Summary: | Starting an init script as "./scriptname" fails with "Exec:: No such file or directory" | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Sven Vermeulen (RETIRED) <swift> |
Component: | SELinux | Assignee: | SE Linux Bugs <selinux> |
Status: | RESOLVED CANTFIX | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Sven Vermeulen (RETIRED)
Besides that does the system function normally? I had this problem in strict and rebuilding the base policy worked, but in mcs that's no good.

Yes, all other methods work just fine for this; "run_init rc-service puppet status" or "run_init /etc/init.d/puppet status". It might not be so much a SELinux-policy related issue (as doing this in permissive mode gives the same result), perhaps more about the integrated run_init support. I'll look at that code and see what I can find...

I think I have it. In run_init.c (not the Gentoo-specific one, the general run_init from policycoreutils), the command first changes the directory to "/" using chdir("/") (@ line 399) after which it calls open_init_pty with the arguments (@ line 424). As a result, we get something like:

~# run_init ./puppet status
-> cd /
-> open_init_pty ./puppet status

Of course, there is no "/puppet" so the command fails. I made a symlink to "/" for the init script to see if this is a good explanation (to see if it tries to execute the init script) and it did:

"""
~# cd /
~# ln -s /etc/init.d/puppet
~# cd /etc/init.d
~# run_init ./puppet status
Authenticating root.
 * status: started
"""

This chdir("/") is not documented in the code, but I assume that this is because the run_init_t and initrc_t (actually all domains) have the necessary search privileges in root_t. Otherwise, you'll get errors/denials about not being able to search the "current working directory".

I'll have to mark this as CANTFIX due to the above reasons, but I'll document it in the FAQ.
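The failure described in this thread, as an added C illustration (not code from policycoreutils or from the bug report): a relative command stops resolving once the process has done chdir("/"), while a path made absolute beforehand still works. `absolutize`, `demo` and the `puppet.example` file name are hypothetical, and the temporary directory is constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: make cmd absolute against the caller's cwd, BEFORE any
 * chdir("/"). getcwd() rather than realpath(), so symlink names are preserved. */
static int absolutize(const char *cmd, char *out, size_t outlen)
{
    char cwd[PATH_MAX];
    int n = -1;
    if (cmd[0] == '/' || strchr(cmd, '/') == NULL)
        n = snprintf(out, outlen, "%s", cmd);   /* absolute, or bare name for PATH lookup */
    else if (getcwd(cwd, sizeof cwd) != NULL)
        n = snprintf(out, outlen, "%s/%s", cwd, cmd);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Replays the sequence from the report in a constructed temp directory. Returns
 * the errno for the relative path after chdir("/"); *fixed_ok = 1 if the fix works. */
int demo(int *fixed_ok)
{
    char dir[] = "/tmp/runinit-demo-XXXXXX";    /* constructed sample dir */
    char script[PATH_MAX], fixed[PATH_MAX];
    FILE *f;
    int rel_errno = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(script, sizeof script, "%s/puppet.example", dir);
    if ((f = fopen(script, "w")) == NULL) return -1;
    fclose(f);
    if (chdir(dir) != 0 || absolutize("./puppet.example", fixed, sizeof fixed) != 0)
        return -1;
    if (chdir("/") != 0) return -1;             /* the step the report points at */
    if (access("./puppet.example", F_OK) != 0)  /* now means /puppet.example */
        rel_errno = errno;
    *fixed_ok = (access(fixed, F_OK) == 0);
    unlink(script);
    rmdir(dir);
    return rel_errno;
}

int main(void)
{
    int ok = 0, e = demo(&ok);
    printf("relative path after chdir(\"/\"): %s; absolutized path ok: %d\n", strerror(e), ok);
    return 0;
}
```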