I’m bringing up an FCOS 33 box in AWS with an Ignition script. As the machine boots it needs to collect a secret from AWS Secrets Manager and place the output in a file on the file system. Looking at the tutorials, I decided to approach this by creating a oneshot systemd unit which will execute a script placed in /usr/local/bin (called getkey.sh).
However, when I start the box, the unit fails because SELinux blocks it:
AVC avc: denied { execute } for pid=3524 comm="(etkey.sh)" name="getkey.sh" dev="xvda4" ino=8388740 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0:c540,c826 tclass=file permissive=0
My question is: what tools are at my disposal on a running FCOS box to translate that error into a policy change? More specifically, how can I update the policies on that running box to enable that shell script to be run?
I think that once I know what policy works I should be able to get this enabled in the Ignition script (I think there are a few examples on this forum and elsewhere on the Internet). My usual go-to tool on this would clearly be audit2allow, but that (being Python) is not on the box. Neither is semanage.
I should add that I’ve tried to use the toolbox to execute audit2allow, but it won’t work against a binary policy.
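The mechanical part of what audit2allow does with a single AVC record is small enough to reproduce with sed on a box that has no Python: pull the source type out of scontext, the target type out of tcontext, the object class and the permission set, and emit the matching allow rule plus a module (.te) skeleton. The script below is an added example written for this post, not the poster's getkey.sh, audit2allow, or any FCOS tooling; the only input it uses is the denial line quoted above, embedded here as sample input, and the module name getkey is an arbitrary choice.

```bash
#!/usr/bin/env bash
# Added example: a dependency-free stand-in for the parsing step audit2allow
# performs on one AVC "denied" record. Prints the allow rule and a loadable
# module (.te) skeleton that would grant exactly the denied access.
# This is an illustration written for this post, not audit2allow itself.

# The denial quoted in the post, used here as constructed sample input.
SAMPLE_AVC='avc: denied { execute } for pid=3524 comm="(etkey.sh)" name="getkey.sh" dev="xvda4" ino=8388740 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0:c540,c826 tclass=file permissive=0'

# parse_avc AVC_LINE -> prints "SOURCE_TYPE TARGET_TYPE CLASS PERM [PERM ...]"
# Returns 1 if the line is not a complete denial record, so nothing is emitted
# from a partial or unrelated log line.
parse_avc() {
  local line="$1" perms stype ttype tclass
  perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' \
          | sed 's/^ *//; s/ *$//' | tr -s ' ')
  # The type is the third colon-separated field of a context: user:role:type:level
  stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
  ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
  tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
  [ -n "$perms" ] && [ -n "$stype" ] && [ -n "$ttype" ] && [ -n "$tclass" ] || return 1
  printf '%s %s %s %s\n' "$stype" "$ttype" "$tclass" "$perms"
}

# avc_to_allow AVC_LINE -> the single allow rule audit2allow would print.
avc_to_allow() {
  local fields
  fields=$(parse_avc "$1") || return 1
  # shellcheck disable=SC2086  # word splitting into positional parameters is intended
  set -- $fields
  local stype=$1 ttype=$2 tclass=$3
  shift 3
  printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$*"
}

# avc_to_module NAME AVC_LINE -> a complete .te source for a policy module
# (the "require" block declares the types and class the rule refers to).
avc_to_module() {
  local name="$1" fields
  fields=$(parse_avc "$2") || return 1
  # shellcheck disable=SC2086
  set -- $fields
  local stype=$1 ttype=$2 tclass=$3
  shift 3
  printf 'module %s 1.0;\n\nrequire {\n    type %s;\n    type %s;\n    class %s { %s };\n}\n\nallow %s %s:%s { %s };\n' \
    "$name" "$stype" "$ttype" "$tclass" "$*" "$stype" "$ttype" "$tclass" "$*"
}

# Stand-alone run: translate the sample (or an AVC line passed as $1).
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  avc_to_allow "${1:-$SAMPLE_AVC}"
  echo
  avc_to_module getkey "${1:-$SAMPLE_AVC}"
fi
```

For the denial above this prints `allow init_t container_file_t:file { execute };` and a getkey.te module around it. Turning that .te into a loadable module is the usual checkmodule -M -m -o getkey.mod getkey.te, semodule_package -o getkey.pp -m getkey.mod, semodule -i getkey.pp sequence; whether checkmodule and semodule_package (checkpolicy and policycoreutils) are on a given FCOS image is something to verify on the box, as the post already found for the Python tools. Two caveats before loading anything: an allow rule generated this way grants systemd (init_t) execute on every file labelled container_file_t, which is far broader than one script, and container_file_t with MCS categories is the label container runtimes put on files they write, not the default label for a script under /usr/local/bin (ordinarily bin_t). restorecon -nv /usr/local/bin/getkey.sh shows, without changing anything, whether the file simply carries the wrong label, in which case relabelling is the narrower fix and no policy change is needed.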