Hey,
anyone familiar with the oddjob service?
I have configured the dbus and oddjobd and wanted to test it.
While calling it with (as root):
dbus-send --system --dest=local.domain.oddjob_csc --print-reply /admin local.domain.shee.oddjob_csc.test string:test
I get: Error com.redhat.oddjob.Error.Exec: Child signalled exec() error: Permission denied.
and
type=SYSCALL msg=audit(1659709637.271:196): arch=c000003e syscall=59 success=no exit=-13 a0=55c9f28763d0 a1=55c9f286e0d0 a2=55c9f2870ee0 a3=0 items=0 ppid=4981 pid=6024 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="oddjobd" exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1659709637.271:196): avc: denied { transition } for pid=6024 comm="oddjobd" path="/usr/libexec/oddjob/sanity.sh" dev="dm-1" ino=15768 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
The configured test script is from the oddjob package:
<method name="test">
  <helper exec="/usr/libexec/oddjob/sanity.sh" arguments="1"/>
  <allow user="root"/>
</method>
As the AVC above shows, it's a context transition that is not allowed?
How is this service supposed to be used? I suspect that the method call must be in a context by itself, but which one?
Any idea?
Thanks, Leon
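
An added example, not part of the original post: Python code that splits the fused audit line quoted above into its SYSCALL and AVC records and pairs them by event ID, so the denied permission, the source and target SELinux types, and the failing syscall can be read together. The sample string is constructed from the quoted event with some fields trimmed, and the function names and the one-entry syscall table are assumptions of this example.

```python
import errno
import re

# Constructed sample: the audit event quoted in the post, with some fields trimmed.
SAMPLE = (
    'type=SYSCALL msg=audit(1659709637.271:196): arch=c000003e syscall=59 success=no '
    'exit=-13 pid=6024 comm="oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 '
    'type=AVC msg=audit(1659709637.271:196): avc: denied { transition } for pid=6024 '
    'comm="oddjobd" path="/usr/libexec/oddjob/sanity.sh" '
    'scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=process permissive=0'
)
HEAD = re.compile(r'\btype=(\w+) msg=audit\(([\d.]+:\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
SYSCALL_NAMES = {('c000003e', '59'): 'execve'}  # x86_64 entry only; extend as needed

def parse_records(text):
    """Split fused audit records and return one dict of fields per record."""
    heads = list(HEAD.finditer(text))
    records = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        rec = {key: value.strip('"') for key, value in FIELD.findall(body)}
        rec['type'], rec['event'] = head.group(1), head.group(2)
        avc = AVC.search(body)
        if avc:
            rec['result'], rec['perms'] = avc.group(1), avc.group(2).split()
        records.append(rec)
    return records

def explain_denials(text):
    """Pair each AVC denial with the SYSCALL record that shares its event ID."""
    records = parse_records(text)
    calls = {r['event']: r for r in records if r['type'] == 'SYSCALL'}
    findings = []
    for avc in (r for r in records if r['type'] == 'AVC' and r.get('result') == 'denied'):
        call = calls.get(avc['event'], {})
        findings.append({
            'perms': avc['perms'], 'tclass': avc.get('tclass'), 'path': avc.get('path'),
            'source_type': avc['scontext'].split(':')[2],  # user:role:type:range
            'target_type': avc['tcontext'].split(':')[2],
            'enforcing': avc.get('permissive') == '0',
            'syscall': SYSCALL_NAMES.get((call.get('arch'), call.get('syscall'))),
            'errno': errno.errorcode.get(-int(call.get('exit', 0))),
        })
    return findings
```

For the quoted event, explain_denials(SAMPLE) returns one finding: an enforced denial of the transition permission on class process from oddjob_t to unconfined_t, raised while execve of /usr/libexec/oddjob/sanity.sh failed with EACCES.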