Magic! Thank you so much Dan! audit2allow is perfect.

From: tclug-list-bounces at mn-linux.org [mailto:tclug-list-bounces at mn-linux.org] On Behalf Of Dan Burkland
Sent: Wednesday, June 09, 2010 11:45 AM
To: tclug-list at mn-linux.org
Subject: [tclug-list] SELinux config to allow bash script to sudo?

I'm seeing these SELinux messages, and have been trying to learn how to config SELinux to allow the script to sudo. CLI works fine with sudo.

"SELinux is preventing /bin/bash "execute" access on /usr/bin/sudo."
"SELinux is preventing /bin/bash "getattr" access on /usr/bin/sudo."

It seems I must create a "local policy module". Anyone know this stuff and can confirm? I've been Googling up a storm looking for others that have already done this but have not found anything. I found the /usr/share/selinux/ dir structure with some existing ones, but nothing with sudo in the name. Will need to figure out how to create it.

I also tried setting the -r (role) and -t (type) arguments to the sudo command before embarking on a policy module. So I'm not sure if that should work on its own (maybe using incorrect values or something) or selinux needs config with or without the sudo args too?

Or is there a better way to invoke a privileged command as non-root user than sudo?

----------------

You can create a local selinux module by using audit2allow as root.

1) grep "sudo" /var/log/audit/audit.log | audit2allow -M sudobashfix
2) semodule -i sudobashfix.pp

Regards,
Dan
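
A review step for the grep in step 1, as an added example that is not part of the original thread: the filter matches every audit record that mentions sudo, so this summarizes which denials would end up in the module before it is installed. The log records and the source domain example_script_t are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample records (not from the thread). example_script_t is a
# hypothetical source domain; the third record is a denial that mentions
# sudo only through comm="sudo".
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1276101900.101:501): avc:  denied  { execute } for  pid=2101 comm="bash" name="sudo" dev=dm-0 ino=4711 scontext=system_u:system_r:example_script_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1276101900.102:502): avc:  denied  { getattr } for  pid=2101 comm="bash" path="/usr/bin/sudo" dev=dm-0 ino=4711 scontext=system_u:system_r:example_script_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file
type=AVC msg=audit(1276101900.103:503): avc:  denied  { read } for  pid=2101 comm="sudo" name="shadow" dev=dm-0 ino=4800 scontext=system_u:system_r:example_script_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=USER_CMD msg=audit(1276101900.104:504): user pid=2102 uid=48 msg='cwd="/" cmd="sudo -l"'
EOF
}

# Read audit records on stdin, apply the same filter as step 1, and print
# one "source_type target_type class perms" line per distinct AVC denial.
summarize_denials() {
    grep "sudo" | awk '
        / avc: +denied / {
            perms = ""; src = ""; tgt = ""; cls = ""
            if (match($0, /[{][^}]*[}]/)) {
                perms = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perms)
            }
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
                if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            if (src != "" && tgt != "" && cls != "")
                print src, tgt, cls, perms
        }' | sort -u
}

# Denials whose target is not the sudo binary: piping the whole grep output
# into audit2allow would turn these into allow rules as well.
unexpected_denials() {
    summarize_denials | awk '$2 != "sudo_exec_t"'
}

# Usage on a real system (as root): unexpected_denials < /var/log/audit/audit.log
sample_audit_log | unexpected_denials
```

audit2allow -M also writes sudobashfix.te next to sudobashfix.pp, so the generated rules can be read in the same way before running semodule -i.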