issue loading dev dashboard with selinux on
I'm currently getting the error: stringio.so: failed to map segment from shared object while trying to boot the dev dashboard in our dev system that uses selinux.
The audit.log message is below.
type=AVC msg=audit(1764177815.282:1457597): avc: denied { execute } for pid=1714881 comm="ruby" path="/users/PZS0714/johrstrom/ondemand/src/apps/dashboard/vendor/bundle/ruby/3.3.0/gems/stringio-3.1.8/lib/stringio.so" dev="0:49" ino=4376752 scontext=system_u:system_r:ood_pun_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=0
Not sure if we can fix for 4.1 - I certainly can't.
This needs the ondemand_use_nfs and use_nfs_home_dirs booleans enabled: https://osc.github.io/ood-documentation/latest/installation/modify-system-security.html
Those booleans are supposed to be enabled by default, however, so maybe there is a gap. Run the command in the docs:
cat /var/log/audit/audit.log | audit2allow -M ood
And share ood.te contents.
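Added example, not from this issue or the OnDemand project: a POSIX shell helper that pulls the fields out of an AVC record like the one above and flags the ood_pun_t-on-nfs_t execute/map case that the two booleans are meant to cover. The sample line is a copy of the one quoted in the issue, and the classification names (nfs-exec, other-domain, ...) are my own.

```shell
#!/bin/sh
# Constructed sample: the AVC record quoted in this issue.
SAMPLE_AVC='type=AVC msg=audit(1764177815.282:1457597): avc: denied { execute } for pid=1714881 comm="ruby" path="/users/PZS0714/johrstrom/ondemand/src/apps/dashboard/vendor/bundle/ruby/3.3.0/gems/stringio-3.1.8/lib/stringio.so" dev="0:49" ino=4376752 scontext=system_u:system_r:ood_pun_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=0'

# avc_field LINE KEY : print the value of KEY=VALUE in an AVC record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perms LINE : print the denied permissions, e.g. "execute" or "map execute".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT : the type component of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE : name the likely cause of a PUN denial.
#   nfs-exec     ood_pun_t denied execute/map on an nfs_t file: check
#                "getsebool ondemand_use_nfs use_nfs_home_dirs"; if both are on,
#                the loaded policy lacks the rule and audit2allow -M is the next step.
#   nfs-other    some other nfs_t access (read/write/etc.), same booleans apply.
#   other-domain not from ood_pun_t at all, e.g. the httpd_t map denial seen later.
classify_avc() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    class=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    [ "$src" = ood_pun_t ] || { echo other-domain; return 0; }
    case "$tgt:$class" in
        nfs_t:file)
            case " $perms " in
                *" execute "*|*" map "*) echo nfs-exec; return 0 ;;
            esac
            echo nfs-other; return 0 ;;
    esac
    echo unclassified
}

classify_avc "$SAMPLE_AVC"   # prints: nfs-exec
```

Feed it real records with something like `grep '^type=AVC' /var/log/audit/audit.log | while IFS= read -r l; do classify_avc "$l"; done` to see at a glance which denials the NFS booleans should already cover.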
Here's the output of that command. I don't see any reference to ood.te.
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i ood.pp
It should be in the same CWD as ood.pp. If you leave off -M ood it should print the policy, but with -M ood the policy should have been written to ood.te in the same directory as ood.pp.
🤦♂️ Didn't realize that command wrote files out. Here's the ood.te:
module ood 1.0;
require {
type sysfs_t;
type systemd_userdbd_runtime_t;
type nfs_t;
type ood_apps_public_t;
type httpd_t;
type var_lib_t;
type ood_pun_t;
type admin_home_t;
class file { execute map read };
class dir { create read };
}
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow httpd_t ood_apps_public_t:file map;
#============= ood_pun_t ==============
allow ood_pun_t admin_home_t:dir create;
allow ood_pun_t nfs_t:file execute;
allow ood_pun_t sysfs_t:file read;
allow ood_pun_t systemd_userdbd_runtime_t:dir read;
allow ood_pun_t var_lib_t:file read;
module ood 1.0;
require {
type sysfs_t;
type systemd_userdbd_runtime_t;
type nfs_t;
type ood_apps_public_t;
type httpd_t;
type var_lib_t;
type ood_pun_t;
type admin_home_t;
class file { execute map read };
class dir { create read };
}
#============= ood_pun_t ==============
allow ood_pun_t nfs_t:file execute;
Try making that file, then do:
make -f /usr/share/selinux/devel/Makefile
semodule -i ood.pp
Then see if that solves the problem. The other denials might just be noise, but I would need to see the auditd logs to know. Is this on an OSC host where I can look, or somewhere else?
diff --git a/packaging/rpm/ondemand-selinux.te b/packaging/rpm/ondemand-selinux.te
index ef3ecbd46..c9b46fd79 100644
--- a/packaging/rpm/ondemand-selinux.te
+++ b/packaging/rpm/ondemand-selinux.te
@@ -149,14 +149,11 @@ tunable_policy(`ondemand_manage_vmblock',`
gen_tunable(ondemand_use_nfs, true)
tunable_policy(`ondemand_use_nfs && use_nfs_home_dirs',`
- require {
- type nfs_t;
- }
fs_list_auto_mountpoints(ood_pun_t)
fs_manage_nfs_dirs(ood_pun_t)
+ fs_exec_nfs_files(ood_pun_t)
fs_manage_nfs_files(ood_pun_t)
fs_manage_nfs_symlinks(ood_pun_t)
- allow ood_pun_t nfs_t:file { map };
')
optional_policy(`
tunable_policy(`ondemand_use_nfs && use_nfs_home_dirs',`
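Review bot: dropping `allow ood_pun_t nfs_t:file { map };` (and with it the `require { type nfs_t; }` block) means `map` on NFS files is now granted only through `fs_exec_nfs_files(ood_pun_t)`, so this hunk is correct only if that interface's permission set includes `map`; in refpolicy-derived policies it allows `exec_file_perms`, which does include `map` alongside `execute`, so it should be fine on current Fedora/RHEL selinux-policy, but it is worth confirming against the oldest policy version the RPM targets, since the AVC in this issue was for `execute` and a later `map` denial would look like a regression. A short comment next to `fs_exec_nfs_files(ood_pun_t)` stating that it subsumes the removed map rule would save the next reader the same check.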
I think this will solve the execute issue.