@bdangit is your supervisor running? `hab svc load` emits that connection refused error when I've forgotten to start the supervisor. In the event it's started, continue on reading...
@maraaaa @bdangit can you post the output of the following please:

```
( ausearch -c 'hab-sup' --raw; ausearch -c 'hab' -c 'hab-launch' --raw; ausearch -c 'hab' --raw )
```
Ok, so I got a new laptop today! You know the deal, friend of a friend got a new laptop, didn't need the old one... of course I can make use of it... which, I mean...

So anyway, first thing I do is blow away Windows and put Linux on it. On a whim I threw FC28 on it. (We can discuss at length why I chose Fedora in a PM.)

In setting it up, I install Habitat and am trying to run it. My experience is similar to the OP. I'm able to `hab sup run`, but when I try to run it as a systemd service, all sorts of AVC denials. (I'll see if I can't come up with a good report... the way hab tries to restart services generated a lot of the same message...!)
Probably flawed... but I basically ran this:

```
until systemctl status hab; do
  systemctl start hab;
  (
    ausearch -c 'hab-sup' --raw;
    ausearch -c 'hab' -c 'hab-launch' --raw;
    ausearch -c 'hab' --raw
  ) | audit2allow -M hab-svc-load;
  wc -l hab-svc-load.te;
  semodule -X 300 -i hab-svc-load.pp;
done
# actually, I just did it as a oneliner, I'm not sure if that ^ will run...
# until systemctl status hab; do systemctl start hab; ( ausearch -c 'hab-sup' --raw; ausearch -c 'hab' -c 'hab-launch' --raw; ausearch -c 'hab' --raw ) | audit2allow -M hab-svc-load; wc -l hab-svc-load.te; semodule -X 300 -i hab-svc-load.pp; done
```
And came up with this:

```
# cat my-hab.te
module my-hab 1.0;

require {
	type tmp_t;
	type init_t;
	type default_t;
	type http_port_t;
	class sock_file { create write };
	class file { create execute execute_no_trans map open read rename setattr unlink write };
	class lnk_file read;
	class dir { create rename reparent rmdir setattr };
	class tcp_socket name_connect;
}

#============= init_t ==============

#!!!! This avc is allowed in the current policy
allow init_t default_t:dir { create rename reparent rmdir setattr };

#!!!! This avc is allowed in the current policy
allow init_t default_t:file { create execute execute_no_trans map open read rename setattr unlink write };

#!!!! This avc is allowed in the current policy
allow init_t default_t:lnk_file read;

#!!!! This avc is allowed in the current policy
allow init_t http_port_t:tcp_socket name_connect;

#!!!! This avc is allowed in the current policy
allow init_t tmp_t:sock_file { create write };
```
Then I tried a `hab svc load` and received another error; another iteration of the search came up with the diff below.
```
# diff *.te
2c2
< module hab-svc-load 1.0;
---
> module my-hab 1.0;
5d4
< 	type init_t;
6a6
> 	type init_t;
10d9
< 	class process setpgid;
30d28
< allow init_t self:process setpgid;
```
I am not an SELinux expert, so I think finding one and running this type enforcement by them would be a good idea before anyone just goes running it...
But I think this should work for anyone:
```
# -O writes the download to my-hab.te (lowercase -o would only redirect wget's log)
wget https://gist.github.com/qubitrenegade/0ae199d6369637ba9eb0116ac551ab98 -O my-hab.te
# compile the type enforcement source into a module
checkmodule -M -m -o my-hab.mod my-hab.te
# wrap the module as a policy package
semodule_package -o my-hab.pp -m my-hab.mod
# install the my-hab.pp built by the previous command
semodule -X 300 -i my-hab.pp
```
Now, after doing this, I still can't run `core/docker` (because file not found?) and trying to run `core/consul` gives me a DIFFERENT SELinux error (this time for the consul process).

So I think there's something around the `/hab` filesystem that we could clean up? Maybe a SELinux policy that says "any 'hab' program can do whatever in `/hab`" but without, you know, invalidating the entire purpose of SELinux? lol.

I think I get what's going on? SELinux is trying to say "`/bin/hab` is linked to some random binary, we can't trust that"... I'm not so sure on how we say "hey SELinux, it's k"...

(@elliott-davis psssst, as this is portable and might leave my home, I'm pro SELinux too!)

Oh, and! I run CentOS at work and have not run into this...
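A small triage script, added here as an example and not code from the thread or from the Habitat project: it turns raw `ausearch` AVC records into one reviewable line per denied permission and then flags the rules a person should read before an `audit2allow` module gets installed, which is the "run this by an SELinux expert first" step the post above asks for. The sample records, pids, timestamps, the `/hab/pkgs/EXAMPLE` path and the `EXAMPLE.sock` name are constructed for the demo; on a real host the `ausearch` pipeline from earlier in the thread is piped into `avc_summary` instead of the `printf`.

```shell
#!/bin/sh
# Added example, not code from the thread or from Habitat: triage raw AVC
# records before they go to audit2allow, so every rule about to be allowed
# is seen as a (comm, source type, target type:class, permission) tuple.

# Constructed sample modelled on the denials in the thread. Pids, timestamps,
# the /hab/pkgs/EXAMPLE path and EXAMPLE.sock are placeholders; the last
# record repeats the first to show that duplicates collapse.
SAMPLE_AVC='type=AVC msg=audit(1535270000.101:201): avc:  denied  { name_connect } for  pid=1201 comm="hab-sup" dest=9631 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1535270000.102:202): avc:  denied  { execute_no_trans } for  pid=1202 comm="hab-launch" path="/hab/pkgs/EXAMPLE/bin/hab-sup" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1535270000.103:203): avc:  denied  { read write } for  pid=1201 comm="hab-sup" path="/hab/EXAMPLE/state" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1535270000.104:204): avc:  denied  { create } for  pid=1201 comm="hab-sup" name="EXAMPLE.sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1535270000.105:205): avc:  denied  { name_connect } for  pid=1203 comm="hab-sup" dest=9631 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0'

# Read raw audit records on stdin; print one line per denied permission in the
# form "comm source_type target_type:class permission", deduplicated. A record
# with "{ read write }" therefore yields two lines.
avc_summary() {
  awk '
    /^type=AVC/ {
      comm = ""; src = ""; tgt = ""; cls = ""; perms = ""
      # the denied permissions sit between the first { and }
      b = index($0, "{"); e = index($0, "}")
      if (b && e > b) perms = substr($0, b + 1, e - b - 1)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
        else if (kv[1] == "scontext") { split(kv[2], p, ":"); src = p[3] }
        else if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
        else if (kv[1] == "tclass") cls = kv[2]
      }
      n = split(perms, pa, " ")
      for (j = 1; j <= n; j++) print comm, src, tgt ":" cls, pa[j]
    }' | sort -u
}

# Permissions that, granted from init_t onto unlabeled (default_t) content,
# let systemd's own domain execute and rewrite files with no domain
# transition. Lines carrying them are what a human should look at instead
# of installing the audit2allow module unread.
REVIEW_PERMS='execute_no_trans|map|write'

# Read avc_summary output on stdin; pass through only the lines to review.
flag_for_review() {
  awk -v pat="^(${REVIEW_PERMS})\$" '$NF ~ pat'
}

# Demo run on the constructed sample. On a real host replace the printf with
# the ausearch pipeline from the thread, e.g.
#   ( ausearch -c 'hab-sup' --raw; ausearch -c 'hab-launch' --raw ) | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_summary
echo '--- rules to review by hand ---'
printf '%s\n' "$SAMPLE_AVC" | avc_summary | flag_for_review
```

The summary is deliberately coarser than the raw record (no pid, path or port), because that is the granularity at which `audit2allow` writes `allow` rules: two denials that differ only in pid become one rule, and that is the unit worth reviewing. Everything `flag_for_review` prints would end up as `init_t` acting on `default_t` without a transition, which is the "does whatever in /hab" outcome the post is wary of.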