Daemon on Linux

Molochnik:
I have an app that works fine as an application but fails to start as a daemon with a message that is cryptic to me:

--- Code: ---
SELinux is preventing /usr/lib/systemd/systemd from execute access on the file /opt/cumanager/cumanagerl.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed execute access on the cumanagerl file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(managerl)' --raw | audit2allow -M my-managerl
# semodule -X 300 -i my-managerl.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                /opt/cumanager/cumanagerl [ file ]
Source                        (managerl)
Source Path                   /usr/lib/systemd/systemd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           systemd-239-82.el8.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-139.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-139.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.18.0-547.el8.x86_64
                              #1 SMP Wed Mar 20 00:35:01 UTC 2024 x86_64 x86_64
Alert Count                   27
Local ID                      81ccef8d-4c75-4ecc-8917-4b4aac79c294

Raw Audit Messages
type=AVC msg=audit(1712781227.912:267): avc:  denied  { execute } for  pid=99560 comm="(managerl)" name="cumanagerl" dev="dm-1" ino=4024712 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1712781227.912:267): arch=x86_64 syscall=execve success=no exit=EACCES a0=5623b18c0010 a1=5623b18b8d70 a2=5623b18f0480 a3=7 items=0 ppid=1 pid=99560 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=(managerl) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)

Hash: (managerl),init_t,admin_home_t,file,execute
--- End code ---
What to do with it?

PierceNg:

--- Quote from: Molochnik on April 10, 2024, 11:37:10 pm ---
I have an app that works fine as an application but fails to start as a daemon with a message that is cryptic to me:

--- Code: ---
SELinux is preventing /usr/lib/systemd/systemd from execute access on the file /opt/cumanager/cumanagerl.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(managerl)' --raw | audit2allow -M my-managerl
# semodule -X 300 -i my-managerl.pp
--- End code ---
What to do with it?

--- End quote ---

Run those commands to generate a local policy module like it says? And of course read their manual pages before you do so.

Molochnik:
I tried what was written; the local policy is created and enabled, but I got another failure:
/var/log# sealert -l b411f13c-ff07-4fcf-b881-a68575773b23

--- Code: ---
SELinux is preventing /usr/lib/systemd/systemd from execute_no_trans access on the file /opt/cumanager/cumanagerl.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/opt/cumanager/cumanagerl default label should be usr_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /opt/cumanager/cumanagerl

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that systemd should be allowed execute_no_trans access on the cumanagerl file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(managerl)' --raw | audit2allow -M my-managerl
# semodule -X 300 -i my-managerl.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                /opt/cumanager/cumanagerl [ file ]
Source                        (managerl)
Source Path                   /usr/lib/systemd/systemd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           systemd-239-82.el8.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-139.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-139.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.18.0-552.el8.x86_64
                              #1 SMP Sun Apr 7 19:39:51 UTC 2024 x86_64 x86_64
Alert Count                   1
Local ID                      b411f13c-ff07-4fcf-b881-a68575773b23

Raw Audit Messages
type=AVC msg=audit(1712819658.562:267): avc:  denied  { execute_no_trans } for  pid=71839 comm="(managerl)" path="/opt/cumanager/cumanagerl" dev="dm-1" ino=4024712 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1712819658.562:267): arch=x86_64 syscall=execve success=no exit=EACCES a0=557a48a50610 a1=557a489fd740 a2=557a48a16230 a3=7 items=0 ppid=1 pid=71839 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=(managerl) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)

Hash: (managerl),init_t,admin_home_t,file,execute_no_trans
--- End code ---
I have never encountered SELinux before and have no idea what it is all about. Why does my daemon make SELinux so excited?

Leledumbo:

--- Quote from: Molochnik on April 11, 2024, 09:39:34 am ---
I have never encountered SELinux before and have no idea what it is all about. Why does my daemon make SELinux so excited?

--- End quote ---
As its name suggests, Security Enhanced Linux is a module that provides a mechanism for access controls, separating security policy from security decisions.
As you're using Red Hat, no wonder; they're the original author of the module, alongside the NSA. The quick and dirty solution is to set the Enforcing Mode to either Permissive or even Disabled, but that means lowering your installation's security. I don't know what you use your distro for, so whether it matters or not depends on you. Otherwise: follow the suggestions.

Molochnik:
Leledumbo
I just wanted to make sure that the problem is not connected to my daemon specifically. If it is a common thing in RHEL and users know how to deal with it, then that's fine.
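
An added example, not part of the original thread: a small Python parser for the two AVC records quoted above that separates a stale file label (the case sealert's restorecon plugin flags) from a denial that needs a policy review. The `HOME_TYPES` set and the `triage` heuristic are assumptions made for this sketch, not SELinux tooling.

```python
import re

# The two AVC records from the thread, copied as posted.
SAMPLE_AVC = [
    'type=AVC msg=audit(1712781227.912:267): avc:  denied  { execute } for  pid=99560 comm="(managerl)" name="cumanagerl" dev="dm-1" ino=4024712 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1712819658.562:267): avc:  denied  { execute_no_trans } for  pid=71839 comm="(managerl)" path="/opt/cumanager/cumanagerl" dev="dm-1" ino=4024712 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: types that normally appear only under /root or /home.
HOME_TYPES = {'admin_home_t', 'user_home_t', 'user_home_dir_t'}

def parse_avc(line):
    """Return the denied permissions, types, class and path of one AVC record."""
    m = AVC_RE.search(line)
    if not m or 'type=AVC' not in line:
        return None  # SYSCALL and other record types are skipped
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec = {'perms': m.group('perms').split(),
           'tclass': fields.get('tclass'),
           'path': fields.get('path') or fields.get('name'),
           'permissive': fields.get('permissive') == '1'}
    for key in ('scontext', 'tcontext'):
        # Context layout is user:role:type:level; the level may contain ':'.
        _user, _role, type_, *_level = fields[key].split(':')
        rec[key[0] + 'type'] = type_  # stored as 'stype' / 'ttype'
    return rec

def triage(rec):
    """Heuristic: a home-directory label on a file outside a home directory
    points to a stale label (e.g. a file moved with mv), so relabel first."""
    path = rec['path'] or ''
    in_home = path.startswith(('/root/', '/home/'))
    if rec['ttype'] in HOME_TYPES and not in_home:
        if path.startswith('/'):
            return 'relabel: restorecon -v ' + path
        return 'check label: ls -Z on the file named ' + path
    return 'review policy before using audit2allow'

if __name__ == '__main__':
    for line in SAMPLE_AVC:
        rec = parse_avc(line)
        print(rec['perms'], rec['stype'], '->', rec['ttype'], '|', triage(rec))
```

The first record carries only `name=`, so the sketch cannot judge the file's location and asks for a label check; the second carries the full `path=` and matches the restorecon suggestion in the second alert.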
