* runcon in enforcing mode
@ 2019-01-30 21:21 Ian Pilcher
2019-01-30 21:38 ` Stephen Smalley
From: Ian Pilcher @ 2019-01-30 21:21 UTC (permalink / raw)
To: selinux
Does $SUBJECT ever work?
I am trying to figure out why a script is failing when run by
certmonger (system_u:system_r:certmonger_t:s0), but attempting to run
any executable is giving me a denial.
$ sudo runcon system_u:system_r:certmonger_t:s0 /bin/true
runcon: ‘/bin/true’: Permission denied
type=AVC msg=audit(1548883146.502:300): avc: denied { entrypoint } for
pid=12697 comm="runcon" path="/usr/bin/true" dev="dm-3" ino=2190
scontext=system_u:system_r:certmonger_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
Am I doing something wrong?
--
========================================================================
Ian Pilcher arequipeno@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
* Re: runcon in enforcing mode
2019-01-30 21:21 runcon in enforcing mode Ian Pilcher
@ 2019-01-30 21:38 ` Stephen Smalley
From: Stephen Smalley @ 2019-01-30 21:38 UTC (permalink / raw)
To: Ian Pilcher, selinux
On 1/30/19 4:21 PM, Ian Pilcher wrote:
> Does $SUBJECT ever work?
>
> I am trying to figure out why a script is failing when run by
> certmonger (system_u:system_r:certmonger_t:s0), but attempting to run
> any executable is giving me a denial.
>
> $ sudo runcon system_u:system_r:certmonger_t:s0 /bin/true
> runcon: ‘/bin/true’: Permission denied
>
> type=AVC msg=audit(1548883146.502:300): avc: denied { entrypoint } for
> pid=12697 comm="runcon" path="/usr/bin/true" dev="dm-3" ino=2190
> scontext=system_u:system_r:certmonger_t:s0
> tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
>
> Am I doing something wrong?
A key aspect of type enforcement is ensuring that a given domain can
only be entered via an approved executable and can only execute
authorized code. Hence, the entrypoint check. This means that if you
want to experiment with running some other program in a domain, you must
do one of the following:
1) Label the file in question with the authorized type, e.g.
cp /bin/true .
chcon -t certmonger_exec_t true
runcon system_u:system_r:certmonger_t:s0 ./true
2) Create and insert a local policy module allowing entrypoint to the
type of the file,
-or-
3) Make the domain permissive or set the global enforcing mode to
permissive.
You may also encounter other denials related to the transition since
normally certmonger wouldn't be started this way.
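An added example, not part of the thread above: a small POSIX shell script that carries out option 2 from the reply mechanically. It parses the AVC record Ian posted (copied verbatim into the script) into source type, target type, object class and permission set, emits the minimal .te module that allows exactly that access, and builds and inserts the module only when checkmodule, semodule_package and semodule are on the PATH. The module name local_runcon_certmonger is an assumption.

```shell
#!/bin/sh
# Added example; not code from the original thread.
# Derive a minimal local policy module from an AVC "denied" record so that
# runcon can enter certmonger_t through a bin_t executable.

# The denial as posted in the thread (joined onto one line).
AVC='type=AVC msg=audit(1548883146.502:300): avc: denied { entrypoint } for pid=12697 comm="runcon" path="/usr/bin/true" dev="dm-3" ino=2190 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY -> value of "KEY=..." in the record (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms RECORD -> the permission names inside "denied { ... }"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# ctx_type CONTEXT -> the type component (third colon-separated field)
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# gen_te RECORD -> a .te source allowing exactly the denied access.
# Module name "local_runcon_certmonger" is an assumption for this example.
gen_te() {
    sdom=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    cat <<EOF
module local_runcon_certmonger 1.0;

require {
    type $sdom;
    type $ttype;
    class $tclass { $perms };
}

allow $sdom $ttype:$tclass { $perms };
EOF
}

# install_module BASENAME -> write, compile, package and insert the module.
# Skips (exit status 2) when the SELinux policy toolchain is not installed,
# so the script can still be run on a machine without SELinux.
install_module() {
    base=$1
    for tool in checkmodule semodule_package semodule; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "$tool not found; not building $base.pp" >&2
            return 2
        fi
    done
    gen_te "$AVC" > "$base.te" &&
    checkmodule -M -m -o "$base.mod" "$base.te" &&
    semodule_package -o "$base.pp" -m "$base.mod" &&
    sudo semodule -i "$base.pp"
}

# Stand-alone run: print the generated module source.
gen_te "$AVC"
```

After `install_module local_runcon_certmonger` succeeds, `sesearch -A -s certmonger_t -t bin_t -c file -p entrypoint` should show the new rule and the `runcon ... /bin/true` invocation from the first message should get past the entrypoint check. Note that this rule makes every bin_t file a valid entry point into certmonger_t, which is exactly the guarantee the reply says entrypoint exists to provide; for a one-off experiment, option 1 (a copy of the binary relabelled certmonger_exec_t) is the narrower change, and as the reply warns, further denials from the unusual transition may still follow.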