Hello -

I am encountering an issue with SELinux. I have a homemade shell script that I want to execute from a remote server. This shell script works when I execute it locally - it just cd's to a home directory on the box and reads a text file - but when I try to execute it from a remote server, the script acts like it can't read that prespecified home directory.

The denial I'm getting is:

type=AVC msg=audit(1356100819.930:404): avc: denied { getattr } for pid=2257 comm="myscript.sh" path="/home" dev="dm-2" ino=2 scontext=system_u:system_r:nrpe_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir type=SYSCALL msg=audit(1356100819.930:404): arch=c000003e syscall=4 success=no exit=-13 a0=1f51760 a1=7fff053f4ba0 a2=7fff053f4ba0 a3=14 items=0 ppid=2256 pid=2257 auid=4294967295 uid=997 gid=996 euid=997 suid=997 fsuid=997 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="myscript.sh" exe="/usr/bin/bash" subj=system_u:system_r:nrpe_t:s0 key=(null)

I've tried an audit2allow of this and loaded the resulting policy, but without success. Any thoughts or advice on how to understand what is going on here? I'm not familiar with this syscall behavior, but the issue is related to SELinux, since permissive allows that script to be executed as desired.

Thanks in advance.

'ausyscall' says "syscall=4" is write, not read?


Why does "myscript.sh" reside in "/home" and not in `awk -F':' '/997:/ {print $6}' /etc/passwd` like it should?