On 05/18/2015 03:26 PM, SZIGETVÁRI János wrote:
Yes, both executables in this case are shell scripts, so you're most
likely right. (*)
The original scenario seems different though, as the following
conditions are met there:
-- there is an init script with the context syslogd_initrc_exec_t,
   which calls a
-- symlink under /opt/<product>/sbin which has the context of bin_t,
   and is a reference for the
-- binary executable /opt/<product>/libexec/<executable> which has a
   context of syslogd_exec_t.
Normally this setup works just fine, but one of our customers
encountered a situation where the daemon is stuck as initrc_t.
We have tried verifying every little detail, but we failed to spot any
differences between their environment, where the problem persists, and
ours, where everything works fine.
(*) I think I will write a short C program in order to find out whether
this was indeed the main reason why my demo script failed to transition
to syslogd_t.
Also, the most likely explanation for the scenario above is that the
customer has the filesystem containing
/opt/<product>/libexec/<executable> mounted with nosuid.
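
One way to check the nosuid explanation from the reply above on an affected host; this is an added example, not code from the thread. It parses /proc/self/mountinfo and reports whether the filesystem holding the resolved executable is mounted nosuid. The sample mount table and the default path /opt/product/libexec/daemon are constructed placeholders.

```python
import os
import re
import sys

# Constructed sample in /proc/self/mountinfo format (not taken from the thread).
SAMPLE_MOUNTINFO = """\
22 1 253:0 / / rw,relatime shared:1 - xfs /dev/mapper/vg-root rw,seclabel
40 22 253:2 / /opt rw,nosuid,nodev,relatime shared:20 - ext4 /dev/mapper/vg-opt rw,seclabel
41 22 253:3 / /var/my\\040data rw,relatime shared:21 - ext4 /dev/mapper/vg-data rw,seclabel
"""

def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as 3-digit octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Return [(mount_point, set_of_mount_options)] in file order."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        # Fixed fields 0-5, optional fields, "-" separator, then 3 more.
        if len(fields) < 10 or "-" not in fields[6:]:
            continue
        mounts.append((_unescape(fields[4]), set(fields[5].split(","))))
    return mounts

def mount_for(path, mounts):
    """Longest mount point that contains path; later entries win ties."""
    best = None
    for mount_point, options in mounts:
        prefix = mount_point.rstrip("/") + "/"
        if path == mount_point or path.startswith(prefix):
            if best is None or len(mount_point) >= len(best[0]):
                best = (mount_point, options)
    return best

def on_nosuid_mount(path, mounts):
    found = mount_for(path, mounts)
    return found is not None and "nosuid" in found[1]

if __name__ == "__main__":
    # Hypothetical default path; pass the real executable as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/opt/product/libexec/daemon"
    real = os.path.realpath(target)  # follow the sbin symlink to the binary
    with open("/proc/self/mountinfo") as fh:
        mounts = parse_mountinfo(fh.read())
    print(real, mount_for(real, mounts), "nosuid:", on_nosuid_mount(real, mounts))
```

Running it on both the working and the failing host with the same path makes a mount-option difference visible even when file contexts are identical.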