#15 SELinux avc: denies / exec domain
Opened 4 months ago by ne0l. Modified 4 months ago

Hi, following the example in https://pagure.io/oddjob/raw/master/f/doc/oddjob.html and executing

dbus-send --system --dest=com.example.system_manager --print-reply /com/example/Systems/server1 com.example.power.reboot

results in a SELinux AVC denial:

type=SYSCALL msg=audit(1660040815.627:167): arch=c000003e syscall=191 success=no exit=-13 a0=559777deac40 a1=7f6e4a9f5251 a2=559777e00350 a3=ff items=0 ppid=3390 pid=3555 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="oddjobd" exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1660040815.627:167): avc:  denied  { getattr } for  pid=3555 comm="oddjobd" name="systemctl" dev="dm-1" ino=13180 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=0

Trying to use /usr/libexec/oddjob/sanity.sh as an exec helper for testing purposes, I also get a SELinux AVC transition denial:

type=SYSCALL msg=audit(1660039785.371:85): arch=c000003e syscall=59 success=no exit=-13 a0=55cffc5944f0 a1=55cffc5a1ff0 a2=55cffc598180 a3=0 items=0 ppid=986 pid=1320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="oddjobd" exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1660039785.371:85): avc:  denied  { transition } for  pid=1320 comm="oddjobd" path="/usr/libexec/oddjob/sanity.sh" dev="dm-1" ino=44222 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0

How is this service supposed to make a SELinux transition? Which SELinux entry points are supported?

For the case of sanity.sh I installed a SELinux module with "allow oddjob_t unconfined_t:process transition;", but that does not feel like a best practice.

I would appreciate any hints, thanks!
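As an added illustration of the transition problem above (not part of the ticket and not oddjob's or the distribution's own policy), a type-enforcement module that gives the helper its own confined domain instead of letting oddjob_t transition to unconfined_t. The module name, the types oddjob_sanity_t and oddjob_sanity_exec_t, and the set of permissions granted to the helper are assumptions for this example; the oddjob_t type and system_r role are taken from the AVC records in the ticket.

```selinux
policy_module(oddjob_sanity, 1.0.0)

########################################
# Declarations
#
# Example module, not shipped with oddjob. It assumes the helper
# /usr/libexec/oddjob/sanity.sh will be labelled oddjob_sanity_exec_t
# (semanage fcontext + restorecon) after the module is installed.

require {
    type oddjob_t;
    role system_r;
}

# A dedicated domain for the helper process and a type for its
# executable, so the helper runs confined rather than as unconfined_t.
type oddjob_sanity_t;
type oddjob_sanity_exec_t;
domain_type(oddjob_sanity_t)
domain_entry_file(oddjob_sanity_t, oddjob_sanity_exec_t)
# oddjobd runs in system_r (see scontext in the AVC record), so the
# new domain must be reachable from that role.
role system_r types oddjob_sanity_t;

########################################
# Domain transition from oddjobd to the helper
#
# domtrans_pattern expands to the four pieces a transition needs:
#   allow oddjob_t oddjob_sanity_exec_t:file execute (and friends);
#   allow oddjob_sanity_t oddjob_sanity_exec_t:file entrypoint;
#   allow oddjob_t oddjob_sanity_t:process transition;
#   type_transition oddjob_t oddjob_sanity_exec_t:process oddjob_sanity_t;
# The type_transition makes the switch automatic when oddjobd execs
# the labelled file, with no exec-context handling in oddjobd itself.
domtrans_pattern(oddjob_t, oddjob_sanity_exec_t, oddjob_sanity_t)

########################################
# What the helper domain itself may do
#
# sanity.sh is a shell script, so the domain needs an interpreter and
# the usual bin directories. Anything else the script touches should be
# added from its own AVC records (ausearch -m avc -c sanity.sh) rather
# than granted up front.
corecmd_exec_shell(oddjob_sanity_t)
corecmd_exec_bin(oddjob_sanity_t)
```

Build it with the reference-policy development Makefile (/usr/share/selinux/devel/Makefile), install with semodule -i, then label the script with semanage fcontext -a -t oddjob_sanity_exec_t and restorecon; the transition denial to unconfined_t disappears because execution now lands in oddjob_sanity_t.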

