SELinux and systemd - unable to start Naemon

[llange]

TLDR; I'm proposing to remove the su from systemd unit file in order to make a first step towards running Naemon with SELinux.

Details:
On a fresh Red Hat Enterprise Linux release 8.3 (Ootpa) with Naemon installed (naemon-core-1.2.4-12.9.x86_64), and SELinux active (enforcing) I'm unable to start naemon.

# systemctl start naemon
Job for naemon.service failed because the control process exited with error code.
See "systemctl status naemon.service" and "journalctl -xe" for details.

while the systemctl information are not helpful, I narrowed it to the use of su in the systemd unit file:

SELinux is preventing /usr/bin/su from execute access on the file su.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
su default label should be ld_so_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v su

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that su should be allowed execute access on the su file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'su' --raw | audit2allow -M my-su
# semodule -X 300 -i my-su.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:su_exec_t:s0
Target Objects                su [ file ]
Source                        su
Source Path                   /usr/bin/su
Port                          <Unknown>
Host                          ****************
Source RPM Packages           systemd-239-41.el8_3.2.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.3-54.el8_3.4.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-54.el8_3.4.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ****************
Platform                      Linux ****************
                              4.18.0-240.22.1.el8_3.x86_64 #1 SMP Thu Mar 25
                              14:36:04 EDT 2021 x86_64 x86_64
Alert Count                   13
First Seen                    2021-06-02 14:25:31 CEST
Last Seen                     2021-06-02 15:32:48 CEST
Local ID                      89dd43f1-3617-4c8e-9ad1-4d5e6bf8d894

Raw Audit Messages
type=AVC msg=audit(1622640768.739:169): avc:  denied  { execute } for  pid=1986501 comm="(su)" name="su" dev="dm-0" ino=101216924 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1622640768.739:169): arch=x86_64 syscall=execve success=no exit=EACCES a0=5598c3e09550 a1=5598c3e2e450 a2=5598c3e2e670 a3=7fe9be65bba0 items=0 ppid=1 pid=1986501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=(su) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)

Hash: su,init_t,su_exec_t,file,execute

while investigating further, I understood that the current systemd unit file wants to execute some of the ExecStartPre commands as root (mkdir, chown), and the last one as user naemon(the one --verify-config). This dates from commit 6235cd1 which explains the necessity to drop privileges asap.

However, as written, the current systemd unit file is not working (at least in my configuration) with SELinux - because of the use of su

I found that using a new syntax, introduced in systemd release 231 (Cf NEWS) could help us choosing which of the ExecStartPre commands are run with full privileges and which are going to be executed as User= (i.e. naemon) ; thus allowing us to get rid of su.

Meanwhile, the PermissionsStartOnly=true is now deprecated since systemd release 240 (Cf NEWS) and may be ignored in the future.

This is why I suggest the following changes to the unit file:

--- /BEFORE/naemon.service 2021-06-02 14:54:35.243853641 +0200
+++ /AFTER/naemon.service  2021-06-02 16:00:49.995738258 +0200
@@ -7,10 +7,9 @@
 EnvironmentFile=/etc/sysconfig/naemon
 Type=forking
 PIDFile=@lockfile@
-PermissionsStartOnly=true
-ExecStartPre=-/usr/bin/mkdir -p /var/run/naemon
-ExecStartPre=/usr/bin/chown -R naemon:naemon /var/run/naemon/
-ExecStartPre=/bin/su naemon --login --shell=/bin/sh "--command=@bindir@/naemon --verify-config @pkgconfdir@/naemon.cfg"
+ExecStartPre=-+/usr/bin/mkdir -p /var/run/naemon
+ExecStartPre=+/usr/bin/chown -R naemon:naemon /var/run/naemon/
+ExecStartPre=@bindir@/naemon --verify-config @pkgconfdir@/naemon.cfg
 ExecStart=@bindir@/naemon --daemon @pkgconfdir@/naemon.cfg
 ExecReload=/bin/kill -HUP $MAINPID
 User=naemon

The downside, of course, is the lack of compatibility with systemd < 231.

If there is interest, I can make a PR.

Note: please understand that this change was not enough for me to run Neamon with SELinux. It's just a first step.

[sni]

We have some dirty hacks in the spec file already to make the service file work with ex. sles:
https://github.com/naemon/naemon-core/blob/master/naemon-core.spec#L154-L157
However, i'd recommend to first find out whats necessary to get it running with selinux and then see how we can implement that
while maintaining backwards compatibility. (right now we still build packages for rhel6)