OnDemand SELinux - additional permissions?

This post is a long-delayed follow up to Permission denied rb_file_s_lstat with SELinux and local home directories.

I’m running OnDemand on Rocky Linux 8 with local (i.e. non-NFS) home folders on the OnDemand server, connected to a fairly standard small Slurm cluster. I’ve already set the ondemand_manage_user_home_dir=1 and ondemand_use_nfs=0 SE booleans.

Based on my testing this week, the following additional SELinux permissions are required (presented here in the form of a readable policy):

require {
        type ood_pun_t;
        type user_home_t;
        type user_home_dir_t;
        type net_conf_t;
        type httpd_t;
        type faillog_t;
        type sssd_conf_t;
        class lnk_file { read create getattr setattr };
        # write is needed here because of the faillog_t:dir rule below
        class dir { getattr read write };
        class file { ioctl open read };
        class capability net_admin;
}

#============= ood_pun_t ==============
# PUN (per-user NGINX) access to resolver config and local home directories
allow ood_pun_t net_conf_t:lnk_file read;
allow ood_pun_t user_home_dir_t:lnk_file { read create getattr setattr };
allow ood_pun_t user_home_t:dir read;
allow ood_pun_t user_home_t:file { read ioctl open };

#============= httpd_t ==============
# Apache frontend denials seen alongside the PUN ones
allow httpd_t self:capability net_admin;
allow httpd_t faillog_t:dir write;
allow httpd_t sssd_conf_t:file read;

In addition, I also needed to set sudo setsebool -P domain_can_mmap_files 1.

I don’t know if these additional permissions are more generally applicable - perhaps the developers can comment.

Many thanks!
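A require block has to declare every type, class and permission that the allow rules use, and the snippet as posted lists `dir` without `write` even though the faillog_t rule needs it. The checker below is an added example (not from the original post or from OnDemand) that parses a .te fragment like the one above and reports such mismatches before checkmodule is run; the policy text it checks is a constructed copy of the posted rules with that gap left in.

```python
import re

# Constructed sample: the posted require block and allow rules, with the
# `dir` class deliberately left without `write` to show the detection.
POLICY = """
require {
        type ood_pun_t;
        type user_home_t;
        type user_home_dir_t;
        type net_conf_t;
        type httpd_t;
        type faillog_t;
        type sssd_conf_t;
        class lnk_file { read create getattr setattr };
        class dir { getattr read };
        class file { ioctl open read };
        class capability net_admin;
}
allow ood_pun_t net_conf_t:lnk_file read;
allow ood_pun_t user_home_dir_t:lnk_file { read create getattr setattr };
allow ood_pun_t user_home_t:dir read;
allow ood_pun_t user_home_t:file { read ioctl open };
allow httpd_t self:capability net_admin;
allow httpd_t faillog_t:dir write;
allow httpd_t sssd_conf_t:file read;
"""

def parse_require(text):
    """Return (declared types, {class: declared perms}) from the require block."""
    block = re.search(r"require\s*\{(.*?)\n\}", text, re.S).group(1)
    types = set(re.findall(r"\btype\s+(\w+)\s*;", block))
    classes = {}
    for name, perms in re.findall(r"\bclass\s+(\w+)\s+(\{[^}]*\}|\w+)\s*;", block):
        classes[name] = set(perms.strip("{} ").split())
    return types, classes

def check_allow_rules(text):
    """List every type, class or permission an allow rule uses but require lacks."""
    types, classes = parse_require(text)
    problems = []
    rule_re = r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;"
    for src, tgt, cls, perms in re.findall(rule_re, text):
        for t in (src, tgt):
            if t != "self" and t not in types:  # `self` is never declared
                problems.append(f"type {t} not in require block")
        if cls not in classes:
            problems.append(f"class {cls} not in require block")
            continue
        for p in perms.strip("{} ").split():
            if p not in classes[cls]:
                problems.append(f"class {cls}: permission {p} not declared")
    return problems

if __name__ == "__main__":
    print(check_allow_rules(POLICY) or "require block is consistent")
```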

The things that got denied using httpd_t shouldn’t be related to OnDemand directly as OnDemand runs via the PUN (Per-User-NGINX) and that entire stack is forced to be ood_pun_t. There could be situations where Apache is doing things that might otherwise be denied but none of those httpd_t allowances look related to local home directories and might just be normal things that Apache gets denied doing when SELinux is enabled.

The ondemand_manage_user_home_dir boolean has allowances for the user_home_dir_t labeled locations. I would be interested to know what in your local home directories is using user_home_t and if that’s the correct context, i.e. if you do restorecon -n -v on those paths, does the context show it will change?

The ood_pun_t allowance for net_conf_t looks unrelated to local home directories, so the actual audit log denial for that would be needed to better understand what denial is happening.