How to start up an unconfined service

Daniel J Walsh dwalsh at redhat.com
Mon Apr 3 18:31:33 UTC 2006


Orion Poplawski wrote:
> Daniel J Walsh wrote:
>> Orion Poplawski wrote:
>>> I'm running SGE (Sun Grid Engine) and the daemon is now starting up 
>>> in the initrc_t domain.  I really need it to be unconfined (I 
>>> believe) as it can really do just about anything.  How can I do this?
>>>
>> In targeted policy initrc_t is unconfined.  I believe you could also 
>> chcon -t unconfined_exec_t DAEMONPATH
>> to get the transition
>
> Okay, so the problem is with execmod then:
>
> audit(1144077767.717:1841): avc:  denied  { execmod } for  pid=30457 
> comm="lt-testhdf5" name="libhdf5.so.1.2.1" dev=hda3 ino=2913756 
> scontext=user_u:system_r:unconfined_t:s0 
> tcontext=user_u:object_r:user_home_t:s0 tclass=file
>
> and:
>
> audit(1144077181.455:932): avc:  denied  { execmod } for  pid=27638 
> comm="lt-testhdf5" name="libhdf5.so.1.2.1" dev=dm-2 ino=6300972 
> scontext=system_u:system_r:initrc_t:s0 
> tcontext=system_u:object_r:default_t:s0 tclass=file
>
> I'm trying to build HDF5-1.7.52 and this is happening during the 
> make-check phase.  The first is doing an rpmbuild as a normal user.  
> The second is with mock started by SGE.
>
You can turn off this check by setting the allow_execmod boolean.

setsebool -P allow_execmod=1

Or you can label these files with textrel_shlib_t

chcon -t textrel_shlib_t libhdf5.so.1.2.1



