So, once again, you've added an initscript that works fine in test to a prod server. It fails. And you get permission denied to write to a directory - but wait a minute, the process starts as root?
The obvious suspect: SELinux. Turning it off is the stupid way out and not an option.
[root@gnuff ~]# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1389617233.067:1073936): avc: denied { write } for pid=34988 comm="tcpdump" name="ts" dev=dm-2 ino=1572884 scontext=unconfined_u:system_r:netutils_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
So tcpdump isn't allowed to write to a var_t directory. Fair enough, really. What is it allowed to write to, from a confined user?
sesearch to the rescue! (yum install setools-console)
[root@gnuff ~]# sesearch -T -s netutils_t
Found 3 semantic te rules:
type_transition netutils_t tmp_t : file netutils_tmp_t;
type_transition netutils_t tmp_t : dir netutils_tmp_t;
type_transition netutils_t abrt_helper_exec_t : process abrt_helper_t;
This searches for type transition rules with netutils_t as the source type, i.e. the types that files and directories it creates end up with. Aha!
[root@gnuff ~]# chcon -t netutils_tmp_t /var/cache/ts
And restart ... and voila! No more permission denied.
[root@gnuff ~]# semanage fcontext -a -t netutils_tmp_t /var/cache/ts
makes it permanent. (yum install policycoreutils-python if you have no semanage)
Better do it via puppet, of course. (selinux_fcontext)
PS. The strictly correct option is rather:
[root@gnuff ~]# sesearch -A -s netutils_t | grep dir | grep write
allow netutils_t netutils_tmp_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow netutils_t dirsrv_var_run_t : sock_file { write getattr append open } ;
allow netutils_t tmp_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
which searches for allow rules. But the type transition search returns far fewer hits and is worth a try as a first approximation when a sysadmin needs a fix-it-fast answer. Few apps transition to a type they can't read/write.
([root@gnuff ~]# sesearch -A -s netutils_t | wc -l
365
)
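As an added example that is not part of the original post: the "strictly correct" allow-rule search done as a proper parse of the AVC line and of the sesearch -A output, matching on object class and permission instead of "grep dir | grep write" (which, as the output above shows, also catches the dirsrv_var_run_t sock_file rule). The AVC line is the one quoted earlier; the rule lines are the post's three plus one constructed var_t rule, and on a real box you would pipe in `sesearch -A -s "$src_type"` instead.

```shell
#!/bin/sh
# Added example, not from the original post. The AVC line is the one quoted
# above; the sesearch -A output is the post's three rules plus one constructed
# var_t rule (no write permission) to show the class/permission filter at work.

# Pull a key=value field (scontext, tcontext, tclass, ...) out of one AVC line.
avc_field() {  # $1 = field name, $2 = AVC line
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# user:role:type:level -> type, e.g. unconfined_u:system_r:netutils_t:s0 -> netutils_t
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# "avc: denied { write } for ..." -> write (first listed permission)
avc_denied_perm() {
  printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([a-z_]*\).*/\1/p'
}

# Read `sesearch -A -s <type>` output on stdin; print the target types whose
# allow rule grants permission $2 on object class $1. Matching on the class
# field avoids the "grep dir" false hit on dirsrv_var_run_t : sock_file.
allowed_targets() {  # $1 = tclass, $2 = permission
  awk -v cls="$1" -v perm="$2" '
    $1 == "allow" && $4 == ":" && $5 == cls {
      for (i = 7; i <= NF && $i != "}"; i++)
        if ($i == perm) { print $3; break }
    }' | sort -u
}

AVC='type=AVC msg=audit(1389617233.067:1073936): avc: denied { write } for pid=34988 comm="tcpdump" name="ts" dev=dm-2 ino=1572884 scontext=unconfined_u:system_r:netutils_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir'

RULES='allow netutils_t netutils_tmp_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow netutils_t dirsrv_var_run_t : sock_file { write getattr append open } ;
allow netutils_t tmp_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow netutils_t var_t : dir { getattr search open } ;'

src_type=$(context_type "$(avc_field scontext "$AVC")")
tclass=$(avc_field tclass "$AVC")
perm=$(avc_denied_perm "$AVC")
echo "$src_type denied $perm on $tclass; target types that allow it:"
printf '%s\n' "$RULES" | allowed_targets "$tclass" "$perm"
```

The result lists only netutils_tmp_t and tmp_t, which is exactly the set the type_transition shortcut pointed at.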