How to start up an unconfined service

Daniel J Walsh dwalsh at
Mon Apr 3 18:31:33 UTC 2006

Orion Poplawski wrote:
> Daniel J Walsh wrote:
>> Orion Poplawski wrote:
>>> I'm running SGE (Sun Grid Engine) and the daemon is now starting up 
>>> in the initrc_t domain.  I really need it to be unconfined (I 
>>> believe) as it can really do just about anything.  How can I do this?
>> In targeted policy initrc_t is unconfined.  I believe you could also 
>> chcon -t unconfined_exec_t DAEMONPATH
>> to get the transition
> Okay, so the problem is with execmod then:
> audit(1144077767.717:1841): avc:  denied  { execmod } for  pid=30457 
> comm="lt-testhdf5" name="" dev=hda3 ino=2913756 
> scontext=user_u:system_r:unconfined_t:s0 
> tcontext=user_u:object_r:user_home_t:s0 tclass=file
> and:
> audit(1144077181.455:932): avc:  denied  { execmod } for  pid=27638 
> comm="lt-testhdf5" name="" dev=dm-2 ino=6300972 
> scontext=system_u:system_r:initrc_t:s0 
> tcontext=system_u:object_r:default_t:s0 tclass=file
> I'm trying to build HDF5-1.7.52 and this is happening during the 
> make-check phase.  The first is doing an rpmbuild as a normal user.  
> The second is with mock started by SGE.
You can turn off this check by setting allow_execmod boolean.

setsebool -P allow_execmod=1

Or you can label these files with textrel_shlib_t

chcon -t textrel_shlib_t

More information about the fedora-selinux-list mailing list