Bug 2112586
Summary: | SELinux is preventing Python scripts launched via smartd’s exec directive from making network requests | |
---|---|---|---
Product: | Fedora | Reporter: | andoryuuhonmono
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela>
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 36 | CC: | dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, pkoncity, vmojzis, zpytela
Target Milestone: | --- | Keywords: | Triaged
Target Release: | --- | |
Hardware: | x86_64 | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2022-09-12 13:26:22 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
andoryuuhonmono
2022-07-30 20:07:27 UTC
I found some examples, so I have now written the following policy to work around this issue:

```
policy_module(smartd_exec_subprocess, 1.0)

gen_require(`
	type fsdaemon_t;
	type unconfined_t;
	role system_r;
')

# define a type for smartd-exec files
type smartd_exec_t;
files_type(smartd_exec_t)

# when a process labeled with the 'fsdaemon_t' type (e.g. smartd)
# executes a file labeled with the 'smartd_exec_t' type, transition
# the spawned process into the 'unconfined_t' domain
domain_auto_trans(fsdaemon_t, smartd_exec_t, unconfined_t);

# set 'smartd_exec_t' as an entrypoint to the 'unconfined_t' domain
allow unconfined_t smartd_exec_t:file entrypoint;

# smartd is running as role 'system_r'; allow 'unconfined_t' to be executed in this role
role system_r types unconfined_t;
```

This allows my specific script to run unconfined so that the network requests will work.

As this is a local customization, I also suggest using a local SELinux policy module like this:

```
# cat local_fsdaemon_http.cil
(allow fsdaemon_t http_port_t (tcp_socket (name_connect)))
# semodule -i local_fsdaemon_http.cil
```
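As an added illustration (not part of the bug report and not selinux-policy code), the script below reads AVC denial records of the kind auditd writes to /var/log/audit/audit.log when a script spawned by smartd hits the `name_connect` denial, groups them by source type, target type and object class, and emits the narrow CIL `allow` rules that grant exactly the denied permissions. This is the least-privilege alternative to transitioning the script into `unconfined_t`, which bypasses SELinux confinement entirely. The audit lines, pids, timestamps and the extra `net_conf_t` file denial in `SAMPLE_AUDIT_LOG` are constructed sample input, included to show that the same grouping handles more than one object class.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape auditd writes for SELinux denials.
# They are illustrative only and are not taken from the bug report above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1659211647.101:512): avc:  denied  { name_connect } for  pid=2310 comm="python3" dest=443 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1659211647.102:513): avc:  denied  { name_connect } for  pid=2310 comm="python3" dest=80 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1659211647.102:513): arch=c000003e syscall=42 success=no exit=-13 comm="python3"
type=AVC msg=audit(1659211650.007:520): avc:  denied  { read open } for  pid=2310 comm="python3" path="/etc/resolv.conf" scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
"""

# Matches the permission set, source context, target context and class of one AVC record.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of an SELinux context written as user:role:type[:level]."""
    return ctx.split(':')[2]


def collect_denials(log_text):
    """Group denied permissions by (source type, target type, object class).

    Non-AVC records (SYSCALL, PROCTITLE, ...) are skipped; repeated denials
    of the same triple are merged so one rule covers all of them.
    """
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m['scontext']), context_type(m['tcontext']), m['tclass'])
        denials[key].update(m['perms'].split())
    return denials


def to_cil(denials):
    """Emit one CIL allow rule per (source, target, class); permissions are sorted."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        rules.append(f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))")
    return rules


def module_text(log_text):
    """Return the contents of a .cil file that grants only what the log shows was denied."""
    return '\n'.join(to_cil(collect_denials(log_text))) + '\n'


if __name__ == '__main__':
    # For a real system: sudo ausearch -m AVC -ts recent | python3 this_script.py
    # (stdin handling omitted here; the constructed sample is used instead).
    print(module_text(SAMPLE_AUDIT_LOG), end='')
```

Review the generated rules before loading them with `semodule -i`: each line should name only the daemon's own domain and the specific target type it needs, and any rule that would grant a broad class such as a full `file` write to an unrelated type is a sign the script is doing more than it should.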