selinux process transition not taking place

Stephen Smalley sds at tycho.nsa.gov
Mon May 18 19:33:02 UTC 2015


On 05/18/2015 03:26 PM, SZIGETVÁRI János wrote:
> Yes, both executables in this case are shell scripts, so you're most
> likely right. (*)
> 
> The original scenario seems different though, as the following
> conditions are met there:
> -- there is an init script with the context syslogd_initrc_exec_t, which
> calls a
> -- symlink under /opt/<product>/sbin which has the context of bin_t, and
> is a reference for the
> -- binary executable /opt/<product>/libexec/<executable> which has a
> context of syslogd_exec_t.
> 
> Normally this setup works just fine, but one of our customers
> encountered a situation where the daemon is stuck as initrc_t.
> We have tried verifying every little detail, but we failed to spot any
> differences between their environment, where the problem persists, and
> ours, where everything works fine.
> 
> 
> (*) I think I will write a short C program in order to find out whether
> this was indeed the main reason why my demo script failed to transition
> to syslogd_t.

You don't need a C program; you just need to make sure the scripts are
executable and directly invoke them rather than calling them via bash.
Then they are passed to execve() and the kernel will set up the domain
transition before invoking bash.
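
The distinction drawn in the reply above, as an added example that is not part of the original message or of any SELinux tooling: a small lint that flags places where a script is read by a shell instead of being passed to execve(), plus a check that a file can be executed directly. The function names and the /opt/demo paths are hypothetical, and the sample init script is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. SELinux computes the new domain at
# execve() from the label of the file passed to execve(); these checks flag
# cases where a script is never that file. Function names are hypothetical.

# Print "LINE:REASON:TARGET" for commands in script $1 that read a file
# through a shell instead of executing it (first command word per line only).
find_indirect_invocations() {
    script=$1 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- $line; set +f    # split into words without globbing
        if [ "${1:-}" = exec ]; then shift; fi
        case "${1:-}" in
            '#'*) ;;                    # comment or shebang line
            sh|bash|dash|ksh|*/sh|*/bash|*/dash|*/ksh)
                # execve() sees the shell binary; the script is only data
                case "${2:-}" in
                    ''|-*) ;;
                    *) echo "$n:via-interpreter:$2" ;;
                esac ;;
            .|source)
                # no execve() at all: the code runs in the caller's domain
                if [ -n "${2:-}" ]; then echo "$n:sourced:$2"; fi ;;
        esac
    done < "$script"
    return 0
}

# Can file $1 be handed to execve() itself? Prints ok ('#!' script or ELF
# binary), not-executable, or no-shebang (execve() fails with ENOEXEC and the
# calling shell falls back to running the file through a shell).
check_direct_exec() {
    if [ ! -x "$1" ]; then echo not-executable; return 1; fi
    case "$(head -c 4 "$1")" in
        '#!'*|"$(printf '\177ELF')") echo ok ;;
        *) echo no-shebang; return 1 ;;
    esac
}

# Constructed sample: an init script that starts two helpers.
demo_dir=$(mktemp -d)
printf '%s\n' '#!/bin/sh' 'bash /opt/demo/sbin/start-a' '/opt/demo/sbin/start-b' \
    > "$demo_dir/initscript"
find_indirect_invocations "$demo_dir/initscript"
rm -rf "$demo_dir"
```

On an SELinux host, the result can be confirmed by comparing the file label from `ls -Z` with the running process label from `ps -eZ`.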



