On Tue, 2013-03-19 at 12:40 -0400, Daniel Neuberger wrote:
> On Tue, Mar 19, 2013 at 11:50 AM, Dominick Grift
> <dominick.grift@xxxxxxxxx> wrote:
> > Domain type transitions happen on execve. So you need to make sure that
> > both the init script as well as the syslog executable file are labeled
> > properly.
> >
> > It's like this:
> >
> > init_t -> initrc_exec_t -> initrc_t -> syslog_exec_t -> syslogd_t
> >
> > You seem to be hanging at initrc_t so I suspect that your syslog
> > executable file is mislabeled.
> >
> > Verify the syslogd init script file and see what it runs when it starts
> > syslog, then see if that file has a proper label.
>
> Thanks Dominick. The file run by the syslogd init script has the
> proper label, but I realized that the init script itself was labeled
> initrc_t instead of syslogd_script_exec_t, but fixing that still didn't
> help:
>
> [root@foo ~]$ chcon system_u:object_r:syslogd_script_exec_t:s0
> /etc/init.d/syslog-ng
> [root@foo ~]$ ls -Z /etc/init.d/syslog-ng /opt/syslog-ng/sbin/syslog-ng
> -rwxr-xr-x root root system_u:object_r:syslogd_script_exec_t:s0
> /etc/init.d/syslog-ng
> -rwxr-xr-x root root system_u:object_r:syslogd_exec_t:s0
> /opt/syslog-ng/sbin/syslog-ng
> [root@foo ~]$ run_init /etc/init.d/syslog-ng restart
> Authenticating foobar.
> Password:
> Restarting syslog-ng: Stopping syslog-ng: [ OK ]
> Starting syslog-ng: [ OK ]
> [root@foo ~]$ ps -efZ | grep syslog
> user_u:system_r:initrc_t:s0 root 7199 1 0 16:30 ?
> 00:00:00 supervising syslog-ng
> user_u:system_r:initrc_t:s0 root 7200 7199 0 16:30 ?
> 00:00:00 /opt/syslog-ng/sbin/syslog-ng --no-caps
>
> I agree with your diagnosis, but fixing the labeling doesn't seem to
> help. Any other ideas?
>

Stephen has a good suggestion. See if your /opt is mounted with nosuid.
If it is, then it cannot domain type transition.

> Thanks.
>
> - Daniel

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
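
The nosuid check suggested in the reply, as an added example that is not part of the original thread: it finds the mount that actually holds an executable (longest matching mount point) and reports whether that mount carries `nosuid`. The function names are hypothetical and the sample mount table is constructed; the thread does not say how /opt was really mounted.

```shell
#!/bin/sh
# Added example (not from the thread): find the mount that holds an
# executable and report whether it is mounted nosuid.

# Constructed sample in /proc/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /opt ext3 rw,nosuid,nodev 0 0
/dev/sda4 /opt/data ext3 rw 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# mount_for PATH [MOUNTS_TEXT]: print "mountpoint options" for the longest
# mount point that contains PATH. Reads /proc/mounts when no text is given.
mount_for() {
    path=$1
    mounts=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$mounts" | awk -v p="$path" '
        {
            mp = $2
            # Match on whole path components so /opt does not match /optional.
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                # >= lets a later mount stacked on the same point win.
                if (length(mp) >= length(best)) { best = mp; opts = $4 }
            }
        }
        END { if (best != "") print best, opts }'
}

# is_nosuid PATH [MOUNTS_TEXT]: exit 0 if the mount holding PATH has nosuid.
is_nosuid() {
    opts=$(mount_for "$1" "$2" | awk '{print $2}')
    case ",$opts," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_transition PATH [MOUNTS_TEXT]: one-line verdict for an executable.
check_transition() {
    if is_nosuid "$1" "$2"; then
        mp=$(mount_for "$1" "$2" | awk '{print $1}')
        echo "$1: on nosuid mount $mp, no domain transition on execve"
    else
        echo "$1: mount is not nosuid, check file labels with ls -Z"
    fi
}

check_transition /opt/syslog-ng/sbin/syslog-ng "$SAMPLE_MOUNTS"
check_transition /etc/init.d/syslog-ng "$SAMPLE_MOUNTS"
```

Calling `check_transition` with only a path reads the live `/proc/mounts` instead of the sample.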