Re: How to start up an unconfined service

Orion Poplawski wrote:
Daniel J Walsh wrote:
Orion Poplawski wrote:
I'm running SGE (Sun Grid Engine) and the daemon is now starting up in the initrc_t domain. I really need it to be unconfined (I believe) as it can really do just about anything. How can I do this?

In targeted policy initrc_t is unconfined. I believe you could also chcon -t unconfined_exec_t DAEMONPATH to get the transition.

Okay, so the problem is with execmod then:

audit(1144077767.717:1841): avc: denied { execmod } for pid=30457 comm="lt-testhdf5" name="libhdf5.so.1.2.1" dev=hda3 ino=2913756 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file

and:

audit(1144077181.455:932): avc: denied { execmod } for pid=27638 comm="lt-testhdf5" name="libhdf5.so.1.2.1" dev=dm-2 ino=6300972 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file

I'm trying to build HDF5-1.7.52 and this is happening during the make-check phase. The first is doing an rpmbuild as a normal user. The second is with mock started by SGE.

You can turn off this check by setting the allow_execmod boolean.

setsebool -P allow_execmod=1

Or you can label these files with textrel_shlib_t

chcon -t textrel_shlib_t libhdf5.so.1.2.1

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
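
An added example, not part of the original thread: a small Python parser for the AVC lines quoted above that lists each file hit by an execmod denial, with its current type and the domain that was denied. These are the files the textrel_shlib_t relabel from the reply would apply to. Function names are hypothetical; the sample lines are copied from the thread.

```python
import re
from collections import defaultdict

# The two denials quoted in the thread (copied from the page).
SAMPLE_LOG = """\
audit(1144077767.717:1841): avc: denied { execmod } for pid=30457 comm="lt-testhdf5" name="libhdf5.so.1.2.1" dev=hda3 ino=2913756 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
audit(1144077181.455:932): avc: denied { execmod } for pid=27638 comm="lt-testhdf5" name="libhdf5.so.1.2.1" dev=dm-2 ino=6300972 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    # A context is user:role:type[:level]; the type is the third field.
    rec["source_type"] = rec.get("scontext", "::").split(":")[2]
    rec["target_type"] = rec.get("tcontext", "::").split(":")[2]
    return rec

def execmod_targets(log_text):
    """Group execmod denials on files by (dev, ino), one entry per file."""
    found = defaultdict(lambda: {"name": None, "target_type": None, "domains": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or "execmod" not in rec["perms"] or rec.get("tclass") != "file":
            continue
        entry = found[(rec.get("dev"), rec.get("ino"))]
        entry["name"] = rec.get("name")
        entry["target_type"] = rec["target_type"]
        entry["domains"].add(rec["source_type"])
    return dict(found)

def report(log_text):
    """One summary line per affected file, sorted by device and inode."""
    lines = []
    for (dev, ino), e in sorted(execmod_targets(log_text).items()):
        lines.append(f'{e["name"]} dev={dev} ino={ino} type={e["target_type"]} '
                     f'denied for {",".join(sorted(e["domains"]))}')
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The name= field holds only the file's basename, so the full path has to be located by device and inode before running the chcon from the reply.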
