Hey,
anyone familiar with the oddjob service?
I have configured the dbus and oddjobd and wanted to test it.
While calling it with (as root):
dbus-send --system --dest=local.domain.oddjob_csc --print-reply /admin local.domain.shee.oddjob_csc.test string:test
I get:
Error com.redhat.oddjob.Error.Exec: Child signalled exec() error:
Permission denied.
and
type=SYSCALL msg=audit(1659709637.271:196): arch=c000003e syscall=59
success=no exit=-13 a0=55c9f28763d0 a1=55c9f286e0d0 a2=55c9f2870ee0 a3=0
items=0 ppid=4981 pid=6024 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="oddjobd"
exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(1659709637.271:196): avc: denied { transition } for
pid=6024 comm="oddjobd" path="/usr/libexec/oddjob/sanity.sh"
dev="dm-1" ino=15768 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=process permissive=0
The configured test script is from the oddjob package:
<method name="test">
  <helper exec="/usr/libexec/oddjob/sanity.sh"
          arguments="1"/>
  <allow user="root"/>
</method>
As the AVC above shows, it's a context transition that is not allowed?
How is this service supposed to be used? I suspect that the method call
must be in a context by itself, but which one?
Any idea?
Thanks,
Leon
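
Added example, not part of the original message: a short Python script that pairs the SYSCALL and AVC records quoted above by their shared audit event id and reports which SELinux permission was denied between which source and target types. The function names are this example's own, and the input is the two records from the message joined back onto single lines.

```python
import errno
import re

# Constructed input: the two audit records from the message above, unwrapped.
RECORDS = [
    'type=SYSCALL msg=audit(1659709637.271:196): arch=c000003e syscall=59 '
    'success=no exit=-13 a0=55c9f28763d0 a1=55c9f286e0d0 a2=55c9f2870ee0 a3=0 '
    'items=0 ppid=4981 pid=6024 auid=4294967295 uid=0 gid=0 euid=0 suid=0 '
    'fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="oddjobd" '
    'exe="/usr/sbin/oddjobd" subj=system_u:system_r:oddjob_t:s0-s0:c0.c1023 '
    'key=(null)',
    'type=AVC msg=audit(1659709637.271:196): avc: denied { transition } for '
    'pid=6024 comm="oddjobd" path="/usr/libexec/oddjob/sanity.sh" '
    'dev="dm-1" ino=15768 scontext=system_u:system_r:oddjob_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=process permissive=0',
]

HEADER = re.compile(r'type=(\S+) msg=audit\(([\d.]+):(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')

def selinux_type(context):
    # user:role:type:level; the MLS level may itself contain colons.
    return context.split(':', 3)[2]

def summarize(records):
    """Group records by audit event id and describe each AVC decision."""
    events = {}
    for line in records:
        head = HEADER.match(line)
        if head:
            fields = {k: v.strip('"') for k, v in FIELD.findall(line[head.end():])}
            events.setdefault(head.group(3), {})[head.group(1)] = (line, fields)
    out = []
    for serial, recs in events.items():
        if 'AVC' not in recs:
            continue
        line, avc = recs['AVC']
        verdict, perms = AVC.search(line).groups()
        exit_code = int(recs.get('SYSCALL', (None, {}))[1].get('exit', 0))
        out.append({
            'event': serial, 'verdict': verdict, 'perms': perms.split(),
            'tclass': avc['tclass'], 'path': avc.get('path'),
            'source_type': selinux_type(avc['scontext']),
            'target_type': selinux_type(avc['tcontext']),
            'enforcing': avc.get('permissive') == '0',
            'errno': errno.errorcode.get(-exit_code) if exit_code < 0 else None,
        })
    return out
```

For the records in the message, `summarize(RECORDS)` reports a denied `transition` on class `process` from `oddjob_t` to `unconfined_t` for `/usr/libexec/oddjob/sanity.sh`, in enforcing mode, with the syscall failing with `EACCES`.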