From: yada@big.or.jp (Tomoki YADA)
Date: Sat, 06 Sep 2008 15:16:17 +0900
Subject: [refpolicy] CentOS: DIRECT_INITRC option problem
Message-ID: <20080906144533.E746.8B453AD9@big.or.jp>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

I have a problem of the different behavior from what I expected when I set "DIRECT_INITRC = y".

I'm using CentOS 5.2 with the latest updates as of today. I downloaded the latest version of the refpolicy, or refpolicy-20080702.tar.bz2, and I built it with the following settings.

TYPE = mcs
DISTRO = redhat
DIRECT_INITRC = y
MONOLITHIC = y

Instead of "DIRECT_INITRC = y", however, when I tried directly running an init script, for example /etc/init.d/sshd status, I got the following message.

#/etc/init.d/sshd status
-bash: /etc/init.d/sshd: Permission denied

I found error messages in /var/log/audit/audit.log. This is the message.

type=USER_AVC msg=audit(1220604894.436:66): user pid=1685 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: received setenforce notice (enforcing=1) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=AVC msg=audit(1220604900.764:67): avc: denied { execute } for pid=1895 comm="bash" name="sshd" dev=dm-0 ino=622892 scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c255 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1220604900.764:67): arch=40000003 syscall=11 success=no exit=-13 a0=820d018 a1=820d068 a2=8207ad0 a3=0 items=0 ppid=1873 pid=1895 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="bash" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0-s0:c0.c255 key=(null)
type=AVC msg=audit(1220604900.764:68): avc: denied { execute } for pid=1895 comm="bash" name="sshd" dev=dm-0 ino=622892 scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c255 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file

What do I do to directly run an init script without using the run_init tool? Could someone help me please?

Thanks in advance.
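
For reading the audit records quoted in the message above, here is an added example (not part of the original post or of refpolicy) that parses AVC denials and groups them by source type, target type, object class and permission. The function names are hypothetical, and the SYSCALL record in the sample is abbreviated.

```python
import re
from collections import Counter

# Records taken from the message above; the SYSCALL line is abbreviated here.
SAMPLE_LOG = """\
type=AVC msg=audit(1220604900.764:67): avc: denied { execute } for pid=1895 comm="bash" name="sshd" dev=dm-0 ino=622892 scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c255 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1220604900.764:67): arch=40000003 syscall=11 success=no exit=-13 comm="bash" exe="/bin/bash" subj=root:sysadm_r:sysadm_t:s0-s0:c0.c255 key=(null)
type=AVC msg=audit(1220604900.764:68): avc: denied { execute } for pid=1895 comm="bash" name="sshd" dev=dm-0 ino=622892 scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c255 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]*) \} for (?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type:level; the MLS/MCS level may itself contain ':'."""
    user, role, setype, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": setype, "level": level}


def parse_avc(line):
    """Return a dict for a kernel AVC denial, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "source_type": split_context(fields["scontext"])["type"],
        "target_type": split_context(fields["tcontext"])["type"],
        "tclass": fields["tclass"],
    }


def parse_denials(log):
    return [d for d in map(parse_avc, log.splitlines()) if d]


def summarize(log):
    """Count denials per (source type, target type, class, permission)."""
    return Counter((d["source_type"], d["target_type"], d["tclass"], p)
                   for d in parse_denials(log) for p in d["perms"])


if __name__ == "__main__":
    for (src, tgt, cls, perm), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x {src} denied {{ {perm} }} on {tgt}:{cls}")
```
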