Date: Sun, 29 Apr 2007 16:40:09 +0200
On Thu, 26 Apr 2007, Jon Peatfield wrote:
> Because of other problems it seems I can't run with selinux enabled, or at
> least not right away. Our %post fragment edits /etc/passwd (which works) and
> a few other trivial things, and drops in a script 'postinstall' to be run
> fairly late on in the boot.
>
> The postinstall script attempts to update several files in /etc (and other
> places) using rsync -- and script fails because selinux won't let us copy
> files to there using rsync. If I log in as root (when I can!) after the
> script has failed and run the bits by hand they all appear to work, it also
> seems to (mostly) work from a later reboot, so there seems to be some state
> getting set but I can't spot what it is...

Init scripts run in the initrc_t domain, that's probably why.

> Maybe if I get a little more time I'll try to find out if we can do better
> than using 'selinux --permissive' but I'm using a fairly blunt instrument for
> now...

In our firstboot init script, we use this to escape from initrc_t:

    # Prefix commands with runcon only when SELinux is present and enabled
    RUNCON=""
    if [ -x /usr/sbin/selinuxenabled -a -x /usr/bin/runcon ]; then
        /usr/sbin/selinuxenabled && RUNCON="/usr/bin/runcon -t unconfined_t --"
    fi

    case "$1" in
        start)
            # $RUNCON is left unquoted on purpose so it splits into words
            $RUNCON do_things_not_allowed_in_initrc_t_domain
            ;;
    esac

Hth,
--
Stephan Wiesand
DESY - DV -
Platanenallee 6
15738 Zeuthen, Germany
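
Added example, not part of the original message: a variant of the wrapper above that applies runcon only when the script really is running in initrc_t, so the same script can also be run by hand from a root shell without an unnecessary domain change. The function names are hypothetical and the sample contexts are constructed.

```shell
#!/bin/sh
# Added example (not Stephan Wiesand's code); function names are hypothetical.

# Print the type (domain) field of a context like "system_u:system_r:initrc_t:s0".
# The level part may itself contain ':' (e.g. s0-s0:c0.c1023), so take field 3,
# not the last field. -s suppresses input that is not a colon-separated context.
context_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# Print "yes" only if the tools used in the message exist and SELinux is enabled.
selinux_state() {
    if [ -x /usr/sbin/selinuxenabled ] && [ -x /usr/bin/runcon ] \
        && /usr/sbin/selinuxenabled; then
        echo yes
    else
        echo no
    fi
}

# Print the current process context, or nothing if it cannot be read.
current_context() {
    if [ -r /proc/self/attr/current ]; then
        tr -d '\000' < /proc/self/attr/current 2>/dev/null
    fi
}

# $1 = yes/no (SELinux enabled), $2 = current context.
# Print the runcon prefix only when confined to initrc_t; otherwise print nothing.
runcon_prefix() {
    [ "$1" = yes ] || return 0
    if [ "$(context_type "$2")" = initrc_t ]; then
        printf '%s\n' "/usr/bin/runcon -t unconfined_t --"
    fi
}

# Constructed sample contexts, to show the decision without needing SELinux.
for ctx in "system_u:system_r:initrc_t:s0" \
           "root:system_r:unconfined_t:s0-s0:c0.c1023"; do
    echo "$ctx -> prefix: '$(runcon_prefix yes "$ctx")'"
done

# On a real host: compute the prefix for this process and report the start domain.
RUNCON=$(runcon_prefix "$(selinux_state)" "$(current_context)")
echo "started in: $(current_context) ; prefix: ${RUNCON:-none}"
```

Logging the starting context makes it easy to confirm later which domain a failed firstboot step actually ran in.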