Re: Running hpacucli from snmpd blocked by SElinux

Sorry for the top posting.

If you want to disable SELinux only for a specific domain, you can define
it as a permissive domain in recent distros. Or, in an old distro, set
the SELinux boolean to not do the SELinux domain transition. As an
example, the first solution could be applied in RHEL6, the second in
RHEL5.

Best


2013/4/12, Michael Ludvig <mludvig@xxxxxxxxxxxx>:
> Hi
>
> I've got a RHEL6 server with the targeted SELinux enabled. I'm running a
> script /usr/local/sbin/check-hp-smartarray.pl from snmpd. The script
> executes and tries to invoke /usr/sbin/hpacucli and that's where the
> problems begin.
>
> First of all /usr/sbin/hpacucli runs /opt/compaq/hpacucli/bld/.hpacucli
> - that failed because the context of the file was
> system_u:object_r:usr_t:s0 - I changed that to bin_t and got a bit
> further. Now hpacucli fails because it can't write some temporary files.
> Probably because it runs under snmpd_t that isn't allowed to write there.
>
> I don't want to turn off SELinux completely and I don't really agree
> with the solutions suggested by audit2allow (essentially it lets snmpd_t
> execute everything and write everywhere).
>
> I tried "sudo /usr/sbin/hpacucli" with this sudoers line:
>
> root ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r NOPASSWD: ALL
>
> but when that is run from snmpd it fails with "sudo: unable to open
> audit system: Permission denied"
>
> Then I tried "runcon root:system_r:unconfined_t:s0-s0:c0.c1023
> /usr/bin/hpacucli" and although from the shell it runs fine, from the snmp
> script it fails with:
> "runcon: invalid context: root:system_r:unconfined_t:s0-s0:c0.c1023:
> Permission denied"
>
> Is there any way to run /usr/sbin/hpacucli as unconfined_t from snmpd or
> somehow disable selinux for just that one program?
>
> Thanks!
>
> Michael
>
>
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-- 
Sent from my mobile device
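
An added example, not part of either message in this thread: the permissive-domain approach the reply suggests for RHEL 6, applied to snmpd_t only, followed by a summary of what that domain is logged as being denied, so a narrower policy than the audit2allow output can be written. The function names and the AVC sample records are constructed for illustration, and the tmp_t target type in them is an assumption.

```shell
#!/bin/bash
# Added example (not from the thread). Assumes RHEL 6 with semanage
# (policycoreutils-python) and auditd; run the semanage helpers as root.

# Make only snmpd_t permissive; every other domain stays enforcing.
make_snmpd_permissive() {
    semanage permissive -a snmpd_t && semanage permissive -l
}

# Return snmpd_t to enforcing once a narrower policy is in place.
revert_snmpd_permissive() {
    semanage permissive -d snmpd_t
}

# Constructed AVC records (tmp_t target, pids and ids are assumptions).
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1365750001.101:501): avc:  denied  { write } for  pid=4242 comm=".hpacucli" name="tmp" dev=dm-0 ino=131 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1365750001.102:502): avc:  denied  { write } for  pid=4242 comm=".hpacucli" name="tmp" dev=dm-0 ino=131 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1365750001.103:503): avc:  denied  { create } for  pid=4242 comm=".hpacucli" name="x.lock" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1365750002.200:504): avc:  denied  { read } for  pid=900 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
EOF
}

# Read AVC records on stdin and print, for one source domain (default
# snmpd_t), "count comm target_type:class { perms }" per distinct access.
summarize_avc() {
    awk -v dom="${1:-snmpd_t}" '
    / avc: / && /denied/ {
        perms = comm = st = tt = cls = ""
        if (match($0, /\{[^}]*\}/)) perms = substr($0, RSTART, RLENGTH)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; gsub(/comm=|"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (st == dom) seen[comm " " tt ":" cls " " perms]++
    }
    END { for (k in seen) print seen[k], k }' | LC_ALL=C sort -k2
}

# Real logs: ausearch -m avc -ts recent | summarize_avc
```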