Hello,

/etc/init.d/net.eth0 start

Stays in inactive state if I execute it from the SELinux root context.

Aug 25 00:51:09 alon1 /etc/init.d/net.eth0[8933]: WARNING: net.eth0 has started, but is inactive
Aug 25 00:51:09 alon1 wpa_cli: interface eth0 CONNECTED
Aug 25 00:51:11 alon1 dnsmasq[7695]: no servers found in /etc/resolv.conf, will retry
Aug 25 00:51:12 alon1 wpa_cli: executing '/etc/init.d/net.eth0 --quiet start' failed

If I start it from an su environment it succeeds:

Aug 25 00:51:58 alon1 /etc/init.d/net.eth0[9367]: WARNING: net.eth0 has started, but is inactive
Aug 25 00:51:58 alon1 wpa_cli: interface eth0 CONNECTED
Aug 25 00:51:59 alon1 dhcpcd[9490]: eth0: dhcpcd 3.0.16 starting
I have no idea about SELinux - the only hook we've ever had is in runscript.c and it's still there. The SELinux team will have to solve this.
(In reply to comment #0)
> Hello,
>
> /etc/init.d/net.eth0 start
>
> Stays in inactive state if I execute it from selinux root context.

Any scripts in /etc/init.d/ that are called manually have to be started from a sysadm_r role to be able to change their context so the process can access its files.

# newrole -r sysadm_r
[enter password]
# /etc/init.d/net.eth0 start
[enter password]

This is deliberate.

Otherwise, if you have manually edited files in /etc, they might not be labeled correctly, especially if using vim (try nvi instead). If so, try (as root, in a sysadm_r role):

# restorecon -vR /etc

Alternatively, if you have a lot of labels set wrong, "rlpkg -a" is your friend. However, it will take a LONG time.
(In reply to comment #2)
> # newrole -r sysadm_r
> [enter password]
> # /etc/init.d/net.eth0 start
> [enter password]
>
> This is deliberate.

I know... Only net.ethX does not work during the pending->active transition.

> Otherwise, if you have manually edited files in /etc, they might not be labeled
> correctly, especially if using vim (try nvi instead).

Can't vi be patched to solve the above?

> If so, try (as root, in
> an sysadm_r role):
>
> # restorecon -vR /etc
>
> Alternatively, if you have a lot of labels set wrong, "rlpkg -a" is your
> friend. However, it will take a LONG time.

Done, and does not work... Please note the following:

Sep 10 00:04:14 alon1 audit(1189371854.165:1726): avc: denied { read } for pid=8412 comm="start-stop-daem" name="001" dev=tmpfs ino=99895 scontext=root:sysadm_r:run_init_t tcontext=root:object_r:tmpfs_t tclass=file
Sep 10 00:04:14 alon1 audit(1189371854.165:1727): avc: denied { read } for pid=8407 comm="wpa_supplicant" scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:run_init_t tclass=netlink_route_socket
Sep 10 00:04:14 alon1 audit(1189371854.665:1728): avc: denied { write } for pid=8407 comm="wpa_supplicant" scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:run_init_t tclass=netlink_route_socket
Sep 10 00:04:14 alon1 audit(1189371854.665:1729): avc: denied { nlmsg_write } for pid=8407 comm="wpa_supplicant" scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:run_init_t tclass=netlink_route_socket
Sep 10 00:04:14 alon1 audit(1189371854.665:1730): avc: denied { read } for pid=8407 comm="wpa_supplicant" scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:run_init_t tclass=packet_socket
Sep 10 00:04:14 alon1 audit(1189371854.665:1731): avc: denied { write } for pid=8407 comm="wpa_supplicant" scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:run_init_t tclass=packet_socket
Sep 10 00:04:14 alon1 audit(1189371854.665:1732): avc: denied { execute } for pid=8419 comm="sh" name="wpa_cli.sh" dev=loop5 ino=776462 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:etc_t tclass=file
Sep 10 00:04:14 alon1 audit(1189371854.665:1733): avc: denied { execute_no_trans } for pid=8419 comm="sh" name="wpa_cli.sh" dev=loop5 ino=776462 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:etc_t tclass=file
Sep 10 00:04:14 alon1 audit(1189371854.665:1734): avc: denied { read } for pid=8421 comm="net.eth0" name="softlevel" dev=tmpfs ino=12864 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=file
Sep 10 00:04:14 alon1 audit(1189371854.665:1735): avc: denied { getattr } for pid=8421 comm="net.eth0" name="softlevel" dev=tmpfs ino=12864 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=file
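The AVC denials quoted in comment #3 are easier to reason about once they are collapsed into audit2allow-style rules grouped by source type, target type and object class. The script below is an added example for readers of this bug, not code from the reporter or from the Gentoo SELinux or baselayout projects; it parses the syslog-formatted "avc: denied" lines with a regular expression and aggregates the permissions. The embedded sample input is a constructed copy of the denials quoted above plus one unrelated kernel line to show that non-AVC records are ignored.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC lines quoted in comment #3 (verbatim) plus
# one non-AVC syslog line that the parser must skip.
SAMPLE_LOG = """\
Sep 10 00:04:14 alon1 audit(1189371854.165:1726): avc: denied { read } for pid=8412 comm="start-stop-daem" name="001" dev=tmpfs ino=99895 scontext=root:sysadm_r:run_init_t tcontext=root:object_r:tmpfs_t tclass=file
Sep 10 00:04:14 alon1 audit(1189371854.165:1727): avc: denied { read } for pid=8407 comm="wpa_supplicant" scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:run_init_t tclass=netlink_route_socket
Sep 10 00:04:14 alon1 audit(1189371854.665:1728): avc: denied { write } for pid=8407 comm="wpa_supplicant" scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:run_init_t tclass=netlink_route_socket
Sep 10 00:04:14 alon1 audit(1189371854.665:1729): avc: denied { nlmsg_write } for pid=8407 comm="wpa_supplicant" scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:run_init_t tclass=netlink_route_socket
Sep 10 00:04:14 alon1 audit(1189371854.665:1730): avc: denied { read } for pid=8407 comm="wpa_supplicant" scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:run_init_t tclass=packet_socket
Sep 10 00:04:14 alon1 audit(1189371854.665:1731): avc: denied { write } for pid=8407 comm="wpa_supplicant" scontext=root:sysadm_r:run_init_t tcontext=root:sysadm_r:run_init_t tclass=packet_socket
Sep 10 00:04:14 alon1 audit(1189371854.665:1732): avc: denied { execute } for pid=8419 comm="sh" name="wpa_cli.sh" dev=loop5 ino=776462 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:etc_t tclass=file
Sep 10 00:04:14 alon1 audit(1189371854.665:1733): avc: denied { execute_no_trans } for pid=8419 comm="sh" name="wpa_cli.sh" dev=loop5 ino=776462 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:etc_t tclass=file
Sep 10 00:04:14 alon1 audit(1189371854.665:1734): avc: denied { read } for pid=8421 comm="net.eth0" name="softlevel" dev=tmpfs ino=12864 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=file
Sep 10 00:04:14 alon1 audit(1189371854.665:1735): avc: denied { getattr } for pid=8421 comm="net.eth0" name="softlevel" dev=tmpfs ino=12864 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=file
Sep 10 00:04:15 alon1 kernel: eth0: link up
"""

# "avc: denied { perm [perm ...] } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    return rec


def type_of(context):
    """Extract the type field from a user:role:type[:range] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize(log_text):
    """Group denied permissions by (source type, target type, class).

    The target becomes "self" when source and target types match, which is
    how audit2allow writes rules for a domain acting on its own objects.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or "scontext" not in rec or "tcontext" not in rec:
            continue
        src = type_of(rec["scontext"])
        tgt = type_of(rec["tcontext"])
        if tgt == src:
            tgt = "self"
        rules[(src, tgt, rec["tclass"])].update(rec["perms"])
    return dict(rules)


def format_rules(rules):
    """Render the grouped denials as candidate allow rules, one per line."""
    return ["allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
            for (src, tgt, cls), perms in sorted(rules.items())]


def source_domains(rules):
    """The set of source types that were denied; one entry means one domain."""
    return {src for (src, _, _) in rules}


if __name__ == "__main__":
    grouped = summarize(SAMPLE_LOG)
    print("\n".join(format_rules(grouped)))
    print("source domains:", ", ".join(sorted(source_domains(grouped))))
```

The generated rules are a diagnostic summary, not something to load into the policy as-is: every denial has run_init_t as the source, including the ones from comm="net.eth0" itself, so the script and the daemons it spawned were all still running in the domain the caller entered rather than in a separate init-script domain. Allowing run_init_t to read softlevel, execute etc_t files and use netlink and packet sockets would widen that domain permanently instead of fixing why the transition did not happen.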
Closing stale bugs. Please reopen if there is still a problem with current policy.