
I'm trying to deploy JupyterHub on CentOS 7 with SELinux enabled. I chose sudospawner for creating new Jupyter notebook servers. When I try to log in to JupyterHub, SELinux logs the following error and no process is spawned:

python3.4[17888]: pam_selinux(login:session): Error sending audit message.
python3.4[17888]: pam_keyinit(login:session): Unable to change GID to 1000 temporarily
python3.4[17888]: pam_keyinit(login:session): Unable to change GID to 1000 temporarily
dbus[633]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.1187" (uid=1003 pid=17888 comm="/usr/bin/python3.4 /usr/bin/jupyterhub ") interface="org.freedesktop.login1.Manager" member="CreateSession" error name="(unset)" requested_reply="0" destination="org.freedesktop.login1" (uid=0 pid=632 comm="/usr/lib/systemd/systemd-logind ")
dbus-daemon[633]: dbus[633]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.1187" (uid=1003 pid=17888 comm="/usr/bin/python3.4 /usr/bin/jupyterhub ") interface="org.freedesktop.login1.Manager" member="CreateSession" error name="(unset)" requested_reply="0" destination="org.freedesktop.login1" (uid=0 pid=632 comm="/usr/lib/systemd/systemd-logind ")
python3.4[17888]: pam_systemd(login:session): Failed to create session: Access denied

I get this error even when I start JupyterHub as root. When I disable SELinux, everything works fine.

How can I configure SELinux so that sudospawner can set the UID and start a notebook server in the user context?

1 Answer


The first thing you need to do is gather all the relevant SELinux messages. Put your system into permissive mode:

setenforce 0

Use the application as you would normally and then take a look at the SELinux-related messages in /var/log/audit/audit.log*:

grep denied /var/log/audit/audit.log*

You can pass the results to various utilities to get some sense of what is required:

grep denied /var/log/audit/audit.log* | audit2why

Analysing that can be helpful. It may suggest you configure various booleans. You may also want to run the results through audit2allow:

grep denied /var/log/audit/audit.log* | audit2allow

This will also tell you what you need to do. You can create a local module:

grep denied /var/log/audit/audit.log* | audit2allow -M local-module

and then use it:

semodule -i local-module.pp

Don't forget to set SELinux back to enforcing.

user9517
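As an added example (not part of the answer above and not code from any SELinux tool), here is a small Python parser that does by hand what the grep | audit2allow step does: it groups the AVC denials of one process by source type, target type and object class and renders the allow rules a local module would carry, so they can be read before anything is installed. The audit records, pids and contexts below are constructed for illustration; on a real system you would feed it /var/log/audit/audit.log and the comm of the spawning process.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not taken from the question's system).
# The pid and comm mirror the question; the contexts are illustrative only.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1500000000.101:1001): avc:  denied  { setgid } for  pid=17888 comm="python3.4" capability=6  scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1500000000.102:1002): avc:  denied  { setuid } for  pid=17888 comm="python3.4" capability=7  scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1500000000.103:1003): avc:  denied  { send_msg } for  pid=17888 comm="python3.4" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=1
type=AVC msg=audit(1500000000.104:1004): avc:  denied  { read } for  pid=2222 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1500000000.104:1004): arch=c000003e syscall=2 success=yes exit=3
"""

# Fields of an AVC denial record: permissions, pid, comm, source/target context, class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    return rec

def type_of(context):
    """user:role:type:level -> type, the component that appears in an allow rule."""
    return context.split(":")[2]

def summarize(log_text, comm=None):
    """Group denials by (source type, target type, class); optionally keep one comm only."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or (comm is not None and rec["comm"] != comm):
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        rules[key] |= rec["perms"]
    return dict(rules)

def to_te_rules(summary):
    """Render the grouped denials as the allow rules a local .te module would contain."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    for rule in to_te_rules(summarize(SAMPLE_AUDIT_LOG, comm="python3.4")):
        print(rule)
```

Reading the rendered rules first is the step that matters: a capability rule carrying setuid and setgid, or a dbus send_msg rule towards logind, is a grant you want to decide on deliberately rather than install wholesale from audit2allow output.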