
SELinux: Allow a bash script to run in Strict mode

Developer https://www.devze.com 2023-04-02 11:31 Source: web

I have an RHEL 5.5 server with SELinux installed in strict mode. The system is in permissive mode currently. I am trying to write a simple shell script, say setest.sh and want to run it explicitly from the bash terminal.

In permissive mode I am able to do so, but it is logged as denied in the audit logs:

Sep  6 12:49:58 rhel-vm-003 kern 5 kernel: type=1400 audit(1315293598.916:45417): 
avc:  denied  { execute_no_trans } for  pid=26602 comm="bash" path="/var/tmp/setest.sh"
dev=sda1 ino=1017036 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:test_policy_exec_t:s0 tclass=file

This obviously means that I will not be able to run the script from the bash console once I switch SELinux to enforcing mode. What allow/domain transition rule should I add in my policy modules so that this can work when SELinux is enforced?

Regards,

Nagendra U M


When I run a web search on 'test_policy_exec_t', the only hit I get is this thread, so I presume it's a custom context that you've created. Just change the context to something normal and you'll be able to run the scripts.

On my RHEL 5 server with default sepolicy, the following generates nothing in the audit log.

 $ echo -e '#!/bin/sh\necho Hi!' > /var/tmp/setest.sh
 $ ls -Z /var/tmp/setest.sh
 -rw-r--r--  polgar users user_u:object_r:tmp_t            /var/tmp/setest.sh
 $ /var/tmp/setest.sh
 Hi!
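As an added example (not part of the original thread), a small parser for AVC denial lines like the one quoted in the question. It pulls out the source type, target type, object class and permission, and prints the Type Enforcement allow rule that would match the denial, the same shape audit2allow emits, so it is clear what the asker's requested rule would actually grant. It uses only the Python standard library; the sample message is constructed from the log above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# AVC denial layout as written by the kernel (audit type=1400):
#   avc: denied { perms } for <key=value ...> scontext=... tcontext=... tclass=...
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+"
    r"tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

@dataclass
class Denial:
    perms: list          # denied permissions, e.g. ["execute_no_trans"]
    scontext: str        # security context of the acting process
    tcontext: str        # security context of the object (here: the script file)
    tclass: str          # object class, e.g. "file"
    fields: dict         # pid, comm, path, dev, ino, ...

def parse_avc(text: str) -> Optional[Denial]:
    """Parse one AVC denial; syslog may wrap it over several lines, so join them first."""
    flat = " ".join(text.split())
    m = AVC_RE.search(flat)
    if not m:
        return None
    raw = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields"))
    fields = {k: v.strip('"') for k, v in raw}
    return Denial(m.group("perms").split(), m.group("scontext"),
                  m.group("tcontext"), m.group("tclass"), fields)

def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type; TE rules refer to the type only."""
    return ctx.split(":")[2]

def allow_rule(d: Denial) -> str:
    """TE rule that would permit exactly this denial (what audit2allow would propose).
    execute_no_trans means the domain runs the file without a domain transition."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ %s }" % " ".join(d.perms)
    return "allow %s %s:%s %s;" % (context_type(d.scontext),
                                   context_type(d.tcontext), d.tclass, perms)

# Constructed sample: the denial from the question, wrapped as in the log.
SAMPLE = """Sep  6 12:49:58 rhel-vm-003 kern 5 kernel: type=1400 audit(1315293598.916:45417):
avc:  denied  { execute_no_trans } for  pid=26602 comm="bash" path="/var/tmp/setest.sh"
dev=sda1 ino=1017036 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:test_policy_exec_t:s0 tclass=file"""

if __name__ == "__main__":
    d = parse_avc(SAMPLE)
    print(d.fields["comm"], "->", d.fields["path"])
    print(allow_rule(d))  # allow sshd_t test_policy_exec_t:file execute_no_trans;
```

Seeing the rule spelled out shows why the answer below prefers relabelling the file: the rule would let every sshd_t process execute any test_policy_exec_t file in its own domain, whereas a standard label needs no policy change at all.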
