Christian Göttsche wrote:
> The following statements should be redundant by using init_daemon_domain():
> allow init_t gateway_exec_t : file { read getattr execute open } ;
> allow init_t gateway_t : process { transition siginh } ;
> type_transition init_t gateway_exec_t : process gateway_t;
>
> The fact that the domain transition is not triggering means either the
> subject process is not labeled init_t or the entry point is not
> labeled gateway_exec_t; search for avc messages regarding the
> permission execute_no_trans.
>
>
> [1]: https://github.com/SELinuxProject/refpolicy/blob/8e8f5e3ca3e5900cad126cb8b4fadaa8adb8caac/policy/modules/system/init.if#L343-L348
>

I've spent quite a bit of time trying to recreate the situation, to no avail. I think it might be conflicts with systemd and kernel security features, as I just ran into this not starting for another service yesterday with nnp, and sesearch indeed contained the "allow init_t proxy_t:process2 { nnp_transition nosuid_transition };"

Completely uninstalling the policy and reinstalling fixed it (which is how it was updated). I definitely missed something.

Thank you for all the help.

- John
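
A triage sketch for the checks discussed in this thread, added here as an example and not code from either poster or from refpolicy: it scans AVC denials for `execute_no_trans`, `nnp_transition` and `nosuid_transition` and reports the source and target types involved. The log lines (paths, pids, timestamps) are constructed, and the function names are assumptions.

```python
import re

# Constructed sample audit records (not from the thread); pids, paths,
# inode numbers and timestamps are made up for illustration.
SAMPLE_LOG = """\
type=AVC msg=audit(1600000000.101:201): avc:  denied  { execute_no_trans } for  pid=811 comm="(gateway)" path="/usr/bin/gateway" dev="sda1" ino=4242 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:gateway_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1600000001.202:202): avc:  denied  { nnp_transition } for  pid=812 comm="(proxy)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:proxy_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(1600000002.303:203): avc:  denied  { read } for  pid=900 comm="cat" name="shadow" dev="sda1" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions that point at a domain transition that did not happen.
HINTS = {
    "execute_no_trans": "exec stayed in the caller's domain: check the caller's "
                        "label, the entry point label and the type_transition rule",
    "nnp_transition": "transition blocked under no_new_privs: check for an "
                      "allow rule on class process2",
    "nosuid_transition": "transition blocked on a nosuid mount: check for an "
                         "allow rule on class process2",
}


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def triage(log_text):
    """Return (permission, source type, target type, class) per relevant denial."""
    findings = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m["perms"].split():
            if perm in HINTS:
                findings.append((perm, selinux_type(m["scon"]),
                                 selinux_type(m["tcon"]), m["tclass"]))
    return findings


if __name__ == "__main__":
    for perm, src, dst, tclass in triage(SAMPLE_LOG):
        print(f"{src} -> {dst} ({tclass}) {perm}: {HINTS[perm]}")
```
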