<div dir="ltr"><div><div><div><div><div><div><div>Yes, both executables in this case are shell scripts, so you're most likely right. (*)<br><br></div>The original scenario seems different though, as the following conditions are met there:<br></div>-- there is an init script with the context syslogd_initrc_exec_t, which calls a<br></div>-- symlink under /opt/<product>/sbin which has the context of bin_t, and is a reference for the<br></div>-- binary executable /opt/<product>/libexec/<executable> which has a context of syslogd_exec_t.<br><br></div>Normally this setup works just fine, but one of our customers encountered a situation where the daemon is stuck as initrc_t.<br></div>We have tried verifying every little detail, but we failed to spot any differences between their environment, where the problem persists, and ours, where everything works fine.<br><br><br></div>(*) I think, I will write a short C program in order to find out whether this was in deed the main reason why my demo script failed to transition to syslogd_t.<br><div><div><div><div><div><div><div><br></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-05-18 20:34 GMT+02:00 Stephen Smalley <span dir="ltr"><<a href="mailto:sds@tycho.nsa.gov" target="_blank">sds@tycho.nsa.gov</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On 05/15/2015 04:30 AM, SZIGETVÁRI János wrote:<br>
> Hello Again,<br>
><br>
> I have managed to reproduce the problem on CentOS 7 as well, but due to<br>
> the exlusion of the run_init command, the script needed a bit of<br>
> tailoring as well.<br>
> I have attached the modified script. (To make up for the "lost"<br>
> run_init, the script has to have the<br>
> "system_u:object_r:run_init_exec_t:s0" context.)<br>
> Anyway, the problem's solution is more pressing on CentOS 6, so any help<br>
> or hints would be appreciated.<br>
<br>
</div></div>Sorry, it looks like you are running the equivalent of:<br>
bash /path/to/script<br>
in each of your scripts.<br>
<br>
Which means exec bash and have it open the script file and read it, then<br>
interpret it. So we never call execve() on the script file and thus we<br>
never perform a domain transition. Is that what you were doing in your<br>
original situation too?<br>
<br>
<br>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">Janos SZIGETVARI<br><br>E-mail: <a href="mailto:jszigetvari@gmail.com" target="_blank">jszigetvari@gmail.com</a><br>Phone: +36209440412 (Hungary)<br><br>__@__˚V˚<br>Make the switch to open (source) applications, protocols, formats now:<br>- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice.org<br>- msn -> jabber protocol (Pidgin, Google Talk)<br>- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp</div></div></div></div></div></div>
</div></div></div></div>