
I have an RHEL 5.5 server with SELinux installed in strict mode. The system is currently in permissive mode. I am trying to write a simple shell script, say setest.sh, and want to run it explicitly from the bash terminal.

In permissive mode I am able to do so, but it is logged as denied in the audit logs:

Sep  6 12:49:58 rhel-vm-003 kern 5 kernel: type=1400 audit(1315293598.916:45417): 
avc:  denied  { execute_no_trans } for  pid=26602 comm="bash" path="/var/tmp/setest.sh"
dev=sda1 ino=1017036 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:test_policy_exec_t:s0 tclass=file

This obviously means that I will not be able to run the script from the bash console once I switch SELinux to enforcing mode. What allow/domain transition rule should I add in my policy modules so that this can work when SELinux is enforced?

Regards,
Nagendra U M


1 Answer

When I run a web search on 'test_policy_exec_t', the only hit I get is this thread, so I presume it's a custom context that you've created. Just change the context to something normal and you'll be able to run the scripts.

On my RHEL 5 server with default sepolicy, the following generates nothing in the audit log.

 $ echo -e '#!/bin/sh\necho Hi!' > /var/tmp/setest.sh
 $ ls -Z /var/tmp/setest.sh
 -rw-r--r--  polgar users user_u:object_r:tmp_t            /var/tmp/setest.sh
 $ /var/tmp/setest.sh
 Hi!
nortally
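
The denial quoted in the question already names everything a type-enforcement rule needs: source type, target type, object class and permission. The following is an added example, not part of the original posts; it parses that record and derives the corresponding `allow` rule, the same mapping `audit2allow` performs. The function names are hypothetical and the sample line is the question's log entry joined onto one line.

```python
import re

# The denial from the question, joined onto one line (the page wraps it).
SAMPLE_AVC = (
    'type=1400 audit(1315293598.916:45417): avc:  denied  { execute_no_trans } '
    'for  pid=26602 comm="bash" path="/var/tmp/setest.sh" dev=sda1 ino=1017036 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:test_policy_exec_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    fields['perms'] = m.group(1).split()
    return fields


def context_type(context):
    """Extract the type from user:role:type[:mls-range]; the range may contain ':'."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('not an SELinux context: %r' % context)
    return parts[2]


def allow_rule(line):
    """Build the type-enforcement rule that would permit the denied access."""
    avc = parse_avc(line)
    if avc is None:
        return None
    for key in ('scontext', 'tcontext', 'tclass'):
        if key not in avc:
            raise ValueError('AVC record is missing %s' % key)
    perms = avc['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (
        context_type(avc['scontext']), context_type(avc['tcontext']),
        avc['tclass'], perm_text)


if __name__ == '__main__':
    print(allow_rule(SAMPLE_AVC))
```

The derived rule grants the permission to everything running in the source domain, here `sshd_t`, so review it against the relabeling approach in the answer before loading it into a policy module.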