:s0 tclass=file
> type=AVC msg=audit(03/02/2015 23:30:12.783:327350) : avc:  denied  { name_bind } for  pid=5114 comm=node src=9999 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket
> type=AVC msg=audit(03/02/2015 23:30:31.592:327354) : avc:  denied  { setrlimit } for  pid=5133 comm=sh scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
>
> and here's the service file:
>
> [Unit]
> Description=Mediawiki Parsoid web service on node.js
> Documentation=http://www.mediawiki.org/wiki/Parsoid
> Wants=local-fs.target network.target
> After=local-fs.target network.target
>
> [Install]
> WantedBy=multi-user.target
>
> [Service]
> Type=simple
> User=apache
> Group=apache
> WorkingDirectory=/srv/parsoid
> EnvironmentFile=-/etc/parsoid/parsoid.env
> ExecStart=/usr/bin/node /srv/parsoid/api/server.js
> KillMode=process
> Restart=on-success
> PrivateTmp=true
> StandardOutput=syslog
>
> - ------
>
> It doesn't have to be user Apache.
>
> Any hints?
>
> Is there a more active place I could be asking this question?
I apologize, I overlooked your mail.

So the question is still what the proper domain is for it. We could call

/usr/bin/node /srv/parsoid/api/server.js

from a helper script which could have a label -> httpd_exec_t?

ExecStart=/usr/bin/test_helper_script
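The helper-script approach from the reply above, worked through as an added example that is not part of this thread and not Parsoid's or Fedora's own packaging. It assumes httpd_t is the chosen domain (so the helper is labelled httpd_exec_t and systemd's exec from init_t transitions into httpd_t), an assumed helper path /usr/local/bin/parsoid-helper, and that the remaining AVCs in the poster's log are handled by labelling: /srv/parsoid as httpd_sys_content_t (the var_t read/open denials), port 9999 moved to http_port_t (the name_bind denial), and the httpd_execmem and httpd_setrlimit booleans (the execmem and setrlimit denials). The unit file keeps the poster's settings apart from dropping KillMode=process and StandardOutput=syslog and using Restart=on-failure; only the functions that write files run without SELinux, the semanage/setsebool steps are printed for review and applied only on demand.

```shell
#!/bin/sh
# Added example, not from the thread: stage a wrapper script labelled
# httpd_exec_t so that systemd (init_t) executes it and lands in httpd_t,
# instead of running node directly as initrc_t. Paths below are assumptions.
set -eu

PARSOID_DIR=/srv/parsoid                 # from the poster's unit file
HELPER=/usr/local/bin/parsoid-helper     # assumed location for the wrapper
PORT=9999                                # from the name_bind AVC

# Wrapper that ExecStart= points at. Once it carries httpd_exec_t, the
# exec from init_t is a domain transition into httpd_t.
helper_script_body() {
    cat <<EOF
#!/bin/sh
# Wrapper so SELinux transitions init_t -> httpd_t before node starts.
cd $PARSOID_DIR
exec /usr/bin/node $PARSOID_DIR/api/server.js
EOF
}

# Unit file with a single [Unit] section and ExecStart on the labelled helper.
unit_file_body() {
    cat <<EOF
[Unit]
Description=Mediawiki Parsoid web service on node.js
Documentation=http://www.mediawiki.org/wiki/Parsoid
Wants=local-fs.target network.target
After=local-fs.target network.target

[Service]
Type=simple
User=apache
Group=apache
WorkingDirectory=$PARSOID_DIR
EnvironmentFile=-/etc/parsoid/parsoid.env
ExecStart=$HELPER
Restart=on-failure
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
}

# Labelling that each AVC in the thread points at, printed so it can be
# reviewed before it is run (apply_selinux_setup pipes it into sh).
selinux_setup_commands() {
    cat <<EOF
semanage fcontext -a -t httpd_exec_t '$HELPER'
semanage fcontext -a -t httpd_sys_content_t '$PARSOID_DIR(/.*)?'
restorecon -Rv $HELPER $PARSOID_DIR
semanage port -m -t http_port_t -p tcp $PORT
setsebool -P httpd_execmem on
setsebool -P httpd_setrlimit on
EOF
}

# Write helper + unit under an optional root (use a temp dir to stage/test).
install_files() {
    root=${1:-}
    mkdir -p "$root$(dirname "$HELPER")" "$root/etc/systemd/system"
    helper_script_body > "$root$HELPER"
    chmod 0755 "$root$HELPER"
    unit_file_body > "$root/etc/systemd/system/parsoid.service"
}

# Run on the real host as root, with SELinux and policycoreutils present.
apply_selinux_setup() {
    selinux_setup_commands | sh -e
}

# After restorecon the helper must show httpd_exec_t, and a started unit
# should show the node process in httpd_t.
verify_contexts() {
    ls -Z "$HELPER" | grep -q httpd_exec_t || return 1
    ps -eZ | grep node | grep -q httpd_t
}

case "${1:-}" in
    install) install_files "${2:-}" ;;
    apply)   apply_selinux_setup && verify_contexts ;;
    *)       echo "usage: $0 install [staging-root] | apply" ;;
esac
```

Two caveats on the assumed labelling: `semanage port -m` reassigns 9999 away from jboss_management_port_t system-wide, so if anything else on the host relies on that label, changing the listening port to one already labelled http_port_t is the less invasive fix; and relabelling the helper with chcon alone does not survive a relabel, which is why the fcontext rule comes first and restorecon applies it.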


