Hi,

I'm getting AVC denied with a nagios nrpe script which needs to sudo. The script works fine without selinux. I'm on FC4.

nrpe is the remote execution feature in nagios. It runs under xinetd and accepts incoming commands. It then runs scripts to fetch results.

My script to get hard disk SMART attributes looks like so:

==========
#!/bin/sh

device="$1"
attribute="$2"

#id
sudo /usr/sbin/smartctl -A $device | perl -ne 'm{^\s*\Q'"$attribute"'\E\s} && split && print "$_[9]"'
==========

During execution of the script id returns:

uid=173(nagios) gid=173(nagios) context=system_u:system_r:inetd_t

But I get this avc denial:

type=AVC msg=audit(1138482709.249:31780): avc: denied { entrypoint } for pid=11537 comm="sudo" name="sesh" dev=dm-0 ino=442643 scontext=root:system_r:amanda_t tcontext=system_u:object_r:shell_exec_t tclass=file

Seems reasonable. There don't seem to be any booleans for nrpe, but there is inetd_child_disable_trans. With that set, id gives:

uid=173(nagios) gid=173(nagios) context=root:system_r:inetd_t

But I get the same denial:

type=AVC msg=audit(1138485617.391:32037): avc: denied { entrypoint } for pid=14228 comm="sudo" name="sesh" dev=dm-0 ino=442643 scontext=root:system_r:amanda_t tcontext=system_u:object_r:shell_exec_t tclass=file

I've no idea what amanda_t has got to do with any of this. Am I missing something obvious? It seems to be running in the new context, but still be protected. The inetd_child_disable_trans is described in system-config-securitylevel as "Disable SELinux protection for inetd child daemons", which is what I seem to need.

I also notice that the current policy has some nrpe stuff in it, but that doesn't ever seem to take effect. Is this incomplete, or broken?

Cheers,
Martin.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
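An added example, not part of Martin's post and not code from nagios, nrpe or the Fedora policy: a small POSIX sh script that reduces an AVC "denied" record to the allow rule that would satisfy it, which is what audit2allow produces for the simple case, and states the denial in plain words. The only input is a constructed copy of the first denial quoted above. For an entrypoint check the source context is the domain the process is being placed into and the target is the file being executed, so the rule this prints for the post's denial, allow amanda_t shell_exec_t:file { entrypoint };, would let a shell be used to enter amanda_t. That is not the fix being looked for here: the open question in the post is why sudo is being moved into amanda_t at all, and a rule that silences the denial would hide that rather than answer it.

```shell
#!/bin/sh
# Added example (not from the post, nagios, nrpe or the Fedora policy):
# turn one AVC "denied" record into the allow rule that would satisfy it
# and into a one-line description, so the source type, target type and
# permission are easy to read off.

# Constructed sample: the first denial quoted in the post, with the
# spacing the audit subsystem actually emits.
SAMPLE_AVC='type=AVC msg=audit(1138482709.249:31780): avc:  denied  { entrypoint }  for  pid=11537 comm="sudo" name="sesh" dev=dm-0 ino=442643 scontext=root:system_r:amanda_t tcontext=system_u:object_r:shell_exec_t tclass=file'

# avc_field LINE KEY: print the value of the KEY=value pair in the record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: print the permission list inside "denied { ... }"
avc_perms() {
    printf '%s\n' "$1" |
        sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' |
        sed 's/[[:space:]]*$//'
}

# context_type CONTEXT: the type field of user:role:type[:level]
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_rule LINE: print "allow SRC_T TGT_T:CLASS { PERMS };"
avc_to_rule() {
    src_t=$(context_type "$(avc_field "$1" scontext)")
    tgt_t=$(context_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    printf 'allow %s %s:%s { %s };\n' "$src_t" "$tgt_t" "$tclass" "$perms"
}

# avc_explain LINE: describe the denial in words. The entrypoint case is
# special: the source context is the domain being entered, the target is
# the file that was executed to enter it.
avc_explain() {
    comm=$(avc_field "$1" comm | tr -d '"')
    src_t=$(context_type "$(avc_field "$1" scontext)")
    tgt_t=$(context_type "$(avc_field "$1" tcontext)")
    perms=$(avc_perms "$1")
    case "$perms" in
        entrypoint)
            printf '%s: a %s file was executed to enter domain %s, but %s has no entrypoint from %s\n' \
                "$comm" "$tgt_t" "$src_t" "$src_t" "$tgt_t" ;;
        *)
            printf '%s in %s was denied %s on %s\n' "$comm" "$src_t" "$perms" "$tgt_t" ;;
    esac
}

avc_explain "$SAMPLE_AVC"
avc_to_rule "$SAMPLE_AVC"
```

Feed it real records with something like `grep avc: /var/log/audit/audit.log | while read -r l; do avc_to_rule "$l"; done`; the script only depends on sed, cut and tr, so it runs on an FC4-era system as well as a current one. The fields it reads (scontext, tcontext, tclass and the braced permission list) are present in every AVC record, with or without an MLS level on the contexts.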