How to execute a oneshot script during first boot (SELinux blocks it)

I’m bringing up a FCOS 33 box in AWS with an ignition script. As the machine boots it needs to collect a secret from AWS secrets manager and place the output in a file on the file system. Looking at the tutorials, I decided to approach this by creating a oneshot systemd unit which will execute a script placed in /usr/local/bin (called getkey.sh).

However, when I start the box, the unit fails because SELinux blocks it:

 AVC avc:  denied  { execute } for  pid=3524 comm="(etkey.sh)" name="getkey.sh" dev="xvda4" ino=8388740 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:container_file_t:s0:c540,c826 tclass=file permissive=0

My question is: what tools are at my disposal on a running FCOS box to translate that error into a policy change? More specifically, how can update the policies on that running box to enable that shell script to be run?

I think that once I know what policy works I should be able to get this enabled in the ignition script (I think there are a few examples on this forum and elsewhere on the Internet). My usual goto tool on this would clearly be audit2allow, but that (being python) is not on the box. Neither is semanage.

I should add that I’ve tried to use the toolbox to execute audit2allow but it won’t work against a binary policy.

2 Likes

I should note that I have subsequently fixed the underlying problem with my ignition script. So now the script will execute (it gets the correct bin_t instead of container_file_t). However, my question still stands: what tooling does FCOS provide for managing the selinux policy?

As most SELinux development tools require Python and Python is not installed by default on Fedora CoreOS, there are no SELinux development tools installed by default. You can overlay those tools at runtime for development using rpm-ostree install .... Another option would be rewriting those tools in another compiled language to make them available in Fedora CoreOS.