How to execute a oneshot script during first boot (SELinux blocks it)

I’m bringing up an FCOS 33 box in AWS with an Ignition script. As the machine boots it needs to collect a secret from AWS Secrets Manager and place the output in a file on the file system. Looking at the tutorials, I decided to approach this by creating a oneshot systemd unit which will execute a script placed in /usr/local/bin (called getkey.sh).

However, when I start the box, the unit fails because SELinux blocks it:

 AVC avc:  denied  { execute } for  pid=3524 comm="(etkey.sh)" name="getkey.sh" dev="xvda4" ino=8388740 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0:c540,c826 tclass=file permissive=0

My question is: what tools are at my disposal on a running FCOS box to translate that error into a policy change? More specifically, how can I update the policies on that running box to enable that shell script to be run?

I think that once I know what policy works I should be able to get this enabled in the Ignition script (I think there are a few examples on this forum and elsewhere on the Internet). My usual go-to tool on this would clearly be audit2allow, but that (being Python) is not on the box. Neither is semanage.

I should add that I’ve tried to use the toolbox to execute audit2allow but it won’t work against a binary policy.

I think I should have put this on ask rather than discussion. Sorry about that.

The general idea is that custom SELinux policy modules are not well supported right now (see this rpm-ostree issue) and you’re better off changing labels to work around those issues.

Could you post your Ignition config (with any secrets redacted)? A script written to /usr/local/bin shouldn’t be getting a container_file_t label.
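Since audit2allow and semanage are not on the box, the denial line can still be read with the POSIX tools that are. The script below is an added example for this thread, not something posted by either participant: it pulls the source type, denied permission, target type and object class out of the AVC line quoted above (embedded here as a constructed sample), which is exactly the information needed to decide whether the fix is a label change rather than a policy module. The `journalctl` and `restorecon` commands mentioned in the comments are standard tools; that they are present on this particular FCOS image is an assumption.

```shell
#!/bin/sh
# Added example: dissect an SELinux AVC denial with sed/cut only, for hosts
# without audit2allow. On a live box the line would come from something like
#   journalctl -b | grep 'avc:'
# Here it is the constructed sample copied from the question.
AVC='AVC avc:  denied  { execute } for  pid=3524 comm="(etkey.sh)" name="getkey.sh" dev="xvda4" ino=8388740 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0:c540,c826 tclass=file permissive=0'

# avc_field LINE NAME -> value of the NAME=... token, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE -> the permission list inside { ... }, e.g. "execute" or "read write"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# selinux_type CONTEXT -> the type component (third colon-separated field)
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "SRCTYPE PERMS TGTTYPE:CLASS", the shape an allow rule would need
avc_summary() {
    _src=$(selinux_type "$(avc_field "$1" scontext)")
    _tgt=$(selinux_type "$(avc_field "$1" tcontext)")
    printf '%s %s %s:%s\n' "$_src" "$(avc_perms "$1")" "$_tgt" "$(avc_field "$1" tclass)"
}

# Reading the result: init_t (systemd) was denied execute on a file labelled
# container_file_t. A script under /usr/local/bin is normally bin_t, so the
# label on the file is what to check first (ls -Z on the path, then
# restorecon -v to reset it to the policy default) before writing any policy.
avc_summary "$AVC"
```

Running it on the sample prints `init_t execute container_file_t:file`, which says the source domain is systemd's `init_t` and the target carries a container label; that matches the reply above, which expects a script in /usr/local/bin not to have `container_file_t` at all.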
