Hi,
After upgrading to F24, my custom service ttrss-update.service doesn't start anymore. I think it was launched before as unconfined_t, but now I get this AVC. Should I open a bug?
SELinux is preventing php from read access on the file /var/www/ttrss.miceliux.com/update_daemon2.php.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that php should be allowed read access on the update_daemon2.php file by default,
then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'php' --raw | audit2allow -M my-php
# semodule -X 300 -i my-php.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:httpd_sys_content_t:s0
Target Objects                /var/www/ttrss.miceliux.com/update_daemon2.php [ file ]
Source                        php
Source Path                   php
Port                          <Unknown>
Host                          argon
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-190.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     argon
Platform                      Linux argon 4.5.5-300.fc24.x86_64 #1 SMP Thu May 19 13:05:32 UTC 2016 x86_64 x86_64
Alert Count                   35
First Seen                    2016-06-16 10:26:22 CEST
Last Seen                     2016-06-19 13:42:58 CEST
Local ID                      853772a0-7b0e-4f8d-a700-0e829fc401c6

Raw Audit Messages
type=AVC msg=audit(1466336578.797:5880): avc: denied { read } for pid=7743 comm="php" name="update_daemon2.php" dev="dm-0" ino=25403430 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0

Hash: php,init_t,httpd_sys_content_t,file,read
This is the service unit:
# systemctl cat ttrss-update.service
# /etc/systemd/system/ttrss-update.service
[Unit]
Description=Tiny Tiny RSS Update daemon
After=network-online.target
After=mariadb.service
Wants=mariadb.service
Requires=network-online.target

[Service]
Type=simple
User=apache
Group=apache
WorkingDirectory=/var/www/ttrss.miceliux.com
ExecStart=/usr/bin/php /var/www/ttrss.miceliux.com/update_daemon2.php
ProtectSystem=full
ProtectHome=true
Nice=19
StandardOutput=null
StandardError=journal
PrivateTmp=true
PrivateDevices=true
NoNewPrivileges=true
Restart=always

[Install]
WantedBy=multi-user.target
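Before following the catchall plugin's advice it is worth seeing exactly what the suggested `ausearch | audit2allow` module would grant. The AVC quoted above has scontext init_t: systemd executed /usr/bin/php (normally labeled bin_t, which gives no transition out of init_t) and the daemon kept running in systemd's own domain, so the generated module would be an `allow init_t httpd_sys_content_t:file read;` rule that widens init_t rather than confining the service. The script below is an added example, not part of the original post or of Fedora's tooling: it extracts the fields from a raw AVC record, prints the equivalent policy rule, and refuses it when the subject is a system domain. The AVC line is constructed from the one in the post; the list of domains treated as "must not widen" is this example's own assumption.

```shell
#!/bin/sh
# Added example, not from the original post: turn a raw AVC record into the
# allow rule that an audit2allow-generated module would contain, and refuse
# to accept it when the subject is a system domain such as init_t.
# The AVC line is constructed from the one quoted in the post above.

SAMPLE_AVC='type=AVC msg=audit(1466336578.797:5880): avc: denied { read } for pid=7743 comm="php" name="update_daemon2.php" dev="dm-0" ino=25403430 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'

# Domains a local module must never widen: init_t is systemd itself, the
# others are already unconfined. This list is this example's own assumption,
# not something the reference policy defines.
PRIVILEGED_DOMAINS="init_t unconfined_t kernel_t"

# avc_field NAME LINE: print the value of NAME=... (quoted or bare).
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[ ]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permissions listed inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \(.*\) } for .*/\1/p'
}

# avc_to_rule LINE: the policy-language rule equivalent to what audit2allow
# derives from this single denial.
avc_to_rule() {
    printf 'allow %s %s:%s { %s };\n' \
        "$(ctx_type "$(avc_field scontext "$1")")" \
        "$(ctx_type "$(avc_field tcontext "$1")")" \
        "$(avc_field tclass "$1")" \
        "$(avc_perms "$1")"
}

# rule_widens_system_domain RULE: exit 0 if the rule's source domain is in
# PRIVILEGED_DOMAINS, 1 otherwise.
rule_widens_system_domain() {
    src=$(printf '%s\n' "$1" | awk '{ print $2 }')
    for d in $PRIVILEGED_DOMAINS; do
        [ "$src" = "$d" ] && return 0
    done
    return 1
}

RULE=$(avc_to_rule "$SAMPLE_AVC")
echo "comm=$(avc_field comm "$SAMPLE_AVC") ran in $(ctx_type "$(avc_field scontext "$SAMPLE_AVC")"): no domain transition happened on exec"
echo "audit2allow would add: $RULE"
if rule_widens_system_domain "$RULE"; then
    echo "REFUSE: that widens a system domain; confine the service into a web domain instead"
fi
```

On a live host the same functions can be fed real records, e.g. `ausearch -m AVC -c php --raw | while read -r line; do avc_to_rule "$line"; done`, which is a quick way to review what a proposed module will contain before `semodule -i` installs it.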
The problem is that your script is being executed under the init_t type. You should be able to update your unit file to specify an appropriate SELinux context for your script.
http://man7.org/linux/man-pages/man5/systemd.exec.5.html
Under [Service], add something like this:
SELinuxContext=system_u:system_r:httpd_sys_script_t:s0-c0.c1023
You may also be able to label your script httpd_exec_t and have it transition to the Apache domain so that it doesn't run as init_t when your system starts.
On Sun, Jun 19, 2016 at 6:52 AM Juan Orti Alcaine <j.orti.alcaine@gmail.com> wrote:
-- 
Juan Orti
https://apuntesderootblog.wordpress.com/

-- 
selinux mailing list
selinux@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
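The SELinuxContext= line suggested in the reply makes systemd set the requested context before exec, and the linked systemd.exec page is explicit that the policy still has to authorize that transition (and that without a leading "-" a refused transition fails the exec, so the service will not start). A transition from init_t into a new domain through an executable of some type needs three rules: init_t may transition to the new domain (process transition), init_t may execute the file type, and the new domain has entrypoint on that file type. For the proposed httpd_sys_script_t that last rule is the one to check, since the executable is /usr/bin/php (confirm its type with `ls -Z /usr/bin/php`; it is normally bin_t) rather than the script. Two caveats the unit on the page makes relevant: it sets NoNewPrivileges=true, and on kernels before 4.14 (the post shows 4.5.5) SELinux refuses every domain transition for a no_new_privs process unless the new type is bounded by the old one with typebounds, so NoNewPrivileges may have to be dropped from the unit or a typebounds added to the policy. The script below is an added example, not from the thread or from Fedora's tooling: it reads allow rules in the format setools' sesearch prints and reports which of the three conditions hold. The sample listing is constructed for the example and is not a claim about what Fedora's policy contains; it is shaped so that init_t -> httpd_t via httpd_exec_t is complete while init_t -> httpd_sys_script_t via bin_t lacks the entrypoint rule.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether SELinuxContext=NEW would
# be authorized for a service that init_t starts through an executable of
# type EXEC. The kernel needs three allow rules for that transition:
#   allow SRC NEW:process transition;
#   allow SRC EXEC:file execute;
#   allow NEW EXEC:file entrypoint;
# Rules are read from stdin in the format setools' sesearch prints.

# Constructed listing for this example. It is NOT Fedora's policy; it is
# shaped so that init_t -> httpd_t via httpd_exec_t is complete while
# init_t -> httpd_sys_script_t via bin_t lacks the entrypoint rule.
SAMPLE_RULES='allow init_t httpd_t:process transition;
allow init_t httpd_exec_t:file { execute open read };
allow httpd_t httpd_exec_t:file { entrypoint execute open read };
allow init_t bin_t:file { execute open read };
allow init_t httpd_sys_script_t:process transition;'

# has_rule SRC TGT CLASS PERM: exit 0 if stdin holds an allow rule granting
# PERM on TGT:CLASS to SRC, whether written as "perm;" or "{ p1 p2 };".
has_rule() {
    awk -v s="$1" -v t="$2" -v c="$3" -v p="$4" '
        $1 == "allow" && $2 == s {
            split($3, tc, ":")                 # "target:class"
            if (tc[1] != t || tc[2] != c) next
            perms = $0
            sub(/^[^:]*:[^ ]* /, "", perms)     # strip "allow SRC TGT:CLASS "
            gsub(/[{};]/, " ", perms)           # leave bare permission names
            n = split(perms, arr, " ")
            for (i = 1; i <= n; i++) if (arr[i] == p) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# check_domtrans SRC NEW EXEC: report each of the three rules as ok/MISS;
# exit 0 only when the transition is fully authorized.
check_domtrans() {
    src=$1; new=$2; exe=$3
    rules=$(cat)                    # read stdin once, scan it three times
    status=0
    for spec in "$src $new process transition" \
                "$src $exe file execute" \
                "$new $exe file entrypoint"; do
        set -- $spec
        if printf '%s\n' "$rules" | has_rule "$1" "$2" "$3" "$4"; then
            echo "ok   allow $1 $2:$3 $4;"
        else
            echo "MISS allow $1 $2:$3 $4;"
            status=1
        fi
    done
    return $status
}

echo "== init_t -> httpd_t via httpd_exec_t"
printf '%s\n' "$SAMPLE_RULES" | check_domtrans init_t httpd_t httpd_exec_t || true
echo "== init_t -> httpd_sys_script_t via bin_t (SELinuxContext= proposal with /usr/bin/php)"
printf '%s\n' "$SAMPLE_RULES" | check_domtrans init_t httpd_sys_script_t bin_t \
    || echo "-> the kernel would refuse this exec; relabel the executable or pick a domain it can enter"
```

On a live host with setools installed, replace the sample with the real policy: `{ sesearch -A -s init_t -c process,file; sesearch -A -s httpd_sys_script_t -c file -p entrypoint; } | check_domtrans init_t httpd_sys_script_t bin_t`. If all three lines come back ok, put the SELinuxContext= line in a drop-in (`systemctl edit ttrss-update.service`) rather than editing the unit in place, and check the result with `ps -o label= -p "$(systemctl show -p MainPID --value ttrss-update.service)"`.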