Folks,
We think we've run into a bug with rhel5. Could be that the policy database contains corruption, or contains some data structures that lead to buggy results (e.g. AVC execute_no_trans). Is there a way to see additional debug info in the LSM during run time? I've tried adding "debug" to the boot time kernel parameters, but it does not add any new logging or reporting info for selinux.
Thanks
On Tue, Dec 17, 2013 at 2:51 PM, Jay Corrales <jscorrales1122@xxxxxxxxx> wrote:
lx_apps_script_exec_t is how it is in the lab. awips_exec_t is the reduced example posted.
On Tue, Dec 17, 2013 at 10:15 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On 12/17/2013 01:03 PM, Jay Corrales wrote:
> I don't understand how to correlate this to the policy you listed.
> type=AVC msg=audit(1387301151.195:82549): avc: denied { execute_no_trans }
> for pid=24492 comm="bash" path="/awips/fxa/bin/test.sh" dev=sda2 ino=800003
> scontext=user_u:user_r:user_t:s0
> tcontext=system_u:object_r:lx_apps_script_exec_t:s0 tclass=file
The tcontext above has the script labeled with lx_apps_script_exec_t,
while your policy had it as awips_exec_t.
Also, as a side note, domain transition on a shell script is
fundamentally unsafe unless the caller is strictly more trusted than the
callee. Only suitable when the caller is trusted. Use a binary
executable for any situation where the caller is untrusted.
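An added example (not code from this thread) that applies the point above mechanically: it parses the AVC denial quoted earlier and checks whether the file's type is the one the policy's transition rule names, so a relabelling problem can be told apart from a missing transition rule. The path-to-type mapping and the second sample line are assumptions constructed for the example.

```python
import re

# Constructed samples: the denial quoted in this thread, plus a variant where the
# script carries the type the policy expected, so both branches below are exercised.
AVC_LINES = [
    'type=AVC msg=audit(1387301151.195:82549): avc: denied { execute_no_trans } '
    'for pid=24492 comm="bash" path="/awips/fxa/bin/test.sh" dev=sda2 ino=800003 '
    'scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:lx_apps_script_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1387301200.000:82550): avc: denied { execute_no_trans } '
    'for pid=24493 comm="bash" path="/awips/fxa/bin/test.sh" dev=sda2 ino=800003 '
    'scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:awips_exec_t:s0 tclass=file',
]
# Assumed: path prefix -> file type the policy's transition rule names (awips_exec_t here).
EXPECTED_EXEC_TYPE = {"/awips/fxa/bin/": "awips_exec_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """Third field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial into perms, path, tclass and source/target types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {"perms": m.group("perms").split(), "path": f.get("path", ""),
            "tclass": f.get("tclass", ""), "source_type": context_type(f["scontext"]),
            "target_type": context_type(f["tcontext"])}

def diagnose(rec):
    """Classify an execute_no_trans denial on a file.
    label_mismatch: the file's type is not the one the transition rule names, so the
      rule never applied; fix the file context (restorecon/fcontext), not the policy.
    no_transition_rule: the label is as expected, so the policy has no (allowed) domain
      transition from source_type on this type and the kernel checked execute_no_trans.
    """
    if "execute_no_trans" not in rec["perms"] or rec["tclass"] != "file":
        return ("other", None)
    expected = next((t for p, t in EXPECTED_EXEC_TYPE.items() if rec["path"].startswith(p)), None)
    if expected and expected != rec["target_type"]:
        return ("label_mismatch", expected)
    return ("no_transition_rule", rec["target_type"])

if __name__ == "__main__":
    for line in AVC_LINES:
        rec = parse_avc(line)
        print(rec["source_type"], "->", rec["target_type"], diagnose(rec))
```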
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.