RE: running programs

From: Smalley, Stephen <Stephen_Smalley_at_nai.com>
Date: Tue, 24 Jul 2001 20:39:02 -0700

>Yes, I hadn't looked for the avc denied message (I'm used to
>seeing them when I run at the console but did the "ping" test
>in an xterm), but it's there: create denied for rawip_socket.

Right. So you could define a special domain just for the ping program (and perhaps related utilities), say ping_t with an entrypoint type ping_exec_t, and authorize it to create and use raw IP sockets, e.g. allow ping_t self:rawip_socket rw_socket_perms;

>It's not that I need to prevent ordinary users from executing
>this particular program; I just thought that doing so would
>increase my understanding of selinux configuration. After I turn
>on security I can't execute tiger (a shell script) as root or as
>an ordinary user. I think the interesting parts of the avc denied
>message are:

> { execute }
> exe=/bin/bash
> path=/usr/local/src/tara-2.0.0/tiger
> tclass=file

Actually, the scontext and tcontext information is very important - it shows the real reason for the failure (it shows the relevant domain and type for which execute permission was denied). In this case, it seems likely that the type of files in /usr/local/src is not one of the types to which execute access is granted by the policy configuration, typically using the can_exec_any macro in macros.te.
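The two denials discussed in this thread (the rawip_socket create for ping and the file execute for the shell script) can be triaged mechanically by pulling scontext, tcontext and tclass out of each avc message and grouping them. This is an added example, not code from the thread or the SELinux project; the log lines are constructed in the avc format of the time, and the file type usr_t for /usr/local/src is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample denials (not from the original thread), in the old avc log format.
SAMPLE_LOG = """\
avc:  denied  { create } for  pid=812 exe=/bin/ping scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=rawip_socket
avc:  denied  { execute } for  pid=901 exe=/bin/bash path=/usr/local/src/tara-2.0.0/tiger dev=03:01 ino=4711 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usr_t tclass=file
avc:  denied  { read write } for  pid=812 exe=/bin/ping scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=rawip_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return {'perms': set, plus every key=value field} for a denial line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": set(m.group("perms").split())}
    for key, value in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        rec[key] = value
    return rec

def type_of(context):
    """The type is the third component of a user:role:type security context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, class); union the denied permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        groups[key] |= rec["perms"]
    return dict(groups)

def candidate_rules(log_text):
    """Render each group as an allow rule in example-policy syntax.
    These are review starting points only: the usual fix is a dedicated domain
    (ping_t with entrypoint ping_exec_t) or a corrected file type, not a blanket
    grant of the denied permissions to the source domain."""
    rules = []
    for (src, tgt, cls), perms in sorted(summarize(log_text).items()):
        target = "self" if tgt == src else tgt   # self: process acting on its own objects
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules
```

Run `candidate_rules(SAMPLE_LOG)` to see one rule per (source, target, class) triple; the rawip_socket group collapses to `self` because the socket's tcontext equals the process context.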

Received on Wed 25 Jul 2001 - 10:37:42 EDT
