OnDemand SELinux - additional permissions?

This post is a long-delayed follow up to Permission denied rb_file_s_lstat with SELinux and local home directories.

I’m running OnDemand on Rocky Linux 8 with local (i.e. non-NFS) home folders on the OnDemand server, connected to a fairly standard small Slurm cluster. I’ve already set the ondemand_manage_user_home_dir=1 and ondemand_use_nfs=0 SE booleans.

Based on my testing this week, the following additional SELinux permissions are required (presented here in the form of a readable policy):

# types and object classes referenced by the allow rules below
require {
        type ood_pun_t;
        type user_home_t;
        type user_home_dir_t;
        type net_conf_t;
        type httpd_t;
        type faillog_t;
        type sssd_conf_t;
        class lnk_file { read create getattr setattr };
        class dir { getattr read write };
        class file { ioctl open read };
        class capability net_admin;
}

#============= ood_pun_t ==============
allow ood_pun_t net_conf_t:lnk_file read;
allow ood_pun_t user_home_dir_t:lnk_file { read create getattr setattr };
allow ood_pun_t user_home_t:dir read;
allow ood_pun_t user_home_t:file { read ioctl open };

#============= httpd_t ==============
allow httpd_t self:capability net_admin;
allow httpd_t faillog_t:dir write;
allow httpd_t sssd_conf_t:file read;

In addition, I also needed to run sudo setsebool -P domain_can_mmap_files 1.

I don’t know if these additional permissions are more generally applicable - perhaps the developers can comment.

Many thanks!

The things that got denied using httpd_t shouldn’t be related to OnDemand directly as OnDemand runs via the PUN (Per-User-NGINX) and that entire stack is forced to be ood_pun_t. There could be situations where Apache is doing things that might otherwise be denied but none of those httpd_t allowances look related to local home directories and might just be normal things that Apache gets denied doing when SELinux is enabled.

The ondemand_manage_user_home_dir boolean has allowances for the user_home_dir_t labeled locations. I would be interested to know what in your local home directories is using user_home_t and if that’s the correct context, i.e. if you do restorecon -n -v on those paths, does the context show it will change?

The ood_pun_t allowance for net_conf_t looks unrelated to local home directories, so the actual audit log denial for that would be needed to better understand what denial is happening.
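The two posts above show the workflow from both ends: the first post presents a readable policy derived from AVC denials, and the reply asks which of those denials actually involve the home-directory types and which (net_conf_t, the httpd_t rules) need their original audit records looked at before being allowed. The following script is an added example, not code from the OnDemand project or from either poster: a minimal audit2allow-style converter that parses raw AVC lines from audit.log into allow rules in the same format as the policy above, and then splits the rules into those whose target type is user_home_t or user_home_dir_t and those that are unrelated to home directories. The AVC lines in SAMPLE_AUDIT_LOG are constructed for this example (field layout as auditd writes it, pid/inode/timestamp values made up).

```python
"""Mini audit2allow: AVC denial lines -> readable SELinux policy, plus a split
into home-directory rules and everything else (added example, not OnDemand code)."""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Set, Tuple

# Constructed sample audit records; not taken from the thread. The fourth line
# is a SYSCALL record that the parser must skip, the last is a self-capability.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=4321 comm="ruby" name="resolv.conf" dev="dm-0" ino=12 scontext=system_u:system_r:ood_pun_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=4321 comm="ruby" name="jobs" dev="dm-0" ino=13 scontext=system_u:system_r:ood_pun_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read open } for  pid=4321 comm="ruby" name="form.yml" dev="dm-0" ino=14 scontext=system_u:system_r:ood_pun_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=257 success=no exit=-13 comm="ruby"
type=AVC msg=audit(1700000000.104:204): avc:  denied  { ioctl } for  pid=4321 comm="ruby" name="form.yml" dev="dm-0" ino=14 scontext=system_u:system_r:ood_pun_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.105:205): avc:  denied  { write } for  pid=1234 comm="httpd" name="faillog" dev="dm-0" ino=15 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.106:206): avc:  denied  { net_admin } for  pid=1234 comm="httpd" capability=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
"""

HOME_TYPES = {"user_home_t", "user_home_dir_t"}   # types ondemand_manage_user_home_dir is about

class Denial(NamedTuple):
    stype: str              # source domain, e.g. ood_pun_t
    ttype: str              # target type, e.g. user_home_t, or "self"
    tclass: str             # object class: file, dir, lnk_file, capability, ...
    perms: FrozenSet[str]   # denied permissions from the { ... } set

RuleKey = Tuple[str, str, str]          # (source type, target type, class)
Rules = Dict[RuleKey, Set[str]]

def parse_avc(line: str) -> Optional[Denial]:
    """Parse one 'avc: denied' record; return None for any other record type."""
    m = re.search(r"denied\s+\{\s*([^}]*?)\s*\}", line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    stype = fields["scontext"].split(":")[2]   # user:role:TYPE:level
    ttype = fields["tcontext"].split(":")[2]
    if ttype == stype:
        ttype = "self"                         # e.g. httpd_t self:capability
    return Denial(stype, ttype, fields["tclass"], frozenset(m.group(1).split()))

def collect_rules(lines: List[str]) -> Rules:
    """Merge all denials with the same (source, target, class) into one rule."""
    rules: Rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            rules[(d.stype, d.ttype, d.tclass)] |= d.perms
    return dict(rules)

def fmt_perms(perms: Set[str]) -> str:
    ordered = sorted(perms)
    return ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"

def render_policy(rules: Rules) -> str:
    """Emit a require block plus per-domain allow rules, audit2allow style."""
    types = sorted({k[0] for k in rules} | {k[1] for k in rules if k[1] != "self"})
    classes: Dict[str, Set[str]] = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = ["require {"]
    out += [f"        type {t};" for t in types]
    out += [f"        class {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out.append("}")
    for stype in sorted({k[0] for k in rules}):
        out += ["", f"#============= {stype} =============="]
        for (s, t, c), perms in sorted(rules.items()):
            if s == stype:
                out.append(f"allow {s} {t}:{c} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"

def split_by_home(rules: Rules) -> Tuple[Rules, Rules]:
    """Separate rules that touch home-directory types from the rest; the rest
    deserve a look at the raw audit record before they are allowed."""
    home = {k: v for k, v in rules.items() if k[1] in HOME_TYPES}
    other = {k: v for k, v in rules.items() if k[1] not in HOME_TYPES}
    return home, other

if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AUDIT_LOG.splitlines())
    print(render_policy(rules))
    home, other = split_by_home(rules)
    print("# unrelated to home directories, check the audit record first:")
    for (s, t, c), perms in sorted(other.items()):
        print(f"#   {s} -> {t}:{c} {fmt_perms(perms)}")
```

Feeding it real records (for example the output of ausearch -m AVC -ts recent) instead of the constructed sample reproduces the layout of the policy in the first post; the "other" bucket is where net_conf_t and the httpd_t rules land, which matches the reply's point that those should be justified from the audit log rather than allowed because they appeared alongside the home-directory denials. The rendered text is the readable form only; audit2allow -M builds the loadable module from such denials.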

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.