Tags: python, selinux

running python script under httpd_t SELinux context


I have a Python script, running as a systemd unit, that I need to run in the httpd_t SELinux context under the nginx user. I have tried using runcon, but it says that the transition is not allowed, and if I allow the transition using audit2allow it then denies the python3 entry point, and I am not willing to give httpd_t access to bin_t. Is there any way to do this?


Solution

  • I ended up just writing a custom policy that allows unconfined_service_t to transition to httpd_t and using a shebang indicating that the script was a Python script, so as not to need to specify /usr/bin/python3 in the ExecStart command, thus eliminating my bin_t issues.
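The approach in the answer, written out as an added example (not the poster's own policy): a module that lets a service in unconfined_service_t transition into httpd_t when it executes a script labelled httpd_exec_t, the file context for that script, and a unit whose ExecStart is the script itself so its shebang picks the interpreter. The path /opt/pyservice/app.py, the module name and the unit name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): policy module letting a service
# started in unconfined_service_t transition to httpd_t when it executes a
# script labelled httpd_exec_t, plus the matching systemd unit. The path
# /opt/pyservice/app.py and the module name are assumptions.
set -e

write_policy_sources() {
    dir="$1"
    cat > "$dir/httpd_pyservice.te" <<'EOF'
module httpd_pyservice 1.0;
require {
    type unconfined_service_t;
    type httpd_t;
    type httpd_exec_t;
    class file { read getattr open execute entrypoint };
    class process transition;
}
# Executing a file of type httpd_exec_t from unconfined_service_t moves the
# process into httpd_t; the script itself is the entrypoint, so bin_t
# (/usr/bin/python3, reached via the shebang) never needs entrypoint rights.
allow unconfined_service_t httpd_exec_t:file { read getattr open execute };
allow unconfined_service_t httpd_t:process transition;
allow httpd_t httpd_exec_t:file entrypoint;
type_transition unconfined_service_t httpd_exec_t:file httpd_t;
EOF
    # File context: only this one script is labelled httpd_exec_t.
    cat > "$dir/httpd_pyservice.fc" <<'EOF'
/opt/pyservice/app\.py    --    system_u:object_r:httpd_exec_t:s0
EOF
    # Unit: ExecStart is the script itself (first line "#!/usr/bin/python3").
    cat > "$dir/pyservice.service" <<'EOF'
[Unit]
Description=Python service confined as httpd_t
[Service]
User=nginx
ExecStart=/opt/pyservice/app.py
EOF
}

# Compile, install and relabel (needs root); skipped where SELinux tools are absent.
build_and_install() {
    dir="$1"
    command -v checkmodule >/dev/null 2>&1 || { echo "no SELinux toolchain; skipping" >&2; return 0; }
    checkmodule -M -m -o "$dir/httpd_pyservice.mod" "$dir/httpd_pyservice.te"
    semodule_package -o "$dir/httpd_pyservice.pp" -m "$dir/httpd_pyservice.mod" -f "$dir/httpd_pyservice.fc"
    semodule -i "$dir/httpd_pyservice.pp"
    restorecon -v /opt/pyservice/app.py
}
```

Keep the script root-owned and not writable by the nginx user, since it is now a trusted entrypoint into httpd_t. After starting the unit, `ps -eZ | grep app.py` should show the process running in httpd_t.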