selinux preventing init_t access to httpd_sys_content_t
I have a systemd service file that runs a script. It is getting blocked by SELinux:
type=AVC msg=audit(1570329687.437:218): avc: denied { execute } for pid=1079 comm="(index.sh)" name="make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329687.437:219): avc: denied { read open } for pid=1079 comm="(index.sh)" path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329687.437:220): avc: denied { execute_no_trans } for pid=1079 comm="(index.sh)" path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329687.450:221): avc: denied { ioctl } for pid=1079 comm="make_index.sh" path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127" ino=4295130138 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329691.303:222): avc: denied { create } for pid=1081 comm="make_index.sh" name="index.html" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329691.322:223): avc: denied { write } for pid=1081 comm="make_index.sh" name="index.html" dev="md127" ino=4295112722 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329691.322:224): avc: denied { open } for pid=1081 comm="make_index.sh" path="/srv/www/sites/linux.montclaire.lan/index.html" dev="md127" ino=4295112722 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329691.322:225): avc: denied { append } for pid=1081 comm="make_index.sh" name="index.html" dev="md127" ino=4295112722 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
So I created an SELinux module:
module montclaire 1.0;
require {
type httpd_sys_content_t;
type init_t;
class file { append create execute execute_no_trans ioctl open read write };
}
#============= init_t ==============
allow init_t httpd_sys_content_t:file { append create execute execute_no_trans ioctl open read write };
I compiled and loaded it. My script is running with SELinux enforcing.
Is this the correct thing to do? Did I put a big hole in my system?
My systemd service file (I run it from a timer, not on boot):
[Unit]
Description=Sync montclaire repositories
ConditionPathExists=/srv/www/sites/linux.montclaire.lan/make_index.sh
[Service]
User=nginx
Type=oneshot
WorkingDirectory=/srv/www/sites/linux.montclaire.lan
ExecStart=/srv/www/sites/linux.montclaire.lan/make_index.sh
linux security webserver selinux
edited 30 mins ago by Jeff Schaller♦
asked 1 hour ago by louisg00
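As an added example that is not part of the question (the only code above is the author's audit lines, module and unit file), the following Python script parses AVC denial lines like the ones quoted, groups them into the same kind of allow statement the question's module contains, and reports how broad that statement is: an allow rule is keyed on source and target type, so it applies to every process running as init_t (systemd's own domain), not only to this timer's script. SAMPLE_AVC is a constructed subset of the question's audit output; WRITE_LIKE and EXEC_LIKE are the script's own groupings, not SELinux policy macros.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the AVC denials quoted in the question,
# with the dev=/ino= fields dropped because the parser does not use them.
SAMPLE_AVC = """\
type=AVC msg=audit(1570329687.437:218): avc: denied { execute } for pid=1079 comm="(index.sh)" name="make_index.sh" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329687.437:220): avc: denied { execute_no_trans } for pid=1079 comm="(index.sh)" path="/srv/www/sites/linux.montclaire.lan/make_index.sh" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329691.303:222): avc: denied { create } for pid=1081 comm="make_index.sh" name="index.html" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329691.322:223): avc: denied { write } for pid=1081 comm="make_index.sh" name="index.html" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
"""

# Fields we need from one AVC line: the permission set, both contexts and the class.
AVC_RE = re.compile(
    r"denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+).*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\w+)"
)

# Script's own groupings (assumption, not policy macros): permissions that modify
# the target's files, and permissions that let the source domain run them.
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr"}
EXEC_LIKE = {"execute", "execute_no_trans"}


def parse_avc(text):
    """Group denials by (source type, target type, class) -> set of permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group("scon").split(":")[2]  # context layout is user:role:TYPE:level
        ttype = m.group("tcon").split(":")[2]
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)


def to_allow_rules(rules):
    """Render the grouped denials as policy allow statements (sorted for stable output)."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(rules.items())
    ]


def review(rules):
    """Return warnings describing how far each generated allow statement reaches."""
    notes = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if stype == "init_t":
            notes.append(f"{stype}->{ttype}: init_t is systemd's own domain, so this rule "
                         "covers every process running as init_t, not just this unit")
        if perms & WRITE_LIKE and ttype.endswith("_content_t"):
            notes.append(f"{stype}->{ttype}: grants {sorted(perms & WRITE_LIKE)} on a web "
                         "content type that httpd policy treats as read-only content")
        if perms & EXEC_LIKE:
            notes.append(f"{stype}->{ttype}: allows running any {ttype} {tclass} as {stype} "
                         "(execute_no_trans means no domain transition), not only make_index.sh")
    return notes


if __name__ == "__main__":
    grouped = parse_avc(SAMPLE_AVC)
    print("\n".join(to_allow_rules(grouped)))
    print("\n".join(review(grouped)))
```

Feed it `ausearch -m AVC` output instead of SAMPLE_AVC to review a real denial set before building a module from it.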