448292 – Starting an init script as "./scriptname" fails with "Exec:: No such file or directory"

Bug 448292 - Starting an init script as "./scriptname" fails with "Exec:: No such file or directory"

Summary: Starting an init script as "./scriptname" fails with "Exec:: No such file or ...

Status:	RESOLVED CANTFIX

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	SELinux (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	SE Linux Bugs

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2012-12-23 12:33 UTC by Sven Vermeulen (RETIRED)
Modified:	2013-03-17 15:07 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sven Vermeulen (RETIRED) gentoo-dev

2012-12-23 12:33:04 UTC

When trying to start or query an init script with relative path, it fails:

"""
~# run_init ./puppet status
Authenticating root.
Exec:: No such file or directory
"""

Other things that work and don't work:

"""
etc # run_init ./init.d/puppet status
Authenticating root.
Exec:: No such file or directory

/ # run_init ./etc/init.d/puppet status
Authenticating root.
 * status: started

init.d #  run_init ../../etc/init.d/puppet status
Authenticating root.
 * status: started
"""

Strace'ing shows:

"""
18202 execve("./puppet", ["./puppet", "status"], [/* 22 vars */] <unfinished ...>
18200 <... select resumed> )            = 1 (out [3], left {0, 199989})
18202 <... execve resumed> )            = -1 ENOENT (No such file or directory)
...
18202 munmap(0x31eabbd3000, 4096 <unfinished ...>
18200 read(3,  <unfinished ...>
18202 <... munmap resumed> )            = 0
18200 <... read resumed> "Exec:: No such file or directory\n", 16384) = 33
18200 write(1, "Exec:: No such file or directory\n", 33 <unfinished ...>
"""

No denials in place beyond the regular siginh/noatsecure/rlimitinh (which are dontaudited by default).

Reproducible: Always

Comment 1 schmitt953 2012-12-23 17:03:35 UTC

Besides that does the system function normally? I had this problem in strict and rebuilding the base policy worked, but in mcs that's no good.

Comment 2 Sven Vermeulen (RETIRED) gentoo-dev

2012-12-23 19:30:12 UTC

Yes, all other methods work just fine for this; "run_init rc-service puppet status" or "run_init /etc/init.d/puppet status".

Comment 3 Sven Vermeulen (RETIRED) gentoo-dev

2013-03-17 11:04:11 UTC

It might not be so much a SELinux-policy related issue (as doing this in permissive mode gives the same result), perhaps more about the integrated run_init support. I'll look at that code and see what I can find...

Comment 4 Sven Vermeulen (RETIRED) gentoo-dev

2013-03-17 15:07:33 UTC

I think I have it.

In run_init.c (not the Gentoo-specific one, the general run_init from policycoreutils), the command first changes the directory to "/" using chdir("/") (@ line 399) after which it calls open_init_pty with the arguments (@ line 424).

As a result, we get something like:

~# run_init ./puppet status
-> cd /
-> open_init_pty ./puppet status

Of course, there is no "/puppet" so the command fails.

I made a symlink to "/" for the init script to see if this is a good explanation (to see if it tries to execute the init script) and it did:

"""
~# cd /
~# ln -s /etc/init.d/puppet
~# cd /etc/init.d
~# run_init ./puppet status
Authenticating root.
 * status: started
"""

This chdir("/") is not documented in the code, but I assume that this is because the run_init_t and initrc_t (actually all domains) have the necessary search privileges in root_t. Otherwise, you'll get errors/denials about not being able to search the "current working directory".

I'll have to mark this as CANTFIX due to the above reasons, but i'll document it in the FAQ.