From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <52B2190F.1020100@tycho.nsa.gov>
Date: Wed, 18 Dec 2013 16:52:15 -0500
From: Stephen Smalley
MIME-Version: 1.0
To: Jay Corrales
Subject: Re: /bin/bash: Bad interpreter: Permission denied.
References: <52B20217.8030908@tycho.nsa.gov>
Content-Type: text/plain; charset=ISO-8859-1
Cc: SELinux@tycho.nsa.gov
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

On 12/18/2013 04:46 PM, Jay Corrales wrote:
> ls -Z shows system_u:object_r:awips_exec_t. If execute_no_trans allow
> is added, it does not run in the awips_exec_t domain, but in user_t.

Um, what is the file mode, i.e. is it executable?

>
> On 12/18/13, Stephen Smalley wrote:
>> On 12/17/2013 11:23 AM, Jay Corrales wrote:
>>> Folks,
>>>
>>> We're running RedHat Enterprise Linux 5 (rhel5) with selinux strict and
>>> enforcing mode, and finding that something in our configuration prevents
>>> a simple shell script from domain transitioning from user_t to awips_t
>>> context. If we run a test virtual machine with a new install of rhel5, it
>>> does run OK, but something in our current configuration prevents this
>>> result. Wondering if it makes sense to run a tool like apol to find any
>>> clues as to why? The audit log (/var/log/audit/audit.log) shows an AVC
>>> requiring execute_no_trans for user_t (not listed here).
>>
>> Here you say you have an execute_no_trans denial.
>>
>>> [root@localhost ~]# sesearch -a -s user_t -t awips_exec_t -c file -p execute
>>
>> Here you search for execute permission.
>>
>> They are different.
>>
>> Also, what does ls -Z show for the script?
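
The mismatch pointed out in the reply (a denial for execute_no_trans, a policy search for execute) can be avoided by building the query from the AVC record itself. The following is an added example, not part of the original thread: the log lines are constructed, the helper names are hypothetical, and the sesearch command is emitted in the same form the original poster used.

```python
import re

# Constructed audit.log lines for illustration (not taken from the thread);
# the path, pids and inode numbers are placeholders.
SAMPLE_LOG = """\
type=AVC msg=audit(1387300000.101:41): avc:  denied  { execute_no_trans } for  pid=2101 comm="bash" path="/example/script.sh" dev=sda1 ino=1001 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:awips_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1387300000.101:41): arch=40000003 syscall=11 success=no exit=-13
type=AVC msg=audit(1387300000.202:42): avc:  denied  { read write } for  pid=2102 comm="bash" name="example.dat" dev=sda1 ino=1002 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:awips_exec_t:s0 tclass=file
"""

# Permissions, source/target contexts and class of one "avc: denied" record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Return one (source_type, target_type, tclass, perm) tuple per denied permission."""
    denials = []
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue  # SYSCALL and other record types carry no denial
        for perm in match.group("perms").split():
            denials.append((context_type(match.group("scon")),
                            context_type(match.group("tcon")),
                            match.group("tclass"), perm))
    return denials


def sesearch_for(denial):
    """Build the query in the form used in the thread, with the denied permission."""
    return "sesearch -a -s %s -t %s -c %s -p %s" % denial


def query_covers(queried_perm, denial):
    """True only if the permission searched for is the one that was denied."""
    return queried_perm == denial[3]


if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print(sesearch_for(d), "| covered by a search for 'execute':", query_covers("execute", d))
```
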