Selinux Policy Allow custom shell script

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Selinux Policy Allow custom shell script

Post by agriz » 2016/08/22 14:11:28

Sir,

I have typed one Python script and I want to use it in my PHP script via exec.
If that is the case, how do I make changes in audit so SELinux will allow me to run it?
The script is in /usr/local/bin

Thanks

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: Selinux Policy Allow custom shell script

Post by agriz » 2016/08/22 15:57:15

setenforce 0

If I execute this command, I can run this script.

mghe
Posts: 766
Joined: 2015/11/24 12:04:43
Location: Katowice, Poland

Re: Selinux Policy Allow custom shell script

Post by mghe » 2016/08/22 16:22:57

Could you show the output of the audit log when you try to run the script with SELinux enabled?

/var/log/audit/audit.log

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: Selinux Policy Allow custom shell script

Post by agriz » 2016/08/22 16:24:55

I am not getting any output when I run that script, sir.

tail -f audit.log

Nothing comes in audit.

/usr/local/bin/
ls -lZ
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 script

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Selinux Policy Allow custom shell script

Post by aks » 2016/08/22 16:28:40

I think he means with SELinux running, execute your script & post the output of:

grep -i avc /var/log/audit/audit.log

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: Selinux Policy Allow custom shell script

Post by agriz » 2016/08/22 16:36:15

type=AVC msg=audit(1471764481.690:7480): avc:  denied  { open } for  pid=11448 comm="logrotate" path="/etc/logrotate.d/lfd" dev="sda2" ino=135003505 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1471764484.512:7481): avc:  denied  { open } for  pid=11464 comm="mandb" path="/usr/local/man/man1/csf.1" dev="sda2" ino=686783 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1471851661.548:8053): avc:  denied  { open } for  pid=30910 comm="logrotate" path="/etc/logrotate.d/lfd" dev="sda2" ino=135003505 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=USER_AVC msg=audit(1471857504.127:8214): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1471857504.127:8215): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1471863661.998:8267): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1471863661.998:8268): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

SELinux is running. It is not disabled.

mghe
Posts: 766
Joined: 2015/11/24 12:04:43
Location: Katowice, Poland

Re: Selinux Policy Allow custom shell script

Post by mghe » 2016/08/22 16:43:46

Turn SELinux to enforcing mode, then run the script, then read the last 10 lines from the audit log.

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: Selinux Policy Allow custom shell script

Post by agriz » 2016/08/22 16:45:23

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: Selinux Policy Allow custom shell script

Post by agriz » 2016/08/22 16:45:56

SELinux is already in enforcing mode. Nothing comes in audit.

mghe
Posts: 766
Joined: 2015/11/24 12:04:43
Location: Katowice, Poland

Re: Selinux Policy Allow custom shell script

Post by mghe » 2016/08/22 17:02:35

Run:

# semodule -DB

Try logging the issue again.

After the procedure, go back to the normal state:

# semodule -B
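
Added example, not part of any post in this thread: a small shell helper that condenses AVC denials to one line each and counts them per source domain, so it is easy to see whether any denial belongs to the web server at all (the denials posted above come from logrotate_t and mandb_t). The function names and the sample log are constructed for illustration, and httpd_t as the domain that runs the PHP exec call is an assumption about the targeted policy setup.

```shell
#!/bin/sh
# Print one line per kernel AVC denial read from stdin:
#   <source type> <permissions> <target type> <class> <path or ->
# USER_AVC records (e.g. the setenforce notices) are skipped.
avc_summary() {
    awk '
    /^type=AVC / && / denied / {
        perm = ""; src = ""; tgt = ""; cls = ""; path = "-"
        s = index($0, "{ "); e = index($0, " }")
        if (s && e > s) perm = substr($0, s + 2, e - s - 2)
        gsub(/ /, ",", perm)            # "read write" -> "read,write"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, c, ":"); src = c[3] }
            else if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
            else if ($i ~ /^path=/)     { path = substr($i, 6); gsub(/"/, "", path) }
        }
        print src, perm, tgt, cls, path
    }'
}

# Count denials whose source type equals $1 (assumed httpd_t for Apache/PHP).
avc_count_for() {
    avc_summary | awk -v d="$1" '$1 == d { n++ } END { print n + 0 }'
}

# Constructed sample: two lines in the format shown in the thread, one
# setenforce notice, and one hypothetical httpd_t denial to show a match.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1471764481.690:7480): avc:  denied  { open } for  pid=11448 comm="logrotate" path="/etc/logrotate.d/lfd" dev="sda2" ino=135003505 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1471764484.512:7481): avc:  denied  { open } for  pid=11464 comm="mandb" path="/usr/local/man/man1/csf.1" dev="sda2" ino=686783 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=USER_AVC msg=audit(1471857504.127:8214): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1471857600.000:9000): avc:  denied  { execute } for  pid=12000 comm="httpd" name="script" dev="sda2" ino=1000 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
EOF
}

# On a real host, feed the log instead of the sample:
#   grep -i avc /var/log/audit/audit.log | avc_summary
sample_log | avc_summary
```

A count of 0 for the web server domain while the script still fails only under enforcing mode is the situation where the semodule -DB step above is worth trying.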
