I am new to compiling SELinux policy modules. When I sesearch for source
domain init_t on httpd_sys_content_t I get 5 replies:
$sesearch -T -s init_t -t httpd_sys_content_t
type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t
"smarty";
type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t
"upgrade";
type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t
"uploads";
type_transition init_t httpd_sys_content_t:dir httpd_sys_rw_content_t
"wp-content";
type_transition init_t httpd_sys_content_t:file httpd_sys_rw_content_t
"settings.php";
If I read this correctly, init_t has access to 4 directories: smarty,
upgrade, uploads and wp-content, and one file, settings.php.
I created a systemd service file running as a timer. The service just
executes a script. SELinux denies with these errors:
type=AVC msg=audit(1570329687.437:218): avc: denied { execute } for
pid=1079 comm="(index.sh)" name="make_index.sh" dev="md127"
ino=4295130138 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=1
type=AVC msg=audit(1570329687.437:219): avc: denied { read open }
for pid=1079 comm="(index.sh)"
path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127"
ino=4295130138 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=1
type=AVC msg=audit(1570329687.437:220): avc: denied {
execute_no_trans } for pid=1079 comm="(index.sh)"
path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127"
ino=4295130138 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=1
type=AVC msg=audit(1570329687.450:221): avc: denied { ioctl } for
pid=1079 comm="make_index.sh"
path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127"
ino=4295130138 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=1
type=AVC msg=audit(1570329691.303:222): avc: denied { create } for
pid=1081 comm="make_index.sh" name="index.html"
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=1
type=AVC msg=audit(1570329691.322:223): avc: denied { write } for
pid=1081 comm="make_index.sh" name="index.html" dev="md127"
ino=4295112722 scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=1
type=AVC msg=audit(1570329691.322:224): avc: denied { open } for
pid=1081 comm="make_index.sh"
path="/srv/www/sites/linux.montclaire.lan/index.html" dev="md127"
ino=4295112722 scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=1
type=AVC msg=audit(1570329691.322:225): avc: denied { append } for
pid=1081 comm="make_index.sh" name="index.html" dev="md127"
ino=4295112722 scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=1
How can I create a type transition that says this; is this correct?
type_transition init_t httpd_sys_content_t:file httpd_sys_rw_content_t
"make_index.sh";
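As an added example (not part of the original post or of any SELinux tool), the script below parses the AVC records quoted above, re-joins the lines the mail client wrapped, and unions the denied permissions per (source type, target type, object class). That gives the access vector the denials represent, in the `allow` form a .te policy module would carry, which is what audit2allow does for real. It is worth seeing because a `type_transition` rule only chooses the label a newly created file or directory gets; whether init_t may execute, read or write a file labelled httpd_sys_content_t is decided by `allow` rules, and the denials also show `permissive=1`, meaning they were logged but not enforced. The sample input is the question's own records, constructed here as a string; two are left wrapped to exercise the re-join.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records from the question. Two records are kept
# wrapped across lines, as the mail client wrapped them, so the parser has to
# re-join continuation lines before matching.
SAMPLE_AVC = """\
type=AVC msg=audit(1570329687.437:218): avc: denied { execute } for pid=1079 comm="(index.sh)" name="make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329687.437:219): avc: denied { read open }
for pid=1079 comm="(index.sh)"
path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127"
ino=4295130138 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
permissive=1
type=AVC msg=audit(1570329687.437:220): avc: denied {
execute_no_trans } for pid=1079 comm="(index.sh)" path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127" ino=4295130138 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329687.450:221): avc: denied { ioctl } for pid=1079 comm="make_index.sh" path="/srv/www/sites/linux.montclaire.lan/make_index.sh" dev="md127" ino=4295130138 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329691.303:222): avc: denied { create } for pid=1081 comm="make_index.sh" name="index.html" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329691.322:223): avc: denied { write } for pid=1081 comm="make_index.sh" name="index.html" dev="md127" ino=4295112722 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329691.322:224): avc: denied { open } for pid=1081 comm="make_index.sh" path="/srv/www/sites/linux.montclaire.lan/index.html" dev="md127" ino=4295112722 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570329691.322:225): avc: denied { append } for pid=1081 comm="make_index.sh" name="index.html" dev="md127" ino=4295112722 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
"""

# "avc: denied { perm perm } for <key=value fields>"
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
# key=value pairs; quoted values may contain spaces, e.g. comm="(index.sh)"
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def join_wrapped(text):
    """Re-join records that were wrapped by a mail client: each record starts at 'type='."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('type=') or not records:
            records.append(line)
        else:
            records[-1] += ' ' + line
    return records


def parse_avc(record):
    """Return the key=value fields plus the denied permission list of one record, or None."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields


def type_of(context):
    """'system_u:system_r:init_t:s0' -> 'init_t' (the type field of a security context)."""
    return context.split(':')[2]


def summarize(text):
    """Union the denied permissions per (source type, target type, object class)."""
    needed = defaultdict(set)
    for rec in map(parse_avc, join_wrapped(text)):
        if rec is None:
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        needed[key].update(rec['perms'])
    return {k: sorted(v) for k, v in needed.items()}


def allow_rules(text):
    """Render the summary in the allow-rule form a .te policy module would carry."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(p))
            for (s, t, c), p in sorted(summarize(text).items())]


def permissive_records(text):
    """Count records logged with permissive=1 (the access was logged, not blocked)."""
    return sum(1 for r in map(parse_avc, join_wrapped(text))
               if r is not None and r.get('permissive') == '1')


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AVC):
        print(rule)
    print('%d of %d records were logged in permissive mode'
          % (permissive_records(SAMPLE_AVC), len(join_wrapped(SAMPLE_AVC))))
```

Running it on the records above collapses all eight denials into a single vector, init_t on httpd_sys_content_t:file with execute, execute_no_trans, read, open, ioctl, create, write and append. Reading the summary before writing any policy is the useful step: an `execute` plus `execute_no_trans` denial from init_t on web content is a different decision from a `write` denial, and a rule generated blindly from the log would grant both.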