
I have built a Rocky Linux (9.1) Virtual machine, and I am having permission problems with some of the files. Note also (after looking at the linked 'similar questions'), this is a local mount, not NFS or anything remote.

The anonymised permissions for the files are this: -r--r--r--. 1 engineer myadmin <filesize> <date> filename.jar

For the SELinux context: unconfined_u:object_r:default_t:s0 filename.jar

Running id for the user provides this output: uid=1001(engineer) gid=1002(myadmin) groups=1002(myadmin),1001(engineer) context=unconfined_u:unconfined_r:unconfined_t:s0

Any attempt to read the file is met with: cannot open 'filename.jar' for reading: Operation not permitted

I have tried looking at file permissions, mount options, SELinux permissions, and user groups. I expect that the user engineer should be able to read the file.

Mount options for the drive are: rw,seclabel,relatime

All attempts to read files result in Operation not permitted.

What am I missing?


Additional info, as requested in a comment:

The results from journalctl -n 100 are:

<timestamp> <hostname> login[<pid>]: pam_unix(login:session): session opened for user engineer(uid=1001) by engineer(uid=0)
<timestamp> <hostname> login[<pid>]: LOGIN ON pts/1 BY engineer

dmesg provides no information regarding attempts to open files.

SELinux is present, but is in permissive mode, so shouldn't be restricting anything anyway.

  • "Operation not permitted" (as opposed to "Permission denied") indicates something along the lines of MAC denial (SELinux or AppArmor); can you check dmesg or journalctl -n 100 to see if it has logged any audit errors? Commented Aug 7, 2023 at 5:09
  • @u1686_grawity I have added more details to the question, specifically the output of journalctl (dmesg provided nothing of use) Commented Aug 7, 2023 at 5:19

1 Answer


It wasn't SELinux preventing access, but fapolicyd. Specifically, it was a rule which specified deny_audit perm=any all : ftype=application/java-archive

Solution:

  • systemctl stop fapolicyd (to disable the file access policy from applying)
  • run fapolicyd --debug-deny (to show access which is disallowed)
  • attempt to open a file which previously indicated Operation not permitted
  • observe which rule it violates
  • carefully read the manpage for fapolicyd.rules(5), and construct a new rule file allowing the group or user to open java archives (.jar files), and also java applets (.class files)
  • run fagenrules --load to install the newly created rule
  • stop and restart fapolicyd --debug-deny
  • attempt to open the same file as above, and actually open it (with no logged rule)
  • cheer, or fist-pump, to indicate that I know how to fix my problems (this step is optional)
  • restart fapolicyd with the command systemctl enable --now fapolicyd
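The sequence above is what to type; what it does not spell out is why the symptom looked the way it did and how to avoid writing a rule that never fires. fapolicyd mediates opens through fanotify permission events and refuses them with EPERM, which is why the error reads "Operation not permitted" rather than the EACCES "Permission denied" that a DAC or SELinux (enforcing) denial would give, and why permissive SELinux changed nothing. fagenrules concatenates /etc/fapolicyd/rules.d/*.rules in sorted file-name order and fapolicyd takes the first matching rule, so an allow rule dropped into a file that sorts after the file holding the deny is dead code. The script below is an added example, not code from the answer or from the fapolicyd project: it maps a --debug-deny line back to the rule number, prints that rule's text from the fapolicyd-cli --list output, generates allow rules for a gid, and checks the new file name sorts ahead of the deny file. The gid 1002 and the group name come from the question; the file name 05-myadmin-java.rules, the assumption that the stock deny lives in 10-languages.rules, the rule numbers, and the sample log lines are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original answer or from fapolicyd itself).
# Offline by default: it only touches the system when run as  sh this.sh apply <gid>
# Assumptions: the stock java-archive deny sits in 10-languages.rules; rule numbers,
# sample denial lines and the new file name are constructed for illustration.

RULES_DIR=/etc/fapolicyd/rules.d
STOCK_DENY_FILE=10-languages.rules      # assumed location of the deny_audit rule
NEW_RULE_FILE=05-myadmin-java.rules     # must sort before $STOCK_DENY_FILE

# Constructed sample of `fapolicyd --debug-deny` output (default syslog_format fields).
SAMPLE_DENIALS='rule=12 dec=deny_audit perm=open auid=1001 pid=4242 exe=/usr/bin/cat : path=/home/engineer/filename.jar ftype=application/java-archive trust=0
rule=12 dec=deny_audit perm=open auid=1001 pid=4250 exe=/usr/bin/less : path=/home/engineer/filename.jar ftype=application/java-archive trust=0'

# Constructed sample of `fapolicyd-cli --list` output ("<number>. <rule>").
SAMPLE_RULE_LIST='11. deny_audit perm=any all : ftype=application/x-bytecode.python
12. deny_audit perm=any all : ftype=application/java-archive
13. deny_audit perm=any all : ftype=application/x-java-applet'

# Distinct rule numbers that denied files of MIME type $1; debug-deny lines on stdin.
denying_rule_numbers() {
    grep "ftype=$1 " | sed -n 's/^rule=\([0-9]*\) .*/\1/p' | sort -u
}

# Text of rule number $1 from `fapolicyd-cli --list` output on stdin.
rule_text() {
    sed -n "s/^$1\. //p"
}

# Allow rules letting one gid open .jar and .class files. perm=open is deliberately
# narrower than the stock deny's perm=any: reading is granted, executing is not.
allow_rules_for_gid() {
    printf 'allow perm=open gid=%s : ftype=application/java-archive\n' "$1"
    printf 'allow perm=open gid=%s : ftype=application/x-java-applet\n' "$1"
}

# fagenrules concatenates rules.d/*.rules in sorted name order and fapolicyd uses the
# first match, so the allow file must sort before the deny file. Returns 0 if it does.
sorts_before() {
    first=$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)
    [ "$first" = "$1" ] && [ "$1" != "$2" ]
}

# Apply mode: write the rule file, reload, and show the compiled rules that mention the gid.
if [ "${1:-}" = "apply" ]; then
    gid=${2:?gid required}
    sorts_before "$NEW_RULE_FILE" "$STOCK_DENY_FILE" || {
        echo "$NEW_RULE_FILE would sort after $STOCK_DENY_FILE; rename it" >&2; exit 1; }
    grep -q 'ftype=application/java-archive' "$RULES_DIR/$STOCK_DENY_FILE" ||
        echo "warning: deny rule not found in $STOCK_DENY_FILE; check fapolicyd-cli --list" >&2
    allow_rules_for_gid "$gid" > "$RULES_DIR/$NEW_RULE_FILE"
    fagenrules --load
    fapolicyd-cli --list | grep "gid=$gid"
fi
```

After `fagenrules --load`, the `fapolicyd-cli --list` output should show the two allow rules numbered lower than the deny_audit rule for application/java-archive; if they appear after it, the file name is wrong and the fix has not taken effect. Rerunning `fapolicyd --debug-deny` while opening the file, as in the answer's steps, is the confirmation that no rule fires.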
