From: Ian Pilcher <arequipeno@gmail.com>
To: SElinux list <selinux@vger.kernel.org>
Subject: Daemon cannot execute python
Date: Wed, 29 Apr 2020 11:01:10 -0500	[thread overview]
Message-ID: <53c7aec9-e132-315e-be42-d7bdc9060eed@gmail.com> (raw)

Over the years, I've written several Python-based daemons for my home
network.  I've also written SELinux policies for these daemons.

After a recent CentOS 7 update, which includes
selinux-policy-targeted-3.13.1-266.el7.noarch, these daemons are failing
to start:

   type=AVC msg=audit(1588171416.424:157): avc:  denied  { execute } for
   pid=3359 comm="denatc" path="/usr/bin/python2.7" dev="dm-0"
   ino=12679476 scontext=system_u:system_r:denatc_t:s0
   tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

For some reason, these policies worked in the past without including
specific permission to execute bin_t files (something that I'd prefer to
avoid, as it's awfully broad).

Does anyone have any idea what changed (i.e. why did this work before)?

Is there any way to make things work other than giving any Python-based
daemon permission to execute *any* bin_t file?

Thanks!

-- 
========================================================================
                  In Soviet Russia, Google searches you!
========================================================================
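The AVC record quoted above carries everything needed to name the rule the policy lacks and to query the loaded policy for it. The script below is an added example and is not code from this thread or from the poster's policy: it parses `avc: denied` lines the way audit2allow does, merges permissions per (source type, target type, class), and emits both the `allow` rule and the matching `sesearch` query. The first sample line is the denial from the post; the second is constructed here only to show permission merging. The rule it produces for this case, `allow denatc_t bin_t:file { execute ... };`, is exactly the broad grant the poster wants to avoid (it is what the refpolicy interface `corecmd_exec_bin()` expands to); running the generated `sesearch` against the old and new `selinux-policy-targeted` packages is the way to confirm whether that rule was ever granted to the domain, rather than guessing.

```python
"""Turn SELinux AVC denials into the allow rule audit2allow would propose,
plus the sesearch query that checks whether the loaded policy already
grants it.  Added example; not code from the mailing-list thread."""
import re
from collections import defaultdict

# First line: the denial quoted in the post (joined onto one line).
# Second line: constructed for this example to demonstrate permission
# merging; it is not a real denial from the poster's system.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1588171416.424:157): avc:  denied  { execute } for  pid=3359 comm="denatc" path="/usr/bin/python2.7" dev="dm-0" ino=12679476 scontext=system_u:system_r:denatc_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1588171416.425:158): avc:  denied  { read open } for  pid=3359 comm="denatc" path="/usr/bin/python2.7" dev="dm-0" ino=12679476 scontext=system_u:system_r:denatc_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1588171416.424:157): arch=c000003e syscall=59 success=no exit=-13
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_avc(line):
    """Return a dict describing one 'avc: denied' record, or None for any
    other audit line (SYSCALL, CWD, PATH, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if any(k not in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": set(m.group("perms").split()),
        # A context is user:role:type[:range]; the type is the third field.
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "path": fields.get("path", ""),
        "comm": fields.get("comm", ""),
        # permissive=0 means the access was actually blocked, not just logged.
        "enforced": fields.get("permissive") == "0",
    }


def collect_rules(audit_text):
    """Merge all denials sharing (source type, target type, class) into one
    permission set, as audit2allow does when it proposes a rule."""
    merged = defaultdict(set)
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(merged)


def allow_rule(key, perms):
    """Policy-language allow rule for one merged denial."""
    stype, ttype, tclass = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"


def sesearch_query(key, perms):
    """sesearch invocation that lists any loaded allow rule granting these
    permissions; an empty result means the policy really lacks the rule."""
    stype, ttype, tclass = key
    return f"sesearch -A -s {stype} -t {ttype} -c {tclass} -p {','.join(sorted(perms))}"


if __name__ == "__main__":
    for key, perms in collect_rules(SAMPLE_AUDIT).items():
        print(allow_rule(key, perms))
        print("  check with:", sesearch_query(key, perms))
```

Run it against the real log with `ausearch -m AVC -ts recent` piped into `collect_rules`. The denial as quoted turns into `allow denatc_t bin_t:file { execute };`, and the printed `sesearch -A -s denatc_t -t bin_t -c file -p execute` can be run with both the previous and the -266 policy installed to see whether the execute permission was ever present for the domain.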


Thread overview: 8+ messages
2020-04-29 16:01 Ian Pilcher [this message]
2020-04-29 16:47 ` Daemon cannot execute python Stephen Smalley
2020-04-29 18:02   ` Ian Pilcher
2020-04-29 19:24     ` Ian Pilcher
2020-04-29 20:04       ` Stephen Smalley
2020-04-29 23:29         ` Ian Pilcher
2020-04-30  6:18           ` Ian Pilcher
2020-04-30 12:59             ` Stephen Smalley
