Ejabberd won't start with SELinux enforcing on Rawhide. It would fail with this error message:

ejabberdctl: Refusing to render service to dead parents.

This is a good opportunity to write an SELinux policy for ejabberd. If we do this, we can stop running it with /usr/bin/bash in the systemd unit.

As noted in, I have written a new SELinux policy and submitted it to the fedora selinux-policy-contrib module: Once that is accepted, merged, and released into Fedora 26+, we will also need to adjust a few things on the ejabberd side to be compliant.

For one, I wasn't able to get ejabberd working with policykit and SELinux enforcing, so I may drop the policy kit patch. Secondly, we no longer need to use /bin/bash to launch ejabberdctl in the unit file, and we also cannot use PrivateDevices=true because that will prevent the domain transition from being allowed.

Because we have to wait on the pull requests, I'm going to attach a git diff of what I have in my checkout right now here. This git diff isn't quite what we'll want, because it makes an ejabberd-selinux subpackage (which I used for testing purposes while developing the policy), but it has some of the changes we'll need.

I'm still getting this in my audit.log when trying to start ejabberd:

type=AVC msg=audit(1505917132.313:368): avc: denied for pid=2567 comm="1_scheduler" name="ejabberd" dev="sda3" ino=4982432 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ejabberd_var_log_t:s0 tclass=dir permissive=0

Is this a problem of this bug or something else? Then I'll open another bug.

I've got my server manually patched with parts of the patch I attached on this ticket, as well as a manually installed version of the selinux policies. Assuming my selinux patches have been released to F26 (which again, I don't know how to verify other than just trying it?), there are two things you can do manually that I think will get you running:

0) Edit the service file (/usr/lib/systemd/system/rvice) to do what I did in the patch.

1) Unapply the policykit patch to /usr/bin/ejabberdctl, which basically means changing the shebang line back to /usr/bin/bash. This will get ejabberd to run as ejabberd_t instead of init_t, since it won't launch as bash anymore.

I wasn't able to get ejabberd working with polkit *and* SELinux. I am on the fence about the value of policykit for ejabberd anyway, when you can use sudo to grant access to users.

Hopefully I will find some non-dayjob time soon to do the above to the real package so we can be back in business. I also need to finish updating ejabberd to the newer release in rawhide.

I was doing some testing this week and received the following error when I tried to access a volume inside a container: