On 04/12/2013 02:48 AM, Michael Ludvig wrote:
> Hi
>
> I've got a RHEL6 server with the targeted SELinux enabled. I'm running a
> script /usr/local/sbin/check-hp-smartarray.pl from snmpd. The script
> executes and tries to invoke /usr/sbin/hpacucli and that's where the
> problems begin.
>
> First of all /usr/sbin/hpacucli runs /opt/compaq/hpacucli/bld/.hpacucli -
> that failed because the context of the file was system_u:object_r:usr_t:s0
> - I changed that to bin_t and got a bit further. Now hpacucli fails because
> it can't write some temporary files. Probably because it runs under snmpd_t
> that isn't allowed to write there.
>
> I don't want to turn off SELinux completely and I don't really agree with
> the solutions suggested by audit2allow (essentially it lets snmpd_t execute
> everything and write everywhere).
>
> I tried "sudo /usr/sbin/hpacucli" with this sudoers line:
>
> root ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r NOPASSWD: ALL
>
> but when that is run from snmpd it fails with "sudo: unable to open audit
> system: Permission denied"
>
> Then I tried "runcon root:system_r:unconfined_t:s0-s0:c0.c1023
> /usr/bin/hpacucli" and although from the shell it runs fine, from the snmp
> script it fails with: "runcon: invalid context:
> root:system_r:unconfined_t:s0-s0:c0.c1023: Permission denied"
>
> Is there any way to run /usr/sbin/hpacucli as unconfined_t from snmpd or
> somehow disable SELinux for just that one program?
>
> Thanks!
>
> Michael
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Can you attach the original AVC messages that you got after setting the context to bin_t?