SELinux: Allow a bash script to run in Strict mode
I have an RHEL 5.5 server with SELinux installed in strict mode. The system is in permissive mode currently. I am trying to write a simple shell script, say setest.sh, and want to run it explicitly from the bash terminal.
In permissive mode I am able to do so, but it is logged as denied in the audit logs:
Sep 6 12:49:58 rhel-vm-003 kern 5 kernel: type=1400 audit(1315293598.916:45417):
avc: denied { execute_no_trans } for pid=26602 comm="bash" path="/var/tmp/setest.sh"
dev=sda1 ino=1017036 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:test_policy_exec_t:s0 tclass=file
This obviously means that I will not be able to run the script from the bash console once I switch SELinux to enforcing mode. What allow/domain transition rule should I add in my policy modules so that this can work when SELinux is enforced?
Regards,
Nagendra U M

When I run a web search on 'test_policy_exec_t', the only hit I get is this thread, so I presume it's a custom context that you've created. Just change the context to something normal and you'll be able to run the scripts.
On my RHEL 5 server with default sepolicy, the following generates nothing in the audit log.
$ echo -e '#!/bin/sh\necho Hi!' > /var/tmp/setest.sh
$ ls -Z /var/tmp/setest.sh
-rw-r--r-- polgar users user_u:object_r:tmp_t /var/tmp/setest.sh
$ /var/tmp/setest.sh
Hi!
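For readers who do want to answer the original question (which allow rule the denial corresponds to), here is an added example that is not part of this thread. It parses AVC denial lines of the form quoted in the question and emits the minimal policy-module source that audit2allow would derive from them: the source domain comes from the third field of scontext, the target type from the third field of tcontext, and the permissions from the braces. The sample lines are constructed; the module name local_setest is an assumption. Note that granting execute_no_trans alone typically surfaces further denials (read, open) on the next run, and that, as the answer above says, relabelling the script to a type the domain already executes is usually the cleaner fix than widening the policy.

```python
import re

# Constructed AVC lines modelled on the denial quoted in the question.
SAMPLE_AVC = (
    'type=1400 audit(1315293598.916:45417): avc: denied { execute_no_trans } '
    'for pid=26602 comm="bash" path="/var/tmp/setest.sh" dev=sda1 ino=1017036 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:test_policy_exec_t:s0 tclass=file'
)
# A second constructed denial of the kind that often follows once execute_no_trans is allowed.
SAMPLE_AVC_READ = (
    'type=1400 audit(1315293600.001:45418): avc: denied { read open } '
    'for pid=26602 comm="bash" path="/var/tmp/setest.sh" dev=sda1 ino=1017036 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:test_policy_exec_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Extract permissions, source domain, target type and object class from one AVC line.

    Returns None for lines that are not AVC denials.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': m.group('perms').split(),
        # A context is user:role:type[:range]; the type is always the third field.
        'sdomain': m.group('scontext').split(':')[2],
        'ttype': m.group('tcontext').split(':')[2],
        'tclass': m.group('tclass'),
    }


def allow_rule(d):
    """Render one parsed denial as a policy-language allow rule."""
    perms = sorted(d['perms'])
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {d['sdomain']} {d['ttype']}:{d['tclass']} {perm_str};"


def policy_module(name, lines):
    """Build minimal .te source from AVC lines, merging permissions per
    (source domain, target type, class) the way audit2allow does."""
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue  # skip non-AVC log lines
        key = (d['sdomain'], d['ttype'], d['tclass'])
        merged.setdefault(key, set()).update(d['perms'])

    # The require block must declare every type and every class/permission used.
    types = sorted({k[0] for k in merged} | {k[1] for k in merged})
    classes = {}
    for (_, _, cls), perms in merged.items():
        classes.setdefault(cls, set()).update(perms)

    out = [f"policy_module({name}, 1.0)", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (sdomain, ttype, tclass), perms in sorted(merged.items()):
        out.append(allow_rule({'sdomain': sdomain, 'ttype': ttype,
                               'tclass': tclass, 'perms': perms}))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(policy_module("local_setest", [SAMPLE_AVC, SAMPLE_AVC_READ]))
```

The generated source would be compiled with checkmodule/semodule_package and loaded with semodule in the usual way; before doing so, compare the rule against what the file's label should be, since a denial for a custom type like test_policy_exec_t more often indicates a mislabelled file than a missing rule.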