SELinux Blocking fifo_file creation for socket unit in systemd
I want to create a custom systemd service + socket that can take standard input from a fifo and pass it to a script running as the service unit.
The output is logged to journald and the input comes from a fifo socket.
The executable for now is a Minecraft jar server application, but I want to use it for a lot of other types on my desktop to make it easier to launch custom daemon binaries that take standard input from a terminal.
Note however that the script called by the service drops the root permissions and runs the target as the java_run_usr user.
The respective user has a home, but a /sbin/nologin shell.
For all intents and purposes that user is made to isolate the running executable from the main account (I don't want to run executables with network interfacing using my admin account).
Could you point me to the steps needed to define a SELinux policy that allows systemd to create the fifo in /tmp?
I haven't used or had any experience configuring SELinux, so before I break something on this learning VM I'd like to ask why it is upset and how to define a policy that is not a security hole.
Also the scripts are in /usr/local/bin/scripts and I changed their context to bin_t using chcon -t.
They were initially in the home folder of the user, but I read SELinux prevents execution from there.
Thank you for your help.
The start script is the following:
#!/bin/bash
# Run as java_run_usr: record the effective identity, then announce the start.
su --shell /bin/sh -c "id > /home/java_run_usr/run.txt" java_run_usr
su --shell /bin/sh -c "echo 'running java_run_user'" java_run_usr
The stop script is the following:
#!/bin/bash
# Ask the server to shut down via its stdin FIFO, list the process group, then signal the main PID.
echo "/stop" > /tmp/socket_fifo/minecraft-system-service.stdin
pgrep --pgroup "$MAINPID"
/bin/kill -TERM "$MAINPID"
The SELinux error is the following:
SELinux is preventing systemd from create access on the fifo_file minecraft-system-service.stdin.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd should be allowed create access on the minecraft-system-service.stdin fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp
Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:object_r:tmp_t:s0
Target Objects minecraft-system-service.stdin [ fifo_file ]
Source systemd
Source Path systemd
Port <Unknown>
Host rhel-hyperv
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-38.1.11-2.el9_2.3.noarch
Local Policy RPM selinux-policy-targeted-38.1.11-2.el9_2.3.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name rhel-hyperv
Platform Linux rhel-hyperv 5.14.0-284.18.1.el9_2.x86_64 #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023 x86_64 x86_64
Alert Count 5
First Seen 2023-07-22 01:19:57 EEST
Last Seen 2023-07-22 13:37:44 EEST
Local ID 5e493035-b590-4ce8-89b0-4ccfed2e7dbe
Raw Audit Messages
type=AVC msg=audit(1690022264.15:485): avc: denied { create } for pid=1 comm="systemd" name="minecraft-system-service.stdin" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=fifo_file permissive=0
Hash: systemd,init_t,tmp_t,fifo_file,create
SystemD service contents: system-service.service
[Unit]
Description=Launch the Minecraft Forge server under java_run_usr account
Requires=network.target
[Service]
ExecStart=/usr/local/bin/scripts/server_systemd.sh
ExecStop=/usr/local/bin/scripts/server_systemd_stop.sh
Type=simple
Sockets=minecraft-system-service.socket
StandardInput=socket
StandardOutput=journal
StandardError=journal
User=root
Group=root
Restart=no
SystemD socket contents: system-service.socket
[Unit]
Description=Minecraft Server Standard Input Socket
Requires=minecraft-system-service.service
[Socket]
RemoveOnStop=true
Service=minecraft-system-service.service
ListenFIFO=/tmp/socket_fifo/minecraft-system-service.stdin
DirectoryMode=644
Writable=false
SocketUser=java_run_usr
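As an added example (not part of the question above or of any project), a small Python script that pulls the source type, target type, object class and denied permission out of the raw AVC record quoted in the sealert output, and renders the minimal type-enforcement module that `audit2allow -M` would generate from it. The point is to see the exact scope of the rule before installing it with semodule: a TE allow rule has no notion of a path, so `allow init_t tmp_t:fifo_file create` lets systemd create any fifo_file labelled tmp_t, not only the one under /tmp/socket_fifo. The module name my-systemd and the AVC line are taken from the page; everything else is assumed.

```python
import re

# Sample input embedded from the page: the raw AVC record in the sealert report.
AVC_LINE = (
    'type=AVC msg=audit(1690022264.15:485): avc: denied { create } for pid=1 '
    'comm="systemd" name="minecraft-system-service.stdin" '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 '
    'tclass=fifo_file permissive=0'
)

# Matches the fields of one "avc: denied" record that a TE rule is built from.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Extract source type, target type, object class and denied permissions."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record: " + line)
    # A context reads user:role:type:level; only the type is used in TE rules.
    return {
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "perms": m.group("perms").split(),
    }


def te_module(name, denials):
    """Render a minimal type-enforcement module with one allow rule per denial."""
    types, classes, rules = set(), {}, []
    for d in denials:
        types.update((d["stype"], d["ttype"]))
        classes.setdefault(d["tclass"], set()).update(d["perms"])
        rules.append("allow %s %s:%s { %s };" % (
            d["stype"], d["ttype"], d["tclass"], " ".join(sorted(d["perms"]))))
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p)))
            for c, p in sorted(classes.items())]
    out += ["}", ""] + rules
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # The rendered rule is type-wide: every tmp_t fifo_file, not one path.
    print(te_module("my-systemd", [parse_avc(AVC_LINE)]))
```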