On Tue, Mar 19, 2013 at 11:50 AM, Dominick Grift <dominick.grift@xxxxxxxxx> wrote: > Domain type transitions happen on execve. So you need to make sure that > both the init script as well as the syslog executable file are labeled > properly. > > its like this: > > init_t -> initrc_exec_t -> initrc_t -> syslog_exec_t -> syslogd_t > > You seem to be hanging at initrc_t so i suspect that your syslog > executable file is mislabeled. > > Verify the syslogd init script file and see what it runs when it starts > syslog, then see if that file has a proper label. Thanks Dominick. The file run by the syslogd init script has the proper label, but I realized that the init script itself was labeled initrc_t instead of sylogd_script_exec_t, but fixing that still didn't help: [root@foo ~]$ chcon system_u:object_r:syslogd_script_exec_t:s0 /etc/init.d/syslog-ng [root@foo ~]$ ls -Z /etc/init.d/syslog-ng /opt/syslog-ng/sbin/syslog-ng -rwxr-xr-x root root system_u:object_r:syslogd_script_exec_t:s0 /etc/init.d/syslog-ng -rwxr-xr-x root root system_u:object_r:syslogd_exec_t:s0 /opt/syslog-ng/sbin/syslog-ng [root@foo ~]$ run_init /etc/init.d/syslog-ng restart Authenticating foobar. Password: Restarting syslog-ng: Stopping syslog-ng: [ OK ] Starting syslog-ng: [ OK ] [root@foo ~]$ ps -efZ | grep syslog user_u:system_r:initrc_t:s0 root 7199 1 0 16:30 ? 00:00:00 supervising syslog-ng user_u:system_r:initrc_t:s0 root 7200 7199 0 16:30 ? 00:00:00 /opt/syslog-ng/sbin/syslog-ng --no-caps I agree with your diagnosis, but fixing the labeling doesn't seem to help. Any other ideas? Thanks. - Daniel -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
