Re: AVC denials for custom service after upgrading to F24

On 06/20/2016 09:24 PM, Juan Orti Alcaine wrote:
> 2016-06-20 17:43 GMT+02:00 Jeremy Young <jrm16020@xxxxxxxxx>:
>> execute_no_trans is a permission which allows for execution of a file
>> without performing any transitions, executing it in the caller's domain
>> instead.  Adding that permission with a custom module should be ok.
>> audit2allow is one way to generate that module.
>>
>> I think I'd still go with the first option I offered and set the SELinux
>> context for your script in your unit file.
> 
> I've discovered what happens here.
> Looks like the NoNewPrivileges=true is blocking the domain transition.
> After removing that directive, the service works as expected.

Yes, it has been added to ensure that the service process and all its
children can never gain new privileges. The problem is we don't have it
working with SELinux Policy and we need to fix it.

I am working on that. This is really a good catch.

Thank you.

> 
> This behavior is something new, as it worked in F23. Don't know if
> it's intended or not.
> 
> Thanks for your help.
> 


-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
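The failure described in this thread can be recognised from two artifacts: the unit file carries NoNewPrivileges=true, and the AVC denial on the ExecStart= target asks for execute_no_trans from the caller's domain (init_t) rather than from the domain the policy would normally transition to. The script below, added here as an illustration and not code from the thread, Fedora or systemd, parses both and prints the two remedies visible in the thread: drop NoNewPrivileges= so the policy transition applies again, or allow execute_no_trans so the script runs untransitioned in the caller's domain. The unit text and the AVC line are constructed, and the type names my_script_exec_t and my_script_t, the path and the pid are hypothetical.

```python
"""Triage helper for "NoNewPrivileges=true blocks an SELinux domain transition".

Added example; the unit text and AVC record below are constructed and the
type names (my_script_exec_t) are hypothetical.
"""
import re

# Constructed unit file in the shape systemd reads; service and path are hypothetical.
SAMPLE_UNIT = """\
[Unit]
Description=Custom service (constructed example)

[Service]
Type=simple
ExecStart=/usr/local/bin/my_script.sh
NoNewPrivileges=true
"""

# Constructed AVC record in the shape auditd logs it (the type names are hypothetical).
SAMPLE_AVC = (
    'type=AVC msg=audit(1466445600.123:456): avc:  denied  { execute_no_trans } '
    'for  pid=1234 comm="(my_scri)" path="/usr/local/bin/my_script.sh" dev="dm-0" '
    'ino=42 scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:my_script_exec_t:s0 tclass=file permissive=0'
)

TRUE_VALUES = {"1", "yes", "true", "on"}  # boolean spellings systemd accepts


def parse_unit(text):
    """Parse an INI-style unit into {section: {key: [values...]}}; repeated keys keep order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        current.setdefault(key, []).append(value)
    return sections


def parse_avc(line):
    """Extract permissions, source/target types, class and path from one AVC denial record."""
    perms = re.search(r"denied\s+\{([^}]*)\}", line)
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    if not perms or not {"scontext", "tcontext", "tclass"} <= set(fields):
        raise ValueError("not an AVC denial record")
    return {
        "perms": perms.group(1).split(),
        "stype": fields["scontext"].split(":")[2],  # user:role:type[:level]
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "path": fields.get("path", "").strip('"'),
    }


def nnp_enabled(unit):
    """True if [Service] sets NoNewPrivileges= to a true value (last assignment wins, as in systemd)."""
    values = unit.get("Service", {}).get("NoNewPrivileges", [])
    return bool(values) and values[-1].lower() in TRUE_VALUES


def exec_path(unit):
    """First word of the last ExecStart=, with systemd's prefix characters (-, @, +, !, :) removed."""
    values = unit.get("Service", {}).get("ExecStart", [])
    words = values[-1].split() if values else []
    return words[0].lstrip("-@+!:") if words else ""


def diagnose(unit_text, avc_line):
    """NNP set plus an execute_no_trans denial on the exec target, requested from the caller's
    domain, is the thread's symptom: the policy's transition was suppressed at exec time."""
    unit, avc = parse_unit(unit_text), parse_avc(avc_line)
    nnp = nnp_enabled(unit)
    blocked = nnp and "execute_no_trans" in avc["perms"] and avc["tclass"] == "file"
    return {
        "nnp": nnp,
        "caller_domain": avc["stype"],
        "exec_type": avc["ttype"],
        "exec_matches": bool(avc["path"]) and avc["path"] == exec_path(unit),
        "blocked_transition": blocked,
    }


def allow_rule(avc):
    """The rule audit2allow would derive from this one denial: the script then runs in the
    caller's domain (init_t here) with no transition, which is the less confined option."""
    return "allow %s %s:%s { %s };" % (
        avc["stype"], avc["ttype"], avc["tclass"], " ".join(avc["perms"]))


def drop_nnp(unit_text):
    """The remedy the reporter chose: remove NoNewPrivileges= so the transition applies again."""
    kept = [l for l in unit_text.splitlines() if not re.match(r"\s*NoNewPrivileges\s*=", l)]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    report = diagnose(SAMPLE_UNIT, SAMPLE_AVC)
    print(report)
    if report["blocked_transition"]:
        print("Remedy 1, keep the transition (drop NoNewPrivileges=):")
        print(drop_nnp(SAMPLE_UNIT))
        print("Remedy 2, run in the caller's domain (custom module):")
        print(allow_rule(parse_avc(SAMPLE_AVC)))
```

Neither remedy is free: removing NoNewPrivileges= gives up the guarantee that the service and its children can never gain privileges, while the allow rule keeps that guarantee but leaves the script running in init_t, a far broader domain than a dedicated one, so the rule should be scoped to exactly the types in the denial. Two later developments are worth knowing when reading this thread today: newer systemd releases have sandboxing options (SystemCallFilter=, ProtectKernelTunables= and others) that imply NoNewPrivileges=yes, so the symptom can appear without the directive being spelled out, and later kernels and policies added an nnp_transition permission (class process2) so that a transition under no_new_privs can be allowed explicitly instead of being suppressed.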