
I have a Python script, running as a systemd unit, that I need to run in the httpd_t SELinux context under the nginx user. I have tried using runcon, but it says that the transition is not allowed, and if I allow the transition using audit2allow it then denies the python3 entry point, and I am not willing to give httpd_t access to bin_t. Is there any way to do this?

2 Answers


  1. Chosen as BEST ANSWER

    I ended up just writing a custom policy that allows unconfined_service_t to transition to httpd_t, and using a shebang indicating that the script was a Python script so as not to need to specify /usr/bin/python3 in the ExecStart command, thus eliminating my bin_t issues.


  2. init_t can execute httpd_exec_t, and httpd_exec_t can transition to httpd_t.
    So you should be able to do what you want with:

    semanage fcontext -a -t httpd_exec_t '/usr/bin/yourscript.py'
    restorecon -RF /usr/bin/yourscript.py

    You might need some booleans too, you’ll see if it is needed with audit2allow -a.

    ref. 1, 2, 3

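As an added check (example code written for this page, not taken from the question or either answer): once the script is labelled httpd_exec_t and started by systemd, it can confirm from inside that it really landed in httpd_t as the nginx user, and the same context parser classifies the AVC lines that audit2allow -a reads into the two denials the question describes: a refused domain transition into httpd_t, and httpd_t refusing /usr/bin/python3 (bin_t) as its entry point because ExecStart names the interpreter instead of the script. The AVC lines below are constructed samples; the expected type httpd_t and user nginx come from the question.

```python
import os
import pwd
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SELinuxContext:
    user: str
    role: str
    setype: str
    level: str


def parse_context(raw: str) -> SELinuxContext:
    """Split a 'user:role:type[:level]' string. The MLS level may itself
    contain ':' (e.g. s0-s0:c0.c1023), so split at most three times."""
    parts = raw.strip().split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % raw)
    level = parts[3] if len(parts) == 4 else ""
    return SELinuxContext(parts[0], parts[1], parts[2], level)


def context_matches(ctx: SELinuxContext, expected_type: str) -> bool:
    return ctx.setype == expected_type


def current_context() -> Optional[SELinuxContext]:
    """The calling process's own context, or None when SELinux is not active
    (file absent, or another LSM such as AppArmor owns it and writes 'unconfined')."""
    try:
        with open("/proc/self/attr/current", encoding="utf-8") as fh:
            return parse_context(fh.read().rstrip("\0\n"))
    except (OSError, ValueError):
        return None


def self_check(expected_type: str = "httpd_t", expected_user: str = "nginx") -> List[str]:
    """Compare the running process with what the unit is supposed to give it.
    Returns a list of problem messages; empty means domain and uid are as expected."""
    problems = []
    ctx = current_context()
    if ctx is None:
        problems.append("SELinux context unavailable (SELinux not active?)")
    elif not context_matches(ctx, expected_type):
        problems.append("running as %s, expected %s" % (ctx.setype, expected_type))
    try:
        want_uid = pwd.getpwnam(expected_user).pw_uid
    except KeyError:
        problems.append("no such user: %s" % expected_user)
    else:
        if os.geteuid() != want_uid:
            problems.append("running as uid %d, expected user %s" % (os.geteuid(), expected_user))
    return problems


# Fields of a kernel AVC record as they appear in audit.log / ausearch output.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def parse_avc(line: str) -> Optional[dict]:
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m.group("perms").split(),
        "scontext": parse_context(m.group("scontext")),
        "tcontext": parse_context(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def diagnose(line: str) -> Optional[str]:
    """Map a denial onto the question's two failure modes.
    'transition' - the source domain may not transition into httpd_t at all
    'entrypoint' - httpd_t was entered, but the file being exec'd (the bin_t
                   interpreter) is not an allowed entry point; exec the
                   httpd_exec_t script directly instead of /usr/bin/python3
    'other'      - anything else; read it with audit2allow -a before allowing"""
    d = parse_avc(line)
    if d is None:
        return None
    if d["tclass"] == "process" and "transition" in d["perms"] and d["tcontext"].setype == "httpd_t":
        return "transition"
    if d["tclass"] == "file" and "entrypoint" in d["perms"] and d["scontext"].setype == "httpd_t":
        return "entrypoint"
    return "other"


# Constructed sample records (not from a real system): the two denials the question
# describes, plus one unrelated denial to show the fall-through case.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1700000000.000:101): avc:  denied  { transition } for  pid=4242 '
    'comm="(python3)" path="/usr/bin/python3.9" dev="dm-0" ino=1 '
    'scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:httpd_t:s0 '
    'tclass=process permissive=0',
    'type=AVC msg=audit(1700000000.000:102): avc:  denied  { entrypoint } for  pid=4243 '
    'comm="(python3)" path="/usr/bin/python3.9" dev="dm-0" ino=2 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1700000000.000:103): avc:  denied  { name_connect } for  pid=4244 '
    'comm="yourscript.py" dest=5432 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0',
]


if __name__ == "__main__":
    for line in SAMPLE_AVC_LINES:
        print(diagnose(line))
    for problem in self_check():
        print("self-check:", problem)
```

Run the self-check from the unit itself (for example at script start, failing fast if the list is non-empty) and feed diagnose() the lines from ausearch -m avc; an 'entrypoint' result is the signal to drop the interpreter from ExecStart and rely on the shebang, as the accepted answer did, rather than widening httpd_t's access to bin_t.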