SCIENTIFIC-LINUX-DEVEL Archives

April 2007

SCIENTIFIC-LINUX-DEVEL@LISTSERV.FNAL.GOV

From: Stephan Wiesand <[log in to unmask]>
Date: Sun, 29 Apr 2007 16:40:09 +0200

On Thu, 26 Apr 2007, Jon Peatfield wrote:

> Because of other problems it seems I can't run with selinux enabled, or at 
> least not right away.  Our %post fragment edits /etc/passwd (which works) and 
> a few other trivial things, and drops in a script 'postinstall' to be run 
> fairly late on in the boot.
>
> The postinstall script attempts to update several files in /etc (and other 
> places) using rsync -- and the script fails because selinux won't let us copy 
> files to there using rsync.  If I log in as root (when I can!) after the 
> script has failed and run the bits by hand they all appear to work, it also 
> seems to (mostly) work from a later reboot, so there seems to be some state 
> getting set but I can't spot what it is...

Init scripts run in the initrc_t domain; that's probably why.

> Maybe if I get a little more time I'll try to find out if we can do better 
> than using 'selinux --permissive' but I'm using a fairly blunt instrument for 
> now...

In our firstboot init script, we use this to escape from initrc_t:

RUNCON=""
if [ -x /usr/sbin/selinuxenabled -a -x /usr/bin/runcon ]; then
     # only prefix with runcon when SELinux is actually enabled
     /usr/sbin/selinuxenabled && RUNCON="/usr/bin/runcon -t unconfined_t --"
fi

case "$1" in
     start)
        # run the work in unconfined_t instead of the initrc_t domain
        $RUNCON do_things_not_allowed_in_initrc_t_domain
        ;;
esac

Hth,

-- 
Stephan Wiesand
   DESY - DV -
   Platanenallee 6
   15738 Zeuthen, Germany
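A fuller version of the same trick, added here as an example and not the script from the post above: the binary paths and the target domain are parameters (an assumption, so the prefix logic can be exercised on a host without SELinux), and the child's context is read back from /proc/self/attr/current so the start action fails loudly if runcon did not actually leave initrc_t.

```shell
#!/bin/sh
# Added example, not the list post's own firstboot script.
# Paths and domain are parameters (assumption) for testability.

# Print the runcon prefix, or nothing when SELinux is off or a tool is missing.
build_runcon_prefix() {
    enabled_bin="${1:-/usr/sbin/selinuxenabled}"
    runcon_bin="${2:-/usr/bin/runcon}"
    domain="${3:-unconfined_t}"
    if [ -x "$enabled_bin" ] && [ -x "$runcon_bin" ] && "$enabled_bin" 2>/dev/null; then
        printf '%s -t %s --' "$runcon_bin" "$domain"
    fi
}

# Extract the type field from a context such as system_u:system_r:initrc_t:s0.
type_of_context() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Report the domain a child started through the prefix actually runs in.
escaped_domain() {
    prefix=$(build_runcon_prefix "$@")
    # word-splitting of $prefix is intended: it is a command plus its options
    type_of_context "$($prefix sh -c 'cat /proc/self/attr/current 2>/dev/null')"
}

# Run a command outside initrc_t; refuse to proceed if the transition failed.
run_outside_initrc_t() {
    if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled 2>/dev/null; then
        if [ "$(escaped_domain)" != "unconfined_t" ]; then
            echo "firstboot: runcon did not leave initrc_t, aborting" >&2
            return 1
        fi
    fi
    prefix=$(build_runcon_prefix)
    $prefix "$@"
}

# Same shape as the post's init script; the work itself is a placeholder.
case "${1:-}" in
    start)
        run_outside_initrc_t do_things_not_allowed_in_initrc_t_domain
        ;;
esac
```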
