Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 448292

Summary: Starting an init script as "./scriptname" fails with "Exec:: No such file or directory"
Product: Gentoo Linux Reporter: Sven Vermeulen (RETIRED) <swift>
Component: SELinuxAssignee: SE Linux Bugs <selinux>
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Package list:
Runtime testing required: ---

Description Sven Vermeulen (RETIRED) gentoo-dev 2012-12-23 12:33:04 UTC
When trying to start or query an init script with relative path, it fails:

~# run_init ./puppet status
Authenticating root.
Exec:: No such file or directory

Other things that work and don't work:

etc # run_init ./init.d/puppet status
Authenticating root.
Exec:: No such file or directory

/ # run_init ./etc/init.d/puppet status
Authenticating root.
 * status: started

init.d #  run_init ../../etc/init.d/puppet status
Authenticating root.
 * status: started

Strace'ing shows:

18202 execve("./puppet", ["./puppet", "status"], [/* 22 vars */] <unfinished ...>
18200 <... select resumed> )            = 1 (out [3], left {0, 199989})
18202 <... execve resumed> )            = -1 ENOENT (No such file or directory)
18202 munmap(0x31eabbd3000, 4096 <unfinished ...>
18200 read(3,  <unfinished ...>
18202 <... munmap resumed> )            = 0
18200 <... read resumed> "Exec:: No such file or directory\n", 16384) = 33
18200 write(1, "Exec:: No such file or directory\n", 33 <unfinished ...>

No denials in place beyond the regular siginh/noatsecure/rlimitinh (which are dontaudited by default).

Reproducible: Always
Comment 1 schmitt953 2012-12-23 17:03:35 UTC
Besides that does the system function normally? I had this problem in strict and rebuilding the base policy worked, but in mcs that's no good.
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-23 19:30:12 UTC
Yes, all other methods work just fine for this; "run_init rc-service puppet status" or "run_init /etc/init.d/puppet status".
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2013-03-17 11:04:11 UTC
It might not be so much a SELinux-policy related issue (as doing this in permissive mode gives the same result), perhaps more about the integrated run_init support. I'll look at that code and see what I can find...
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2013-03-17 15:07:33 UTC
I think I have it.

In run_init.c (not the Gentoo-specific one, the general run_init from policycoreutils), the command first changes the directory to "/" using chdir("/") (@ line 399) after which it calls open_init_pty with the arguments (@ line 424).

As a result, we get something like:

~# run_init ./puppet status
-> cd /
-> open_init_pty ./puppet status

Of course, there is no "/puppet" so the command fails.

I made a symlink to "/" for the init script to see if this is a good explanation (to see if it tries to execute the init script) and it did:

~# cd /
~# ln -s /etc/init.d/puppet
~# cd /etc/init.d
~# run_init ./puppet status
Authenticating root.
 * status: started

This chdir("/") is not documented in the code, but I assume that this is because the run_init_t and initrc_t (actually all domains) have the necessary search privileges in root_t. Otherwise, you'll get errors/denials about not being able to search the "current working directory".

I'll have to mark this as CANTFIX due to the above reasons, but i'll document it in the FAQ.