On Thu, 26 Apr 2007, Jon Peatfield wrote:

> Because of other problems it seems I can't run with selinux enabled, or at
> least not right away. Our %post fragment edits /etc/passwd (which works) and
> a few other trivial things, and drops in a script 'postinstall' to be run
> fairly late on in the boot.
>
> The postinstall script attempts to update several files in /etc (and other
> places) using rsync -- and script fails because selinux won't let us copy
> files to there using rsync. If I log in as root (when I can!) after the
> script has failed and run the bits by hand they all appear to work, it also
> seems to (mostly) work from a later reboot, so there seems to be some state
> getting set but I can't spot what it is...

Init scripts run in the initrc_t domain, that's probably why.

> Maybe if I get a little more time I'll try to find out if we can do better
> than using 'selinux --permissive' but I'm using a fairly blunt instrument for
> now...

In our firstboot init script, we use this to escape from initrc_t:

    # Only build the runcon prefix when SELinux is enabled and runcon exists
    RUNCON=""
    if [ -x /usr/sbin/selinuxenabled -a -x /usr/bin/runcon ]; then
        /usr/sbin/selinuxenabled && RUNCON="/usr/bin/runcon -t unconfined_t --"
    fi

    case "$1" in
        start)
            # $RUNCON is left unquoted so it splits into command and arguments
            $RUNCON do_things_not_allowed_in_initrc_t_domain
            ;;
    esac

Hth,
-- 
Stephan Wiesand
DESY - DV -
Platanenallee 6
15738 Zeuthen, Germany
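
An added example, not part of the original post or of the DESY firstboot script: it goes one step beyond the snippet above by reading the context the script is actually running in and applying the runcon prefix only when the type is initrc_t, which also shows why the same commands behave differently when run by hand from a root login. The function names are hypothetical, and it assumes (as the post does) that the policy permits the transition from initrc_t to unconfined_t.

```shell
#!/bin/sh
# Added example: wrap a command in runcon only when started from initrc_t.

TARGET_TYPE=unconfined_t   # target type taken from the post

# Print the type field (third colon-separated field) of a context such as
# "system_u:system_r:initrc_t:s0". Prints nothing for empty input or for
# strings that contain no ':' (cut -s suppresses those lines).
context_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# Print the context of the running script, or nothing if the kernel
# does not expose one.
current_context() {
    cat /proc/self/attr/current 2>/dev/null | tr -d '\000'
}

# Print the command prefix needed to leave initrc_t for the given context
# string, or nothing if the caller is already outside initrc_t.
runcon_prefix() {
    case "$(context_type "$1")" in
        initrc_t) printf '/usr/bin/runcon -t %s --\n' "$TARGET_TYPE" ;;
        *)        : ;;
    esac
}

# Run "$@" directly, or through runcon when the script was started by init.
run_outside_initrc() {
    prefix=""
    if [ -x /usr/bin/runcon ]; then
        prefix=$(runcon_prefix "$(current_context)")
    fi
    # $prefix is intentionally unquoted: empty means "run the command as is"
    $prefix "$@"
}
```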