Ah OK, nosuid was the answer. I did read this somewhere, but it fell out of mind.

Thank you.

On 12/18/13, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 12/18/2013 04:53 PM, Jay Corrales wrote:
>> On 12/18/13, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>>> On 12/18/2013 10:32 AM, Jay Corrales wrote:
>>>> Folks,
>>>>
>>>> We think we've run into a bug with rhel5. Could be that the policy
>>>> database contains corruption, or contains some data structures that
>>>> lead to buggy results (e.g. AVC execute_no_trans). Is there a way to
>>>> see additional debug info in the LSM during run time? I've tried adding
>>>> "debug" to the boot time kernel parameters, but it does not add any new
>>>> logging or reporting info for selinux.
>>>
>>> More likely just a bug in your policy. I can't really tell though as
>>> you haven't shown an AVC that corresponds to the policy that you listed.
>>
>> We restored an image of our previous build and ran the policy. There
>> was no perm denied error. It ran perfectly. The difference in builds
>> represents an installer media and updated policies, leading me to
>> believe there is something fundamentally wrong with the installer
>> media producing a corrupted policy database.
>>
>> Is there a way to know why it is reporting an AVC for
>> execute_no_trans? The audit.log does not show enough info for this. We
>> were hoping for some way to look at the LSM, other than running an
>> embedded kernel and attaching gdb.
>
> nosuid mount would suppress the transition.
>
> Or maybe you don't have the type_transition rule in your policy at all?
>

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
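Added example, not part of the original thread: one way to check the nosuid explanation is to take each execute_no_trans denial from audit.log and look up whether the denied path sits on a nosuid mount. The mount table, the AVC records, and all paths and type names below are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed /proc/mounts content (sample data, not from the thread).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /opt ext3 rw,nosuid,nodev 0 0
/dev/sda5 /opt/app ext3 rw 0 0
"""

# Constructed audit.log records in AVC format (sample data).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1387400000.123:456): avc:  denied  { execute_no_trans } for  pid=2101 comm="launcher" path="/opt/vendor/agent" dev=sda3 ino=1234 scontext=system_u:system_r:launcher_t:s0 tcontext=system_u:object_r:agent_exec_t:s0 tclass=file
type=AVC msg=audit(1387400002.456:458): avc:  denied  { execute_no_trans } for  pid=2107 comm="launcher" path="/opt/app/tool" dev=sda5 ino=77 scontext=system_u:system_r:launcher_t:s0 tcontext=system_u:object_r:tool_exec_t:s0 tclass=file
type=AVC msg=audit(1387400003.789:459): avc:  denied  { read } for  pid=2110 comm="cat" path="/opt/vendor/cfg" dev=sda3 ino=1300 scontext=system_u:system_r:launcher_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

def parse_mounts(text):
    """[(mountpoint, options)] in mount order; octal escapes such as \\040 decoded."""
    unesc = lambda s: re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)
    rows = (line.split() for line in text.splitlines())
    return [(unesc(f[1]), set(f[3].split(","))) for f in rows if len(f) >= 4]

def mount_for(path, mounts):
    """Longest mountpoint containing path; a later entry wins a tie."""
    best = None
    for mnt, opts in mounts:
        inside = mnt == "/" or path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and (best is None or len(mnt) >= len(best[0])):
            best = (mnt, opts)
    return best

def nosuid_denials(audit_text, mounts_text):
    """(path, mountpoint, on_nosuid) for each execute_no_trans denial."""
    mounts = parse_mounts(mounts_text)
    out = []
    for line in audit_text.splitlines():
        if not re.search(r"denied\s+\{[^}]*\bexecute_no_trans\b[^}]*\}", line):
            continue
        m = re.search(r'\bpath="([^"]+)"', line)
        hit = mount_for(m.group(1), mounts) if m else None
        if hit:
            out.append((m.group(1), hit[0], "nosuid" in hit[1]))
    return out

if __name__ == "__main__":
    for path, mnt, nosuid in nosuid_denials(SAMPLE_AUDIT, SAMPLE_MOUNTS):
        print(path, "on", mnt, "-> nosuid" if nosuid else "-> check type_transition rule")
```

On a live system the same functions can be fed the contents of /proc/mounts and audit.log in place of the sample strings.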