Re: /etc/initscript breaks SELinux

On 05/03/2010 09:31 AM, Stephen Smalley wrote:
On Sun, 2010-05-02 at 21:54 -0700, Justin Mattock wrote:
I've been racking my brain for the last few days on
this one, and seem (for the life of me) to have no solution.

at first I thought this was opensuse specific, but it's not,
e.g. my cblfs systems hit this as well (if not all systems at that).

when adding /etc/initscript somehow SELinux can't figure how to
transition with the whole SHELL -c thing.

under init.c #800 (sysvinit-2.85)
the code is this:

	/* See if there is an "initscript" (except in single user mode). */
	if (access(INITSCRIPT, R_OK) == 0 && runlevel != 'S') {
		/* Build command line using "initscript" */
		args[1] = SHELL;
		args[2] = INITSCRIPT;
		args[3] = ch->id;
		args[4] = ch->rlevel;
		args[5] = "unknown";
		for (f = 0; actions[f].name; f++) {
			if (ch->action == actions[f].act) {
				args[5] = actions[f].name;
				break;
			}
		}


any ideas why SELinux gets confused with this, and
doesn't want to transition?

In the above code, you are exec'ing the shell and just passing the
script as an argument, not exec'ing the script.  So you need a domain
transition on the shell rather than the script, or you need to perform a
setexeccon() in the code.


Thanks for the info on this..

I'll have a look at seeing how to do this
(I enjoy the challenge).

As an example of setexeccon() I was looking
at the sulogin.c patch for SELinux, but still
need to figure out how to actually do this.

Justin P. Mattock
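As an added illustration of the second option Stephen describes (it is not sysvinit's code or the sulogin patch): in the forked child, before exec'ing the shell, ask the policy which domain a direct exec of /etc/initscript would produce and request that domain for the next execve() with libselinux's setexeccon(). The SHELL path, the argv values and the WITH_SELINUX build flag are assumptions for the example.

```c
/* Added example (not sysvinit code): pick the SELinux domain for
 * "SHELL /etc/initscript ..." before init's child calls exec.
 * Build with -DWITH_SELINUX -lselinux to enable the libselinux path. */
#include <stdio.h>
#include <unistd.h>
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
#endif
#define SHELL      "/bin/sh"            /* placeholder for init's SHELL */
#define INITSCRIPT "/etc/initscript"

/* Ask the policy which domain this process would enter by exec'ing `script`
 * directly, then request that domain for the *next* execve(), i.e. the shell.
 * Call in the child, after fork() and before exec.  Returns 0 on success or
 * when SELinux is not active, -1 with errno set on failure. */
static int set_initscript_exec_context(const char *script)
{
#ifdef WITH_SELINUX
    char *curcon = NULL, *filecon = NULL, *newcon = NULL;
    security_class_t tclass;
    int rc = -1;
    if (is_selinux_enabled() <= 0)
        return 0;
    if (getcon(&curcon) < 0 || getfilecon(script, &filecon) < 0)
        goto out;
    tclass = string_to_security_class("process");
    if (tclass == 0 ||
        security_compute_create(curcon, filecon, tclass, &newcon) < 0)
        goto out;
    /* The policy must also let the computed domain use the shell's file type
     * as an entrypoint, or the kernel will deny the exec. */
    rc = setexeccon(newcon);
out:
    freecon(curcon); freecon(filecon); freecon(newcon);  /* NULL is safe */
    return rc;
#else
    (void)script;
    return 0;                           /* built without SELinux support */
#endif
}

int main(void)
{
    /* Constructed argv mirroring init.c; real values come from inittab. */
    char *args[] = { "sh", INITSCRIPT, "id", "3", "respawn", NULL };
    if (set_initscript_exec_context(INITSCRIPT) < 0)
        perror("setexeccon");           /* log, but still run the script */
    execv(SHELL, args);
    perror(SHELL);
    return 1;
}
```

If the policy defines no transition for the script's file type, security_compute_create() returns the caller's own context and the shell simply stays in init's domain, which is what the original report observes.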

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
