On 12/18/2013 04:46 PM, Jay Corrales wrote:
> ls -Z shows system_u:object_r:awips_exec_t. If execute_no_trans allow
> is added, it does not run in the awips_exec_t domain, but in user_t.

Um, what is the file mode, i.e. is it executable?

>
> On 12/18/13, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>> On 12/17/2013 11:23 AM, Jay Corrales wrote:
>>> Folks,
>>>
>>> We're running RedHat Enterprise Linux 5 (rhel5) with selinux strict and
>>> enforcing mode, and finding that something in our configuration prevents
>>> a simple shell script from domain transitioning from user_t to awips_t
>>> context. If we run a test virtual machine with a new install of rhel5, it
>>> does run OK, but something in our current configuration prevents this
>>> result. Wondering if it makes sense to run a tool like apol to find any
>>> clues as to why? The audit log (/var/log/audit/audit.log) shows an AVC
>>> requiring execute_no_trans for user_t (not listed here).
>>
>> Here you say you have a execute_no_trans denial.
>>
>>> [root@localhost ~]# sesearch -a -s user_t -t awips_exec_t -c file -p
>>> execute
>>
>> Here you search for execute permission.
>>
>> They are different.
>>
>> Also, what does ls -Z show for the script?
>>
>

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
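The difference between execute and execute_no_trans discussed in this thread, as an added example that is not part of the original messages: a small Python checker that reads sesearch-style rule text and reports which domain an exec ends up in and which transition rules are still missing. The policy text is constructed for illustration, and `exec_outcome` and `parse` are hypothetical helper names; role authorization and file mode are not modelled.

```python
import re

# Constructed sample policy text (sesearch-style), not the poster's real policy.
SAMPLE_POLICY = """
allow user_t awips_exec_t : file { read getattr execute execute_no_trans };
allow awips_t awips_exec_t : file { read getattr execute entrypoint };
allow user_t awips_t : process transition;
"""
ALLOW = re.compile(r"^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;", re.M)
TTRANS = re.compile(r"^\s*type_transition\s+(\S+)\s+(\S+)\s*:\s*process\s+(\S+?)\s*;", re.M)

def parse(text):
    """Collect (source, target, class, perm) allow tuples and process type_transitions."""
    allows, trans = set(), {}
    for src, tgt, cls, many, one in ALLOW.findall(text):
        allows.update((src, tgt, cls, p) for p in (many or one).split())
    for src, tgt, new in TTRANS.findall(text):
        trans[(src, tgt)] = new
    return allows, trans

def exec_outcome(text, source, exec_type, target):
    """Return (domain the program ends up in, or None if denied; rules still missing)."""
    allows, trans = parse(text)
    want = f"type_transition {source} {exec_type} : process {target};"
    if (source, exec_type, "file", "execute") not in allows:
        return None, [f"allow {source} {exec_type} : file execute;"]
    new = trans.get((source, exec_type), source)
    if new == source:
        # No transition is computed, so execute_no_trans is the permission checked.
        ok = (source, exec_type, "file", "execute_no_trans") in allows
        return (source if ok else None), [want]
    missing = []
    if (source, new, "process", "transition") not in allows:
        missing.append(f"allow {source} {new} : process transition;")
    if (new, exec_type, "file", "entrypoint") not in allows:
        missing.append(f"allow {new} {exec_type} : file entrypoint;")
    return (None if missing else new), missing

if __name__ == "__main__":
    print(exec_outcome(SAMPLE_POLICY, "user_t", "awips_exec_t", "awips_t"))
```

With the constructed policy above, the script runs but stays in user_t, because allowing execute_no_trans only permits execution without a domain change; the automatic transition needs the type_transition rule in addition to the execute, transition and entrypoint allows.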