On Tue, Apr 7, 2020 at 12:19 PM Joe Nall <joe@xxxxxxxx> wrote:
>
> When a shell script "fu" is run in a type and has its own _exec_t
>
> ls -Z fu
> -rwxr-xr-x. root root system_u:object_r:futype_exec_t:SystemLow fu
>
> should futype_t require
>
> allow futype_t shell_exec_t:file execute;
>
> to exec the shell?
>
> I ask because we seem to be seeing different results on this question between RHEL 7.7 and 7.8 and we could not decide what was actually correct.

Logically, execute should be required here (but not entrypoint). The precise behavior may vary depending on changes to the kernel exec logic outside of SELinux itself, e.g. see
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9f834ec18defc369d73ccf9e87a2790bfa05bf46
https://lore.kernel.org/selinux/8aaae08c-8fde-45e6-82d6-e75183aa74d2@xxxxxxxxxxxxx/
although those were with respect to the ELF interpreter rather than the shell interpreter.
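As an added illustration (not policy from the thread or from any distribution), the rules the answer implies for the script domain, written as a reference-policy style module; the caller domain `caller_t` and the module name are assumed for the example:

```te
policy_module(futype, 1.0)

# Added example, not from the thread. caller_t is an assumed domain that
# launches the script; shell_exec_t is the type of /bin/sh in refpolicy.
require {
    type caller_t;
    type shell_exec_t;
}

type futype_t;
type futype_exec_t;
domain_type(futype_t)

# The script file itself is the entry point into futype_t: this grants
# futype_t entrypoint on futype_exec_t (and execute on it).
domain_entry_file(futype_t, futype_exec_t)

# caller_t runs the script and transitions into futype_t.
domain_auto_trans(caller_t, futype_exec_t, futype_t)

# The #! interpreter is exec'd as part of the same exec, so futype_t needs
# execute on the shell but NOT entrypoint on it (the script, not the shell,
# is the entry point). read/open/execute_no_trans are what a domain needs
# in practice to map and run the shell without transitioning to its domain;
# refpolicy's corecmd_exec_shell(futype_t) interface expresses the same grant.
allow futype_t shell_exec_t:file { read open execute execute_no_trans };
```

Checking an installed policy for the rule the question asks about can be done with `sesearch -A -s futype_t -t shell_exec_t -c file -p execute`, which prints nothing when the permission is missing.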